Re: [Acme] acme subdomains open items

Michael Richardson <mcr+ietf@sandelman.ca> Sun, 13 December 2020 20:42 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "acme@ietf.org" <acme@ietf.org>
In-Reply-To: <CY4PR11MB16851C0F7BA56FA3A6E74945DBC90@CY4PR11MB1685.namprd11.prod.outlook.com>
References: <CY4PR11MB168504F6D4CF495E8AE8F729DBF10@CY4PR11MB1685.namprd11.prod.outlook.com> <CA7603D9-DFDA-4FA6-A76C-D4E0E638A956@felipegasper.com> <CY4PR11MB16851AD65ACF736CE6FD55A8DBF10@CY4PR11MB1685.namprd11.prod.outlook.com> <CAErg=HEON6756+_3Lfbe=r=3rxV9gAundvG5mBEEOzsKqL8x3w@mail.gmail.com> <CY4PR11MB168593FCC8F11DF836FD12EADBCE0@CY4PR11MB1685.namprd11.prod.outlook.com> <CAErg=HHxbhbZQAdf2SRjFVUezmkGcg+OdeZL_ey0AwubxkSVSA@mail.gmail.com> <16962.1607347826@localhost> <CAErg=HGM5bmm=oJ1ya8gC3EiW8KQJTq2N3fxisDsgSPYKd=DbQ@mail.gmail.com> <2310.1607463183@localhost> <CAErg=HHOjdYAzCvx4vKkPAAMyEzJYqR_E-Ns=_a9pqeD8ny4eA@mail.gmail.com> <29885.1607476438@localhost> <CAErg=HEPyUr6y6LFfo3KcgF=JS1BuTsFkVNJEB_zkP1tQZ4BCg@mail.gmail.com> <CY4PR11MB16851C0F7BA56FA3A6E74945DBC90@CY4PR11MB1685.namprd11.prod.outlook.com>
Date: Sun, 13 Dec 2020 15:42:07 -0500
Message-ID: <11358.1607892127@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/EW95z5V3a5PRWMNlL_vWAeNuSSw>
Subject: Re: [Acme] acme subdomains open items

Owen Friel (ofriel) <ofriel@cisco.com> wrote:
    > The draft as is does not preclude http-01 challenges, but I agree that
    > the dns-01 challenge is more applicable.

I'm gonna pick on this part only.

An http-01 challenge shows that the client controls the web resource that is named.
It does nothing at all about control of the DNS.   We don't know anything
about the client's control over the DNS, about any other names in the DNS.

When we do a dns-01 challenge for a specific name, we mostly prove exactly
the same thing: that the client can direct traffic to that name to a place
that it could potentially control.
{Well, the presence of CNAMEs (and DNAMEs) blurs this a bit}

If we do a dns-01 challenge for foo.example, then there is an assumption
in the challenge that we control the DNS for foo.example, and therefore
could put any.thing.foo.example into the DNS and control that.

Really, it doesn't quite prove that, it proves that we can update
_acme-challenge.foo.example, and that could be the only thing we
can actually control.

We might want to think about whether the authorization phase for
a subdomain challenge might need to show control over more bits than just that.
For instance, we could demand proof of _acme-challenge.ran.dom.token.foo.example.
Perhaps even that we can insert A or AAAA records at that spot too.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
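The distinction Michael draws above (a dns-01 pass proves control of one TXT record at `_acme-challenge.foo.example`, not of the `foo.example` zone) can be made concrete with a small model of the CA's check. What follows is an added example, not code from the message, the draft, or any ACME implementation. The account key is the EC public key from RFC 7515 appendix A.3 (reused only for its shape), the token and the zone data are constructed, `resolve_txt` is an in-memory stand-in for a resolver, and the optional `nonce` argument to `validate_dns01` is one possible shape for the deeper `_acme-challenge.<random>.foo.example` probe floated in the message, an assumption rather than anything the draft specifies. The key-authorization and TXT computations themselves follow RFC 8555 sections 8.1 and 8.4 and RFC 7638.

```python
"""Model of the ACME dns-01 check, run over a constructed in-memory zone."""
import base64
import hashlib
import json

# Constructed account key: the EC public key from RFC 7515 appendix A.3,
# used here only because it has the right shape for a JWK thumbprint.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed challenge token


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: required members only, lexicographic order, no whitespace, SHA-256."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(token '.' thumbprint))."""
    key_authz = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authz.encode("ascii")).digest())


def resolve_txt(zone: dict, name: str, max_cnames: int = 8):
    """Stand-in resolver: follow CNAMEs the way a validator would.
    Returns (name that finally answered, list of TXT strings at it)."""
    for _ in range(max_cnames + 1):
        rrs = zone.get(name.lower().rstrip("."), [])
        cnames = [rdata for rrtype, rdata in rrs if rrtype == "CNAME"]
        if cnames:
            name = cnames[0]
            continue
        return name, [rdata for rrtype, rdata in rrs if rrtype == "TXT"]
    raise RuntimeError("CNAME chain too long")


def validate_dns01(zone: dict, identifier: str, token: str, jwk: dict, nonce=None):
    """Mimic the CA. With nonce=None this is the RFC 8555 check at
    _acme-challenge.<identifier>. With a nonce it probes
    _acme-challenge.<nonce>.<identifier>, one assumed shape for the
    deeper check suggested in the message (not draft text)."""
    if nonce:
        label = f"_acme-challenge.{nonce}.{identifier}"
    else:
        label = f"_acme-challenge.{identifier}"
    answered_by, txts = resolve_txt(zone, label)
    return dns01_txt_value(token, jwk) in txts, answered_by


# Constructed zone data: foo.example's owner has delegated only the
# _acme-challenge label, via CNAME, to an ACME proxy in a third party's zone.
EXPECTED = dns01_txt_value(TOKEN, ACCOUNT_JWK)
ZONE = {
    "foo.example": [("A", "192.0.2.10")],
    "_acme-challenge.foo.example": [("CNAME", "foo.acme-proxy.third.example")],
    "foo.acme-proxy.third.example": [("TXT", EXPECTED)],
}


def demo():
    # The standard check passes, but the record that satisfied it lives in
    # third.example: whoever writes there proved control of one TXT record,
    # not of foo.example.
    ok, who = validate_dns01(ZONE, "foo.example", TOKEN, ACCOUNT_JWK)
    # A deeper probe: nothing answers for _acme-challenge.<nonce>.foo.example
    # unless the responder can create arbitrary names under foo.example.
    deep_ok, _ = validate_dns01(ZONE, "foo.example", TOKEN, ACCOUNT_JWK, nonce="k7qe2x")
    # Only the actual zone owner can publish that name.
    owner_zone = dict(ZONE)
    owner_zone["_acme-challenge.k7qe2x.foo.example"] = [("TXT", EXPECTED)]
    owner_ok, _ = validate_dns01(owner_zone, "foo.example", TOKEN, ACCOUNT_JWK, nonce="k7qe2x")
    return ok, who, deep_ok, owner_ok


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `(True, "foo.acme-proxy.third.example", False, True)`: the plain dns-01 check succeeds even though the answering record sits in a different zone, the randomized deeper label defeats a holder of only the `_acme-challenge` CNAME, and the real zone owner can still satisfy it. Whether a CA should actually require the deeper probe, or additionally an A/AAAA record at that spot as the message suggests, is the open design question; the model only shows what each check does and does not demonstrate.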