Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf-acme-authority-token-07: (with DISCUSS and COMMENT)
"Peterson, Jon" <jon.peterson@team.neustar> Mon, 11 July 2022 15:44 UTC
Return-Path: <prvs=219136d260=jon.peterson@team.neustar>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B6B4C14F72B; Mon, 11 Jul 2022 08:44:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=team.neustar header.b=wbCH/pqm; dkim=pass (1024-bit key) header.d=neustar.onmicrosoft.com header.b=lyoT3QqG
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pAbhuM4xO0BI; Mon, 11 Jul 2022 08:44:24 -0700 (PDT)
Received: from mx0b-0018ba01.pphosted.com (mx0b-0018ba01.pphosted.com [67.231.157.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7571AC16ED1F; Mon, 11 Jul 2022 08:43:39 -0700 (PDT)
Received: from pps.filterd (m0078668.ppops.net [127.0.0.1]) by mx0b-0018ba01.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 26BA6Yil019868; Mon, 11 Jul 2022 11:43:36 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=team.neustar; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=team-neustar; bh=8b0606Ol3Qfh5vaxFD/3ZskxwJSsnj/i3Uf5Imb4ygo=; b=wbCH/pqm7xSqTXro7mXVYgccLN0aTOKlgJrjz5GPJuAu4lnghbsmXn50CZQoFcvZk8cX GQX0Tm0ZiHtr/RRkluNJX/a5rpB9F81WJQx2eMP1LCmfiMWIYd8NUeHsoYiTL5sR9TGM eE4ozCCVnijnchIloLug0o8bWwCtbcL2vGa5XqiqBKqtcebDnAAoKx1nwVIozujVj/Pw 0uh0Go10fIz4w9SKPGzBv4OpiIqfcZVo5gAmdpgliS2D3QglyNdrhKUSyg4gcxPf41l8 Xu6QDsWDaEEHJJqRkGlVYr9oVvuntMoE8Rd6bOeKt3aVWK8fj5I+EFltdejcHPAB55AE Gg==
Received: from nam11-bn8-obe.outbound.protection.outlook.com (mail-bn8nam11lp2168.outbound.protection.outlook.com [104.47.58.168]) by mx0b-0018ba01.pphosted.com (PPS) with ESMTPS id 3h74ftu2vu-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 11 Jul 2022 11:43:25 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=KFIH/KwZ3W/IQPmzMqwdLsFiFauu7HMrq+VcFIuRpavTeUZ6cfOcNmIbdDZt1BpJGUZrg20zlKf0ZLxEsS+qd7yd7O4J8LPxV4a6lRDPv5o/TG/8ezA95VN/Zjj/6LIQNjAY6Tmt0hDOQOyZYZtP3o0L77gxiCrBB7Om1UFeuB0YadTHDBZSDTqbhVzCPLRY+C/op6g6FeKMLkhPn58RyVEHRKT54bMictZQh6qHhCdYwWlbcZk9HOGF3prv/eHPusT2VhV8ZlV6qlstENNh7Hm4trg5Np5X5HsK/8toD1MIj8mrG07EbMDq9GnUVMa2HiUh7uHqsnMyBct9vUkvfw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=8b0606Ol3Qfh5vaxFD/3ZskxwJSsnj/i3Uf5Imb4ygo=; b=hLGleuM1/OORnJzSuoy8O4W3QdHbTvdYkxEGybNl8g56DzbjoaWRPtWIy91jjmASv9yGQvlKLiFtKSv5D9v2knjXZyvfjHdTGZTmO2+W2+6JFZ95n55K7ce2GjICZkLrv4yKZ6lhDIoYCQotSUQAy1nDyvZyBC4HnlTJ6U2hEsPFGp+dU7CLs5oXgHO4EpBq1uwIKzSznjIuDfqwFZzk3fnlSQva8xGnSNiF1l72j48AV/BnXVm1OnU/q8XR44mTrIf9a/dg5895q6eUzO3MCkr48TDQgMud53u6TnKoBnGH+UFYQrPB+ZOkr6kaQE7tqmMkFUeSJJhKIm4XigEDxQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=team.neustar; dmarc=pass action=none header.from=team.neustar; dkim=pass header.d=team.neustar; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=neustar.onmicrosoft.com; s=selector1-neustar-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8b0606Ol3Qfh5vaxFD/3ZskxwJSsnj/i3Uf5Imb4ygo=; b=lyoT3QqGGIRCUpVSF50ljxLoyzzaqKEDqBSGR9D3aP4RGTcQVn3IIs0dyfzXsBWni4JEu2H1smL51RZ6orXgJq89lt1maxOCS24x3OLKdI/6ikS1KBkA/aMWrVgRb1kwR23QJAIAsrrPOEV3YMeDnl1FK1fSE/DdyD52Pa0BJrU=
Received: from BY5PR17MB3569.namprd17.prod.outlook.com (2603:10b6:a03:1b9::20) by PH0PR17MB5374.namprd17.prod.outlook.com (2603:10b6:510:cd::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5417.26; Mon, 11 Jul 2022 15:43:20 +0000
Received: from BY5PR17MB3569.namprd17.prod.outlook.com ([fe80::1194:97c1:34e9:4fd5]) by BY5PR17MB3569.namprd17.prod.outlook.com ([fe80::1194:97c1:34e9:4fd5%7]) with mapi id 15.20.5417.026; Mon, 11 Jul 2022 15:43:20 +0000
From: "Peterson, Jon" <jon.peterson@team.neustar>
To: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>
CC: "draft-ietf-acme-authority-token@ietf.org" <draft-ietf-acme-authority-token@ietf.org>, "acme-chairs@ietf.org" <acme-chairs@ietf.org>, "acme@ietf.org" <acme@ietf.org>, Rich Salz <rsalz@akamai.com>
Thread-Topic: Benjamin Kaduk's Discuss on draft-ietf-acme-authority-token-07: (with DISCUSS and COMMENT)
Thread-Index: AQHX49/a7DejBaL+u0SGwGdrWRsi0q16bxWA
Date: Mon, 11 Jul 2022 15:43:19 +0000
Message-ID: <F4A22F09-D79A-4F9F-A953-FAE893252D1A@team.neustar>
References: <163805285192.3433.11768017112035002696@ietfa.amsl.com>
In-Reply-To: <163805285192.3433.11768017112035002696@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.1b.201012
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 1dd408bd-3bef-4a15-f6dd-08da635414aa
x-ms-traffictypediagnostic: PH0PR17MB5374:EE_
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: YoqbRj9R1VEkfFFUE5Xnpk2AQA5jyYdjIZkuYZqvbKzIe/1L98SqP04sNqhArzprey2Q70XGhqWiZXcZRucfN/tTN5w+YLyjvXKF9+FzTgbkxfRMPzBTmiQ6y/fAxboL/KOi7WtHJ9jvRPhaw7LxEhCCOTgXCi/FtCSFrIdQtJIXzrvO/X+p76DkO0mSmnOwl03jGcMLHloeyqwVxoUf/lStsMNvLnIHXAyvoRDCXljdSznNMHRhVpivWQ02EAXpeoOPIvOZ8ONm39qGgEqpI9MOvK26x7ZVb3BCLQuN4ClmnKP+5n5SESFgtSDCLJ2m2nvLT9yLxOhI1H14lm+Sg2ca1Ywxx6IgrrHzVA0XebbHa0CLNDd9aY5UjPhPkTkoivLyPeIYrmTG9ad/feAzN/yhlgi9xMOCeyAzmYbG159jf2cMBg844IjeqIHpHDa/PnmJ/Ico1B+TJM/VKOOEhhs2hLD5kfxnpf0LOZ40jpP9LySYESYr9U25ahsjWEruZe2lpubqECi+8qMQHM+XMGKKQBgy9z54B3L94dKNzoEcJCL+eptGL3CAAlGc21UHi4sZ9mKMTAz4tE8ektv0RNIxJMqthzJkNyUYw/bYcUSXNNPWlW6X/qBgPDX/ces4tVSVKm0AZjKNynNUahC9x3WHhxvFegcLRmbOJBhzTco4Cg42aEt2Hz021GVsw71UXzTgZp70J+iKVy0AwXUGBdsh1FDV2DiunBN7rCfOFlD4wNNiUS1kyRS6JE+YXM8RWItc2AHBZA3/5Nj3XH2GuwWQyYpZWllfnWQHourKm3H6JVsiJZyEdIu4TrbQba8IvTLbxb/tLgyf0tDwh4UVR5/2VCDpwuC/zVmeK7xqoI+xnhfic2JJ861OenRPoHt2
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR17MB3569.namprd17.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230016)(4636009)(136003)(396003)(376002)(39850400004)(366004)(346002)(71200400001)(110136005)(91956017)(6486002)(478600001)(64756008)(33656002)(38100700002)(66946007)(66574015)(6506007)(66556008)(86362001)(38070700005)(186003)(6512007)(26005)(2616005)(76116006)(4326008)(8676002)(66446008)(54906003)(316002)(66476007)(2906002)(41300700001)(5660300002)(30864003)(8936002)(83380400001)(122000001)(46492015)(45980500001)(579004)(559001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: /d2GXK9SzsbqyzFzfFGtmyhgx1F8wMlnEWCSli58GXWMI+udhxAl3kFjoCby17yG7gmuq9RJPSl+hjPBO7+Y0KGzTeioTM2/r6+qYQ2WXjuIMjB62gkImbLKkJFVIbNesXM1dHobOV5CwzysLglgsSvjuRbtKEKgxVyYx7l8OF3YTCXATu+yWYjRE7O3hQx0Dy1TYLQDKEt/AU9ODdpVFy9u7iP4dk14MwGkOnHLMAmWvjuvw19fy3/BUGGqy48YEVWy392AjDoFcrGq6kJkNXCSYc2K1yJvdUkKXjxVvgFzVtrQfRYOgeANnFrwJINWow90JgcsyOHALE/S2CgyELvyNn1n0tTy3fSP6l3uunlNjQG2H5/3DFXxJMQBLW2vd80k/BzOKh5yDVPLPHS+ef1G7oEy5pSEN6BnaafbhZRV6UevSx4Exe0K6+jf2epX621tcv8Avd8iLhVTTUyzEADYLp5HeJp3/wUmPbvqonfl9GuJbdnS88ls5mD8en/Ax3AHDhEhtzdpwKOdh3CkLVE92SD26B+lCg0oB101DP/tEYdCjnEiUUBx7obZ0U4Mo/UmATKOFAHJ3F6esDvy+7Jz5xcivUCsv1IRkBVyA3S/08c6bsxWTUNQzU6vncraaISNG7bqTN7JixFWhms9352soZZyVNGbSc/JoVsqe6Us/vV/yWRdy9p9YzycrXR9WbA06ZcBZMAJpBMAxHnJMiKJJYqrXhziI/PeXAvol2WiH8OVMHZkJVS1qlVgV6Z1lRj+0z8SOfxO5vfCm8Od9bbKG6sxosgJetPrXU/+SgnEGMLAcaJfzfD3S0TRkMhFHcz/rxSiFq31YZIj6SWQPCyiaPTGTlmBiBEYJR5555eRb0k74AZ+ng7YeJBur9xuHKV8cWxhx46CDRGvC519JwscuxTibZAMBhtXeIYUjp7kRt8sVUnl1egW5eVwcXt634tp8zwbBEAM/L3tE3Mr4nGX/6w8+YYn970Sx85nu2xdGg1KRNQesLB/RlcZgoivo2B9H73bGZCHSTUQHWRWjHighYtkzkIAeJjyVZdWf7NPGKwiUcmwfcYfmIXu+FX6XrghUFjZaHtlXC8tOfiwiVA/T9ao2tGSvKOcXQ2+ZLeXpamqNJFX0iitaISJcMwY+JZ4AsATiougbPrjGFnPfAE+l9oNbNGuYPGBPvfUACbdnPdelDr/8e78NmG2AjJW3lRKku0SOgldYlc9tVhc7HdVXaYZVrmxLHc8MPthbh6kdoy/P1BxqXllSjZa/SzuJQvhxzqgmw3n7JT7Ehl0NjxJQ+Oq+MJTH1NKED6DgUcYZfq59LjRkXwcSVcn9ox6mwCTaW1Pnjjghetpv0Bl5t/LHQ7u+py0u0sxkD9vv75W35HcIf2ODGhj5K1HjGLQajOKXS9SQp5sGQRZW5yQ8dqulBSBrtf6tMINcGoMgwghaMKoNBEPJNAafumGJ2V7PIqzGZczYwzQU8hbBQ9Ya6rCColQ/QqRdYU6EVxNreMnO5UrlnMF88Kfzr92Q+nJkerxuCI8JNrSD8bNVWbG7teEXGhZBR67i4Ca1x4K3p4ioqlKVWJmR7zgKTR927hGTHH4el/YxOuE4y47wQvBuA==
Content-Type: text/plain; charset="utf-8"
Content-ID: <F3EBD322DF0AB849A29B6E3DE0151269@namprd17.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: team.neustar
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR17MB3569.namprd17.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1dd408bd-3bef-4a15-f6dd-08da635414aa
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Jul 2022 15:43:20.0872 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 73a2bbc1-f307-47c4-8f94-5f379c68bc30
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: dNgiyH6YOyv5hqzwmAeGbeG/8wy9JAR2vU/6G0sMkuEkuIMegFo7BZlvwXu6BkiXlswPJ64WW+dsV8iM3BaD9Rw6HDtSvjBmyfFHXWwaSys=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR17MB5374
X-Proofpoint-ORIG-GUID: YRX1WVxq5937AXjmrqcqCJH75vKimkzy
X-Proofpoint-GUID: YRX1WVxq5937AXjmrqcqCJH75vKimkzy
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.122.1 definitions=2022-07-11_19,2022-07-08_01,2022-06-22_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxlogscore=999 priorityscore=1501 lowpriorityscore=0 suspectscore=0 malwarescore=0 bulkscore=0 mlxscore=0 adultscore=0 impostorscore=0 phishscore=0 spamscore=0 clxscore=1011 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2206140000 definitions=main-2207110066
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/EtazdT7Wdot6OxWoqMm9SN99GPM>
Subject: Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf-acme-authority-token-07: (with DISCUSS and COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2022 15:44:28 -0000
Hi Ben (and the IESG), We're finally getting to implementing fixes based on IESG review for the acme-authority-token and the related -tnauthlist draft. As a number of ADs supported Ben's discuss and comments, you can find responses to Ben inline below. On 11/27/21, 5:41 PM, "Benjamin Kaduk via Datatracker" <noreply@ietf.org> wrote: Benjamin Kaduk has entered the following ballot position for draft-ietf-acme-authority-token-07: Discuss ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- (1) Let's talk briefly about how JWT issuers are identified. Section 4 has some text: For this ACME Authority Token usage of JWT, the payload of the JWT OPTIONALLY contain an "iss" indicating the Token Authority that generated the token, if the "x5u" element in the header does not already convey that information; typically, this will be the same location that appeared in the "token-authority" field of the ACME challenge. [...] While "iss" is the default way to identify a JWT issuer, the JWT BCP (RFC 8725, BCP 225) does not make a strong recommendation that it is the preferred way to do so, with the implication that other ways to identify the issuer are reasonable. However, the text here only mentions the "x5u" element as an alternative to "iss" for identifying the issuer, which does not seem to be a comprehensive depiction of the JWT ecosystem. Issuers could be identified by other X.509 related protected headers such as "x5c", or in some situations just by the key used for signing (when that key is accompanied by other configured metadata), among other things. So, I don't understand why we call out "x5u" specifically here and apparently don't allow other ways of identifying the issuer. I have added "x5c" to the text there, though I'm not sure why this spec would need to give a comprehensive description of the JWT ecosystem. (2) We seem to describe the contents of the "atc" JWT claim as an array in §4, but the examples show its payload as a JSON map. Which is correct? We mean map. Eliminated the place where this was carelessly called an array. (3) I'd also like to have a (hopefully brief) discussion about the properties that we do and do not provide as relates to binding an authority token to an ACME client. I think the existing text in 3.3 already addresses this, including the potential use of the nonce, by deferring it to the identifier type profile (see the last paragraph there). I've added some text related to this, but I don't think it requires any change to the behavior described in the document. More: In particular, in the REST API to the Token Authority, we have the client provide the fingerprint of its ACME key/identity, but the Token Authority does not do any validation on that value and is expected to just include it directly in the issued token. This means that some other entity X who is not the legitimate client but knows their key (fingerprint), and is also authorized to use a given identifier by the Token Authority, could cause a token to be issued that references the legitimate client's key. (Note that X could learn the fingerprint of the client by, e.g., being a semi-trusted CDN in front of the ACME server as considered by RFC 8555§10.1.) That token would then only be useful by the legitimate client, and so there would need to be some other vulnerability that lets X trick the client into using that token, That does not seem like a trivial hurdle to me. Short of compromising the target client's ACME account, or their system, what would that vulnerability be? but it still seems that we have broken the chain of custody that would let us claim that the authority token was generated "based on a request from the client" (§3.3). In particular, it seems that (with these preconditions) we might have a scenario where a client gets issued a certificate for numbers that it is not actually authorized for! That's a big "might." Again, if you can compromise a target's ACME account or something, you already have the power to get the same result. Bear in mind as well that Token Authorities will have their own relationships (5.1) with the entities to whom they disperse Authority Tokens, so they aren't just giving these out anonymously or something. This weakness does not immediately lead to an obvious vulnerability, as it requires two additional factors to be exploited -- the attacker must themselves be authorized at the Token Authority, and there needs to be some as-yet-unknown mechanism for the attacker to cause the client to use this new/different token -- but I think we at a minimum need to document the properties that we don't provide. Sure, as a theoretical matter - it's (hopefully) now better documented at the end of 3.3. We could choose to make the mechanism more complicated and close off this loophole by requiring proof of possession in the request to the token authority. The obvious way to do this robustly would require another round trip, though, to let the token authority provide a nonce that the proof of possession is provided over. Sometimes we can use a TLS Exporter value to save on that round-trip, but I haven't thought through very carefully what that would look like here. The request to the token authority would probably need to convey the entire public key, not just the fingerprint, so that the signature could be verified. There's another risk relating to thumbprints that is probably worth documenting -- we in effect are hardcoding a dependence on SHA256 for the fingerprints. (I'm happy to see that the wire-format of the thumbprint does identify the hash function used, so a transition mechansims should be pretty straightforward.) In light of the BCP 201 guidance for building in algorithm agility, I think we should say that we are hardcoding SHA256 and SHA256 is believed to still be quite strong (the SHA-3 contest helped solidify that position), but if a second preimage attack for SHA256 is found, an issued authority token could be used with a different ACME account key. We can also go on to say that in that event, implementations can migrate to using a different hash function for the fingerprints due to the in-band hash function identification in the fingerprint field. Such a transition would require a new RFC to actually specify the details of the new behavior, but would not be very invasive to implementations. Given the state of implementation, I think it would be okay to say that if a change of algorithm is required, we'll update the specification. I added that to the Sec Cons. (4) We mention almost in passing that the tkauth-01 challenge type has a new "token-authority" field that designates a location where a token can be acquired. I think we need to have some more explicit discussion of the semantics of this field and how it's populated, especially in light of how this document implies that typical usage will include "token-authority" but the companion document implies that "token-authority" will not be in common usage. We definitely need some discussion of the security considerations of having party X tell the client to go authenticate to party Y and do some thing; this type of flow is very prone to enabling phishing attacks where the client gives party Y credentials that party Y is not supposed to have. In many cases it ends up being a de facto requirement that the client is configured with a specific list of allowed values for "party Y" and must reject anything not known to be trusted. (So, in this case, that would have the client reject any token authority URLs that are not in this preconfigured allow-list.) There is (again, in 5.1) text about the assumed business relationship between a client of this API and the Token Authority. It was not meant to be implied in this document that "token-authority" will be the common usage. Added a "when present" to one of the two places that "token authority" is mentioned. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- It's surprising to see a new JWT-using protocol that doesn't cite RFC 8725. Added. Section 4 This draft specifies a tkauth-type of "atc" which contains a standard JWT token [RFC7519] using a JWS-defined signature string [RFC7515]. The "atc" tkauth-type MAY be used for any number of different ACME identifier types in the ACME challenge. Is there an authoritative listing anywhere of exactly which identifier types it can be used with? In particular, it seems like there is a need for a bit of specification for how a given identifier type integrates with "atc" usage, and this document perhaps only covers that integration for TNAuthList and not the other defined ACME identifier types. If someone wanted to perform such an integration in the future (whether for an identifier type that already exists or some new one), and wrote a new document, how would we want to associate such a document with the "atc" registration/specification? Broadly, I don't think we saw a need for a registry listing which ACME identifier types (which are already in an IANA registry) happen to be supported by "atc." I think the requirements in 3.1 for tkauth-types make clear the kinds of things that need to be specified for an "atc" usage - as the first paragraph says, "subtypes inherit these requirements", and effectively every ACME identifier type ("tktype") is a subtype of "atc." The JWT payload MUST also contain a new JWT claim, "atc", for Authority Token Challenge, which contains three mandatory elements in an array: the ATC identifier type ("tktype"), the identifier value ("tkvalue"), and the binding ("fingerprint"). The use of "tktype" is restricted to the values in the "ACME Identifier Types" registry as defined by [RFC8555]. [...] I'm curious what went into the decision to use the name "tktype" for this field -- the "tk" prefix seems to correspond to "token" and thus indiate the generic authority token mechanism. A "tktype", then, might seem to be a type of authority token in a straightforward reading. This is in contrast with the stated meaning, the identifier type that the authority token conveys. Would, say, "tkidtype" be useful here? I'm sure the thinking behind its naming was minimal, and while I mean "idtype" would perhaps nod more to the ACME Identifier types, I don't think we should try to shift it now. The "tkvalue" indicates the scope of the authority that the token, and its semantics are outside the scope of this document. [...] Do the semantics of the "tkvalue" contents need to be specified somewhere else? In the document that defines the identifier type, perhaps? Are the semantics of the identifier types already in the IANA registry specified somewhere? Well, in the document that specifies the identifier type. I added a sentence for that. The identifier type and value are those given in the ACME challenge and conveyed to the Token Authority by the ACME client. This seems to presuppose that the ACME challenge exists prior to the authority token issuance, but elsewhere in the document we allow for token issuance prior to the creation of the ACME challenge. How might these fields be populated in that case? I think the only case where token issuance precedes the challenge are cases where a token with a long expiry is reused over multiple ACME challenges. But I don't think the sentence here expresses (or even implies) order or precedence, just equality of values. Following the example of [I-D.ietf-acme-authority-token-tnauthlist], the "tkvalue" identifier type could be the TNAuthList, with a "tkvalue" as defined in [RFC8226] that the Token Authority is attesting. [...] [This is a bit slim on what the encoded tkvalue actually is to be, but it's probably okay to defer this to the referenced document. I do have an open point on that document that we should say what ASN.1 encoding is used, though.] Again, it is supposed to be slim here, as its really up to the specification for the ACME identifier type to define what goes in "tkvalue". or individual telephone numbers. For the purposes of the "atc" tkauth-type, the binding "fingerprint" is assumed to be a fingerprint of the ACME credential for the account used to request the certificate, but the specification of how the binding is generated is left to the identifier type profile for the Authority Token. So for example: I really strongly dislike this phrasing of "is assumed to be [...] but the specification [...] is left to the identifier type profile". It seems like a recipe for confusion about what the protocol actually entails. This binding is the subject of the preceding section (3.3); this text is just loosely paraphrasing. I'll insert a "see 3.3" at the end of this sentence. It seems like we could probably get away with making "atc" just always use the account key fingerprint (regardless of identifier type), and if a different binding is needed, that could get a new authority token challenge type. Alternately, we could say that the profile for the identifier type MUST specify how the binding is computed, and offer the fingerprint as an example method, but say nothing about "default" or "assumed to be" -- if it's something that is unequivocally the responsibility of the profile, then it's clear where to go to find out what to put there. On the gripping hand, though, other parts of this document seem to be written on the assumption that it will always be the fingerprint. I think we can do a normative RECOMMENDED in 3.3 for using the ACME account fingerprint, and then caveat that by saying the nonce or what have you could be specified by ACME identifier specification for use with "atc". I've plugged that in. Optionally, the "atc" claim may contain a fourth element, "ca". If set to "true", the "ca" element indicates that the Token Authority is Are the 'ca' contents limited to a boolean value (and should we say so in the document)? Or is "true" the only admitted value, with the element omitted for other cases? (The text in -tnauthlist that claims to define the "atc" claim has a bit more detail on this topic.) I've added "boolean" to the sentence about the "ca" element. And as an aside (based on the attempted division anyway) -tnauthlist defines how to populate the "atc" claim of the Authority Token for its use case, whereas -authority-token defines the "atc" claim of the ACME challenge. granting permission to issue a certification authority certificate rather than an end-entity certificate for the names in question. This permits subordinate delegations from the issued certificate. If Since the ACME ecosystem already has a native delegation mechanism (RFC 9115), it might be helpful to make some statement about how this delegation mechanism (doesn't) relate to that one. Basically, RFC9115 delegation manages the EE certificate that the delegate uses for signing; the reference to delegation here is instead about acquiring an intermediate cert which can in turn issue EE certs (which are potentially managed by RFC9115 or what have you). So related, but only loosely. I added a little text. Specifications of "tktype" identifier types may define additional optional "atc" elements. Since the "tktype" identifier types are allocated from a registry created by RFC 8555 (that accordingly does not mention the ability to allocate additional "atc" elements), do we want to add a note or additional reference to the registry to publicize this functionality? Alternately, perhaps we are really talking about the specification of the integration of token types with "atc" usage (a "profile", as the terminology seems to be used in the draft already), which may or may not be in the same document that specifies the new ACME identifier type. This passage is talking about the fact that a given "tktype" (e.g. TnAuthList) can define new claims that appear in the "atc" element. I'm not sure what we'd need to add to the registry itself to publicize what - it is indeed something that would be in the same document that specifies the "atc" usage for a given ACME identifier type. ACME identifier types without an "atc" usage specification would have no need for something in the registry. Section 5.1 The body of the POST request MUST contain the Authority Token Challenge element that the client is requesting the Token Authority generate. In the way, the client proposes the scope of the Authority Token it would like to receive from the Token Authority. To clarify: by "Authority Token Challenge element", we mean the value of the key/value pair identified by the key "atc"? So the string '"atc":' does not appear in the POST body? No, I would think "element" entails both key and value - that's clarified now. I might consider some more prose or an explicit example, though since this section is in some sense only providing a template for the API exposed by the Token Authority and not a full API specification, perhaps there is no need. (Peeking ahead to -tnauthlist, I see that the example there refers to "the "atc" JSON object that should be embedded in the token" and does contain '"atc":'...) Yeah, it's easier to defer to the other spec for the full example. Section 7.3 Is there anything to say about what topics the reference for a given allocation needs to cover? There is a reference there to section 3.1, which is where those requirements are supposed to be captured. Section 8 Up in §3 we mention the need for a trust relationship between CA and token authority; is there anything more to say about that here (including, perhaps, some mention of the consequences if the trust proves to be misplaced in either direction)? Okay, I added a bit there. Do we want to give any more guidance on how to set the expiration time for (TNAuthList or other) authority tokens? I think it will end up being pretty specific to the ACME identifier type. We might mention that an implementation of a Token Authority REST interface should avoid side channel leakage (e.g., for whether a given account ID exists) in its HTTP responses/response codes. I mean, I don't think there's anything specific to this interface about that general weakness. When "x5u" is used to identify the issuer, the security considerations for referencing remote URLs apply; RFC 3986 does a decent job of documenting these. This seems like something we inherit from the RFC8725 guidance (say, 3.10) ? Issuance of CA certificates (e.g., for STIR delegation) has additional security considerations; we should probably reference the stir-delegation document here and incorporate those considerations. Anything that closely tied to STTIR would belong in -tnauthlist rather than here, I think. is the fingerprint specified in Section 4). All Authority Tokens must specify an expiry (of the token itself as proof for a CA, as opposed to the expiry of the name), and for some application, it may make sense of that expiry to be quite short. Any protocol used to Should/must the expiration time of the issued certificate be prior to the expiration time of the authority token used to authorize certificate issuance? I think that's a reasonable SHOULD, added. NITS I think these are all useful changes, but there's no need to respond if you disagree -- just go ahead and ignore anything you don't like. Most of these nits I implemented. Section 1 on the Internet. It enables administrative entities to prove effective control over resources like domain names, and automates the process of generating and issuing certificates that attest control or ownership of those resources. I'm not sure in what sense ACME really automates "generating" certificates in addition to automating "issuing" them. Perhaps one could say that it automates the process to request a certificate and that is a new contribution, but I don't think that ACME itself adds much to something that could be called "generating" a certificate. In some cases, proving effective control over an identifier requires an attestation from a third party who has authority over the resource, for example, an external policy administrator for a namespace other than the DNS application ACME was originally designed to support. In order to automate the process of issuing certificates for those resources, this specification defines a generic Authority Token challenge that ACME servers can issue in order to require clients to return such a token. [...] Pedantically, I don't think we've defined or described the authority token yet; the text leading up to this only covers the challenge. So writing "such a token" seems premature and we might rather say "return an Authority Token that authorizes a given issuance". Section 3 token could be used as a response to an ACME challenge. This specification, therefore, defines an Authority Token issued by an authority over a namespace to an ACME client for delivery to a CA in response to a challenge. Authority over a hierarchical namespace can Is it for delivery to a CA or to an ACME server? described in [I-D.ietf-acme-authority-token-tnauthlist]; in order to use "tkauth-01" Validation Method with an ACME Identifier type other than "TNAuthList," that identifier type would need to be registered separately with IANA. [...] If this would be a new registration in the "ACME Validation Methods" registry, I'd suggest "that identifier type would need to be listed in a new registration in the ACME Validation Methods registry maintained by IANA". The current text is easy to misread as saying that the identifier type itself would need to be registered, e.g., in the ACME Identifier Types registry. While that is no doubt true, it doesn't seem to be the intent of this statement. Section 3.1 While Authority Token types do not need to be specific to a namespace, every token must carry enough information for a CA to determine the name that it will issue a certificate for. Some types Maybe s/name that it will issue a certificate for/name for which certificate issuance is authorized/, since the CA could decide to not issue for some other reason. While nothing precludes use cases where an ACME client is itself a Token Authority, an ACME client will typically need a protocol to request and retrieve an Authority Token. The Token Authority will require certain information from an ACME client in order to ascertain that it is the right entity to request a certificate for a particular name. [...] Maybe s/the right entity/an authorized entity/, as there could in theory be more than one? The protocols used to request an Authority Token MUST convey to the Token Authority the identifier type and value from or what will be used in the ACME challenge, [...] I'm having a bit of trouble making "type and value from or what will be used in" into a two-branch parallel statement relating to the ACME challenge. Possibly s/what/that/ would help things fit (or maybe I'm just missing the right reading), but I'm not really sure. both "example.com" or "example.net". The advantage of the latter is that if, at a later time (but one within the expiry of the JWT), the This is the first time we mention "JWT", and we have not yet made the connection that Authority Tokens will be JWTs. Section 3.3 different purpose. To mitigate this, Authority Tokens contain a binding signed by a Token Authority; an ACME server can use the This phrasing suggests that the binding is signed indepenedently of the JWT itself, which doesn't seem to be the case; maybe something about "the signture on the Authority Token covers a binding value" instead? Section 4 claim manages token freshness. In addition to helping to manage replay, the "jti" provides a convenient way to reliably track with the same "atc" Authority Token is being used for multiple challenges over time within its set expiry. "with" in "track with" doesn't seem quite right; maybe "when"? Maybe s/expiry/lifetime/ as well, as "expiry" would typically refer to the event or time of expiration, as opposed to the entire period of validity. Following the example of [I-D.ietf-acme-authority-token-tnauthlist], the "tkvalue" identifier type could be the TNAuthList, with a Do we want to s/tkvalue/tktype/ here? The next line goes on to talk about the actual "tkvalue" contents, so it might help readability to refer to the named field that holds the type, here. "atc":{"tktype":"TnAuthList","tkvalue":"F83n2a...avn27DN3==","fingerprint": We seem to capitalize it "TNAuthList" in the actual IANA registration request in the companion document. Section 5.1 In order to request an Authority Token from a Token Authority, a client sends an HTTPS POST request. This specification assumes that Token Authority URIs are known to clients through preexisting business relationships, and that credentials and related authentication and authorization for Authority Token acquisition encompassed in that relationship. [...] There seems to be a missing word or two here, maybe "are encompassed" and "that the credentials and related [...]". POST /at/account/:id/token HTTP/1.1 Host: authority.example.com Content-Type: application/json Is ":id" intended to be a placeholder for an actual account identifier? That might be worth mentioning in the prose and/or using a little bit more markup around. (draft-ietf-acme-authority-token-tnauthlist does attempt to put some text in to that effect.)
- [Acme] Benjamin Kaduk's Discuss on draft-ietf-acm… Benjamin Kaduk via Datatracker
- Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf… Peterson, Jon