Re: [Acme] [Technical Errata Reported] RFC8555 (6317)
Aaron Gable <aaron@letsencrypt.org> Wed, 03 January 2024 17:24 UTC
Return-Path: <aaron@letsencrypt.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F7A7C3F0C25 for <acme@ietfa.amsl.com>; Wed, 3 Jan 2024 09:24:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YkOSkKU9AgGd for <acme@ietfa.amsl.com>; Wed, 3 Jan 2024 09:24:42 -0800 (PST)
Received: from mail-oi1-x22e.google.com (mail-oi1-x22e.google.com [IPv6:2607:f8b0:4864:20::22e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0BF8C14F60F for <acme@ietf.org>; Wed, 3 Jan 2024 09:24:19 -0800 (PST)
Received: by mail-oi1-x22e.google.com with SMTP id 5614622812f47-3bbd6e377ceso4250251b6e.1 for <acme@ietf.org>; Wed, 03 Jan 2024 09:24:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; t=1704302659; x=1704907459; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=f8tO+RNsfENSHufosCn6tNHiMrOKVYFvB8yRJ3NyBSo=; b=CaCZIkDSugD5qmcR5+7Jyt7cZ5kWk5g5z23WMzAwJHbFtVskyU9nyiQE/JKxnqsCh7 SGGPe0/Ed21xsgqEQt1CVHHEDB2Z/Cfk0n+SjSWEqeJW2vuCkqvaI77aOH/MXdTH0+cd UitPLkv2Yd+dZrRrwE5qGEgBwa4PD9vFKIxCU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704302659; x=1704907459; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=f8tO+RNsfENSHufosCn6tNHiMrOKVYFvB8yRJ3NyBSo=; b=hbftH6+ClKFWPoX+9UZ/wCVuBqFwn5oeOsPhqW7xy1HyJ7s8p2NRcpE880dhjag7Ph P/OJtISk5wZ061N50Y8ZawVyJKRK6Xd+QdrNbifJIOFItTLq+u6rBXwO5v3atuGd6XLi IN0vJZe/JAyn6ne71t3+GpJI2hmkhRI1z60d8lnKG90VhwB3Ad2+yJZLOmr1WlwDqT+c 0VkQGualE02RwAECKu8wxmnjgwYAAORaxA52Lj5PMYW4QFsm6orCQd87btHqW+bi4kwW jnD4pboKBhnB/tzX4ynT4Q2P5FsVRIZ68B4tXJLNrnx50Yf7K2rwtFuiz35M9vqWeoKm b1gw==
X-Gm-Message-State: AOJu0YyMsuI2BOqm60WlRnt5piI5HsZ30xzIR//nC8JgkbLGhKskDEtJ Z1z0prb2due3e1JHGbCHRaQmsEu1jsGDEdGtpHIOUI1GaE/+dyE1Z3hVvRyV
X-Google-Smtp-Source: AGHT+IG3Yy2BMm56FZQXuLM0OOxzyG863k2oL/2RHvfP38JPffumPn4MbWdENPiUDt0tp6vPyEduzVjkLAQIUq9C2Gg=
X-Received: by 2002:a05:6870:51cb:b0:1fa:1c89:c656 with SMTP id b11-20020a05687051cb00b001fa1c89c656mr22708057oaj.56.1704302658861; Wed, 03 Jan 2024 09:24:18 -0800 (PST)
MIME-Version: 1.0
References: <20201023221949.B6009F4072C@rfc-editor.org> <CAGgd1OcBrF-W_rktuTyCNnC_8-tU2i5VQSLAUoc_mw-aZTSANQ@mail.gmail.com> <50047612-01A3-436F-A940-6CAE115F2AD9@gmail.com> <ZZWE9Ni3hx0Cot1J@LK-Perkele-VII2.locald>
In-Reply-To: <ZZWE9Ni3hx0Cot1J@LK-Perkele-VII2.locald>
From: Aaron Gable <aaron@letsencrypt.org>
Date: Wed, 03 Jan 2024 09:24:08 -0800
Message-ID: <CAEmnErcRPTmz0xoJiq+SXCNX5yDJkV7d=JbLLOkxTAXvs1JtuA@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: acme@ietf.org
Content-Type: multipart/alternative; boundary="00000000000092543b060e0de234"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/FZSyg8iFwsHBeNt9l-g3gW3YKo0>
Subject: Re: [Acme] [Technical Errata Reported] RFC8555 (6317)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jan 2024 17:24:46 -0000
I believe this erratum should be rejected, for a few reasons: 1) It is not a clarification or fixing an obvious mistake, it is a change to the protocol. Today, many ACME servers (Let's Encrypt included) immediately move an Authorization to the "invalid" state as soon as any Challenge for that Authz has been attempted and failed. This erratum would make that behavior unacceptable. 2) The motivation for the change is incorrect. Filing a new Order to try again does not require deactivating all of the Authorizations associated with the previous order. In fact, doing so may be detrimental, if any of those Authorizations were already "valid" and the ACME server is willing to re-use existing Authorizations with a new Order. 3) The practical benefits in the current ACME client ecosystem are virtually nonexistent. The number of ACME clients installations which are capable of fulfilling more than one challenge type (i.e. have access to DNS, the webserver's filesystem, and the webserver's handshake protocol) is vanishingly small. Most are configured with enough permissions to fulfill exactly one kind of challenge. Being able to fall back between challenge types in an attempt to fulfill an authorization will not help most clients. Aaron On Wed, Jan 3, 2024 at 8:02 AM Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > On Wed, Jan 03, 2024 at 11:13:01PM +0900, Seo Suchan wrote: > > While looks sensible I wonder if how many clients pulling on auth > > instead of challanges: Those client will pull without limit if this > > behavior applied to CA > > > > For example this client do watch auths status instead of challenge > > itself. > > > https://github.com/diafygi/acme-tiny/blob/c29c0f36cedbca2a7117169c6a9e1f166c501899/acme_tiny.py#L151 > > I would imagine most clients do that. The one that I have written > certainly does (I think it would timeout with "authorization status > stuck" error after 10min). > > AFAIK, ACME does not even guarantee that challenges are fetchable. > > > And one does not have to deactivate authorizations in order to retry. > Just creating new order will either restart from scratch or resume > where one left off, depending on the CA. > > Yes, one would need autotimeouting blacklist for clients that can > try multiple methods, but I do not think that is hard (at least > compared to stuff like handling the three different concurrent > order race conditions). > > > The only reasons I know to deactivate authorizations: > - Getting rid of zombie auths that fail CAA validationmethods. > - Dropping authority to reduce damage on key compromise (explicit > clear-all would be better for this purpose). > > > > > -Ilari > > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme >
- [Acme] [Technical Errata Reported] RFC8555 (6317) RFC Errata System
- Re: [Acme] [Technical Errata Reported] RFC8555 (6… Deb Cooley
- Re: [Acme] [Technical Errata Reported] RFC8555 (6… Seo Suchan
- Re: [Acme] [Technical Errata Reported] RFC8555 (6… Ilari Liusvaara
- Re: [Acme] [Technical Errata Reported] RFC8555 (6… Aaron Gable
- Re: [Acme] [Technical Errata Reported] RFC8555 (6… Jacob Hoffman-Andrews