Re: [Acme] Well Known CA->client poll on port 80/443 in http-acme

Ilari Liusvaara <ilariliusvaara@welho.com> Sun, 15 January 2017 15:04 UTC

Date: Sun, 15 Jan 2017 17:04:07 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Dirk-Willem van Gulik <dirkx@webweaving.org>
Message-ID: <20170115150407.GA26702@LK-Perkele-V2.elisa-laajakaista.fi>
References: <9099A621-D460-47B6-9172-0984CF3A0DC8@webweaving.org> <20170115140330.GA26429@LK-Perkele-V2.elisa-laajakaista.fi> <6AEBC4C9-FA1B-4672-AE58-15C165722B30@webweaving.org> <20170115142931.GB26429@LK-Perkele-V2.elisa-laajakaista.fi> <65DAC165-2700-4DA5-A492-28B1F2E60541@webweaving.org>
In-Reply-To: <65DAC165-2700-4DA5-A492-28B1F2E60541@webweaving.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/GwAhbMv0Tld6OFlPF1pcNA_tmMk>
Cc: acme@ietf.org
Subject: Re: [Acme] Well Known CA->client poll on port 80/443 in http-acme
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>

On Sun, Jan 15, 2017 at 03:39:43PM +0100, Dirk-Willem van Gulik wrote:
> 
> > On 15 Jan 2017, at 15:29, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> > 
> > There actually are restrictions on what ports public CAs can use for
> > authentication. These are:
> > 
> > - 80 (HTTP)
> > - 443 (HTTPS)
> > - 115 (SFTP; no, not _that_ SFTP [1])
> > - 25 (SMTP)
> > - 22 (SSH)
> > 
> > These limits are exactly so that unprivileged users don't bind
> > daemons to the ports and use those to obtain certificates (the
> > certificates are valid for all ports).
> 
> Just to make sure I understand the reasoning:
> 
> CA Policy prohibits an ACME CA Server from fetching the token
> (authenticating) from a subscriber port > 1024 (or a port not an
> element of [80,443,115,25,22]) because (on common flavours of
> unix) an un(der)privileged user may run a daemon on such a port.
>
> Correct ? Just so I understand the tradeoffs made correctly when
> implementing/mitigating the root-risk on the webserver side.

Actually, ACME as it currently stands can use only 80 or 443 (there is
no explicit port selection anywhere). The remaining three ports
might be used by non-ACME public CAs.

And all those five ports are privileged to bind to (but once
bound, are not privileged to accept connections from [2]). And if
you are talking about abuse from root, there is not much that
can be done, outside Mandatory Access Control extensions like
SELinux and such.

> You would not happen to know where these are documented (I’ve
> scanned CPS, SA and policy but no cookie yet).

CABForum Baseline Requirements. (I looked up version 1.3.9, since
the 1.4 versions are AFAIK essentially withdrawn.)


[2] It is actually possible to bind to such a port, drop privileges
and then pass the descriptor to another program via exec or even a
local socket. The receiver can then accept connections from it,
even if the receiver was never privileged. I have one daemon on one VM
that does just that with port 443.


-Ilari
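The bind-then-hand-over pattern from footnote [2], and the "privileged to bind, not privileged to accept" point above it, as working code. This is an added example, not code from the thread or from Ilari's daemon: the parent binds the low port while still root, drops privileges for good, and passes the listening descriptor over a socketpair with SCM_RIGHTS to a child that never binds anything and only calls accept(). The concrete values are assumptions, not from the thread: Linux/glibc, port 443 by default, uid/gid 65534 ("nobody") as the unprivileged identity; run unprivileged with a high port it keeps the current uid/gid, since there is nothing to drop.

```c
/* Added example, not code from the thread: bind a privileged port while
 * root, drop to an unprivileged uid/gid, then hand the listening socket
 * over a UNIX socket (SCM_RIGHTS) to a process that accepts connections
 * with no privilege at all. Assumptions for the demo: Linux/glibc,
 * port 443, uid/gid 65534 ("nobody"). */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
int setgroups(size_t n, const gid_t *groups);  /* glibc prototype, in case a strict -std hides it */

/* Listening TCP socket on 0.0.0.0:port; returns fd or -1. Ports below 1024
 * need root (CAP_NET_BIND_SERVICE) for this call, and only for this call. */
int bind_listener(uint16_t port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Port a bound socket actually listens on (also resolves port 0). */
int bound_port(int fd) {
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return -1;
    return ntohs(sa.sin_port);
}

/* Drop to uid/gid for good: supplementary groups, then gid, then uid, and
 * confirm root cannot be regained. Returns 0 on success, -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (getuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* still root: refuse to continue */
    return 0;
}

/* Send one descriptor over a UNIX-domain socket via SCM_RIGHTS; 0 or -1. */
int send_fd(int chan, int fd) {
    char byte = 'F', buf[CMSG_SPACE(sizeof fd)];
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = buf, .msg_controllen = sizeof buf };
    memset(buf, 0, sizeof buf);
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof fd);
    memcpy(CMSG_DATA(cm), &fd, sizeof fd);
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive the descriptor sent by send_fd; returns the new fd or -1. */
int recv_fd(int chan) {
    char byte, buf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = buf, .msg_controllen = sizeof buf };
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof fd);
    return fd;
}

/* Demo: as root with no argument for port 443; unprivileged with a high port. */
int main(int argc, char **argv) {
    uint16_t port = argc > 1 ? (uint16_t)atoi(argv[1]) : 443;
    uid_t uid = getuid() == 0 ? 65534 : getuid();
    gid_t gid = getuid() == 0 ? 65534 : getgid();
    int chan[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan) < 0) { perror("socketpair"); return 1; }
    pid_t pid = fork();
    if (pid == 0) {                         /* receiver: never binds, never needs root */
        close(chan[0]);
        if (drop_privileges(uid, gid) < 0) { perror("drop_privileges"); _exit(1); }
        int lfd = recv_fd(chan[1]);
        if (lfd < 0) { perror("recv_fd"); _exit(1); }
        printf("uid %u accepting on port %d\n", (unsigned)getuid(), bound_port(lfd));
        int c = accept(lfd, NULL, NULL);    /* accept() needs no privilege at all */
        if (c >= 0) close(c);
        _exit(c < 0);
    }
    close(chan[1]);
    int lfd = bind_listener(port);          /* the only step that needs root */
    if (lfd < 0) { perror("bind_listener"); return 1; }
    if (drop_privileges(uid, gid) < 0) { perror("drop_privileges"); return 1; }
    if (send_fd(chan[0], lfd) < 0) { perror("send_fd"); return 1; }
    close(lfd); close(chan[0]);             /* the binder no longer holds the socket */
    return waitpid(pid, NULL, 0) < 0;
}
```

Run as root and connect once with `nc localhost 443`; the receiver prints its (non-root) uid and the port it accepted on. The exec variant in the footnote is the same idea with less machinery: a descriptor without FD_CLOEXEC survives execve(), so the binder can drop privileges and exec the real server with the listening fd at an agreed number. In either variant the receiver should verify what it was handed (getsockname(), as bound_port does) rather than trust that the descriptor is the socket it expects.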