Re: [Acme] WGLC for ACME DTN Node ID

Brian Sipos <BSipos@rkf-eng.com> Fri, 16 April 2021 21:28 UTC

Return-Path: <BSipos@rkf-eng.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B01443A35CE for <acme@ietfa.amsl.com>; Fri, 16 Apr 2021 14:28:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=rkf-eng.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xRIoB3Eg0_M8 for <acme@ietfa.amsl.com>; Fri, 16 Apr 2021 14:28:18 -0700 (PDT)
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (mail-dm6nam11on2076.outbound.protection.outlook.com [40.107.223.76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C1843A35CD for <acme@ietf.org>; Fri, 16 Apr 2021 14:28:18 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=QheeCoKRhq8X//Y35+tP5p70hjTNhLl6jGdU+l9zyKHHJvJtQgytzcgWGqJqR2u33QN8UVnWqC+JonJtgtDPJZsrDKgNBYa7HdR2be2t+kYHK5CIaHnO+6NbzyxFfu6mM/oZmWPsGUm7YKZI2uDvHeWaRk5GWasd+6NMvpMnF+LCriKZ2glnlOPH/cuhB2YU4jtatfCPIgqM1FFpQyJYaJTtoieS3YWLTNDEAazSO5F/7AtzxL0d2oCBq+UBmZgiAbzgHT8G0XAsuQRnUAukFV1MR6vqQs7iAbsbn2El5M7oyMFL+/LpuaSgQcWdEq/jks2FygnCj0XFqWd2LEKbGg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VRhTHfW1cxomJdOj5QMx1GuSbKdI56lDnr3gBJRT5m8=; b=JDzk7temccf264apKVbtm6yOeN9x2MUA4YIewF1/1qjATlmjTLlbsDKPeWxRctxneMIeUH6oUqmfgNcA1C6WvLW5TDbL08go9UGxVOFdJzEZbHLoUYnE01CvuzchYSEh4ls8hIZnaw/MoihARqmuWvrqz3nxm35F7BVNUKNT2ENTF+O/cNx2ndLbWcbfxysjx7n26rAg2/Gn8U/+sayJ5+BQxvWfkMAhW5aS01J2zvOPbGyz4WX11JJpeTnBHxjlq/K0ZUZd7KPRAbewVpqwaXR370R82zR+S96ZLZ51Pkv4/nG/otUYyaBIMnzo5m7/nl/rp9Fe+5tx1IzNA0ch9Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=rkf-eng.com; dmarc=pass action=none header.from=rkf-eng.com; dkim=pass header.d=rkf-eng.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rkf-eng.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VRhTHfW1cxomJdOj5QMx1GuSbKdI56lDnr3gBJRT5m8=; b=XlUAFfD3EFdEKsjKmOe43kwsFNKXU/sd3dHES7BXG0kfXhFFFFBrJAhMEriIfLT5ettebs6bGWr0OFunzi/6YTLQ5Xxw5zuDDmO4cCvjiS1NgbixfgMAPyrbCRENoPNttjPcHAmKXxM3o246fYScy0xD6qkpqBxtxy2/zfXFrWU=
Received: from DM6PR13MB3562.namprd13.prod.outlook.com (2603:10b6:5:1c4::33) by DM6PR13MB4379.namprd13.prod.outlook.com (2603:10b6:5:1d1::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4065.8; Fri, 16 Apr 2021 21:28:15 +0000
Received: from DM6PR13MB3562.namprd13.prod.outlook.com ([fe80::7cb4:2a94:ec20:e117]) by DM6PR13MB3562.namprd13.prod.outlook.com ([fe80::7cb4:2a94:ec20:e117%5]) with mapi id 15.20.4042.019; Fri, 16 Apr 2021 21:28:14 +0000
From: Brian Sipos <BSipos@rkf-eng.com>
To: "acme@ietf.org" <acme@ietf.org>
CC: "ryan-ietf@sleevi.com" <ryan-ietf@sleevi.com>, "alexey.melnikov@isode.com" <alexey.melnikov@isode.com>
Thread-Topic: [Acme] WGLC for ACME DTN Node ID
Thread-Index: AQHXMwdofSNCozHHr0WDM1PTxsWmzw==
Date: Fri, 16 Apr 2021 21:28:14 +0000
Message-ID: <53eb2ec146be9b4a553b6ffd68f9038e0d8de350.camel@rkf-eng.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Evolution 3.40.0 (3.40.0-1.module_f34+11756+2e59385f)
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=rkf-eng.com;
x-originating-ip: [96.241.16.84]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 51aed34f-b16c-4bb5-e663-08d9011e8b55
x-ms-traffictypediagnostic: DM6PR13MB4379:
x-microsoft-antispam-prvs: <DM6PR13MB4379D0DAE2101857EEF2F5689F4C9@DM6PR13MB4379.namprd13.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: odjNL9uLzBMojrg37lIdnXpL+u9RwS41VPF6u0LLpIPmpc2JUo6pRM5joEtygzZTuMs/z5gCCdcpJFgf7/7RVxZLcEJ1UJTI2Dbp6YMCg9mc31SwZ6uJYhn2g6rWpSFU9dOHbvP45lyLzDqQtpSMoZl36Wf+7pFRZAL4gLLLQ6HXMhgh5o280hTIlECo0ApnmjSaxvd6oUjZQEw45Ua9lE3X/wiAZqRP6S4kionV0k/ulT8VME97Ihjzl1voTSwambPivuC469Lfzp7eJAlF9ryDjWuH6fXqxmf2gC10u3AxQSl+vzi+KZgQ30MxK6666s1my7JPcammwgbeUIkWDwr9GK0wssl0NX392/56T5KZshy9UCAkCQ4KPzgt6Vkeoo0cZJT5H0HfQFZurFBD2APYjy6KBB8E5sklmvBI8e1ieOP7nZCuWfJwRqbkYMAKuDTftcp4sJH0s5vFPFyDlIEck0B1iXR9+j2RnxdbZnLkj4nLnsITy6Xlr18hdGxMiaDC0BNY4PDqUO7SC1Of5HrnL4PMKvBsKNJnp4HwQ9z3ihR9bPNROPw5/kO1Iz6MLxMgxBvfJ27/AGizM/Tl8d2pEanae/PqySV+XKv5H/c=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR13MB3562.namprd13.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(39830400003)(376002)(366004)(136003)(346002)(396003)(66556008)(66446008)(83380400001)(64756008)(76116006)(91956017)(6512007)(2616005)(8936002)(316002)(2906002)(66616009)(66574015)(478600001)(66946007)(66476007)(5660300002)(122000001)(6486002)(71200400001)(86362001)(36756003)(54906003)(4326008)(38100700002)(6506007)(99936003)(26005)(186003)(6916009)(8676002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: OZ1QZqsc13SObNH24cXbKt/jDVPhkUEONLq2jLevavHXJFJT0bt31F/QAE4zQ8Ij+jYWrhW+UQa5DiM9qwqayXB5M2kuu6rvP7wV+Nsv4DUxweqtykoBgM6J1sQHD2rLdiDSVaoG+H54L8erw+q2bkVcyUa8l5Payxa0IF6OOjV15LMd4dD4kSGqoHVER2uRxkhT171g8kJ4C8zefYv/T+2V4W07AijnkggeepJ/8ooffC1r1zdrJ6UNsT95Dkk9mhR2sNRSDMaE2PX4Psowa1y4CR/HpLmYolWt2EvwxtrhvYT3osweN/FZAw3PTieCz7eAds6D85jPSkwbtyI0sBLMtHpudUcMFCcLQo75dmgjhAzqgniIGFKdnfOUHPdoa66qgEDrzZJuEJ3KVZoW94MtWHh3aszFcfq0oXOKKT3iMok4kLqJESqy3lb1PTvbOOALpkpX2C9Rx/NYwWlRiLaadXE2ZysyFLahrDqEs4aAqizpabtfAHFo7W3CXhHbTrhiscdzVSN/IMGJyBBE3Q1D01mcmftYyTZCMnd812cr8RPrcn9Teh/D08nThBuP21OBhZCzKGDRqCprm5beSYrnN8zRWgt0Cg3KSHS+HaLC0Cjq1DFeqdKRfhb7gLnFbKsaCsXEZzQm+dIV0qSMvKhCBOu0SYaj4W0FbwcP5sYKDnkYnAeP7IZ5LVIPJ8DVuX4cvJODiTDdLwp9u0KAJr6kh/DuXqDRlE05k79VHaMOeXXJO/COATDfFv/23d+3teFZcquaVBvG5fBRIlJYb8xeq8+DZAxGn2FO9UzHJ4NTNLea40TIcv0FEQ5NuVY44BORzbPyoDKbU/VzlH7W5H5xLf7GqcvY3tzLvb23GzAnw+CUr7vBVo1CnfjVaYtxnzfV+cceL0TCCU6mkrw51ykHhnxSOVPdSJpnEeEplp6yJYQqBRRFJOPmoEvjULQecNUWC+G/6ANo9/YFOIZCwEYd87zcRvRHBpXBIAceabTGolM5DqGwVOKAKQZBSASDwKQ4IBbI8xMd2S2i/0C8qYc0lxJc2HUcEBYx0tZzQUah6CwR6cYHdSxtE91x8F7XbkkxPMee722FJs9zrgzGOdxBv3s1r+wq2tlTYe2L+Lzvvz7nKAVTMbAhzUj5TmpyeIB3Gka06sAx7wZ/FRehaLO5+hQKfPQmdXxngJoGO2/oDZXbMqEXupzFaXqTZeU2JIAuQ9jBiwx0/il+4HROk/WeR05r0A5+JGgAd812m/38Jwv1WvfCKDk5ZHZ6hojjYbI4j3jwsiBFcSJKP2qwvCd9WGXQy0ei+BRaAET+oKbTQNmHNl4GINvl0pd1hmW+
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; micalg="sha-256"; protocol="application/pkcs7-signature"; boundary="=-EMxTauyJlf2EtTMV90fC"
MIME-Version: 1.0
X-OriginatorOrg: rkf-eng.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR13MB3562.namprd13.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 51aed34f-b16c-4bb5-e663-08d9011e8b55
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Apr 2021 21:28:14.5416 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4ed8b15b-911f-42bc-8524-d89148858535
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: OEIyfTKIP1DCbU4q3/mNT/3HswRCV1P39UFnJLMvVZBfnLh8T9EIPaTeDJqc/43FiueT1cMnIFjs+mAsdU91vA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR13MB4379
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/HCnRPHRiyf2qhyoNVSnDDGK1d88>
Subject: Re: [Acme] WGLC for ACME DTN Node ID
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Apr 2021 21:28:24 -0000

Ryan,
Thank you for the review comments. My responses are inline with prefix "[BS1]".

> With admittedly very little context for this specific use case, a few
> things stand out:

> Section 2 states "Any identifier of type "uri" in a newOrder request MUST
> NOT have a wildcard ("*") character in its value." This seems to
> unnecessarily constrain the character space. While I suspect the purpose
> was to exclude wildcards from the authority-part of a generic URI/specific
> to a particular scheme, it ends up defining the semantics for all URIs.
> Given URI's well-known ambiguity in representation across implementations,
> and the ability to do things like include pct-encoded characters in
> reg-name (it's only a must requirement, not a MUST requirement), this both
> seems unnecessarily restrictive and fails to achieve the goal, especially
> since such decoding to prevent this scenario, at the ACME server, is SHALL
> NOT'd by the same section.

> If the goal is to prevent wildcards that imply certain semantics for a
> given scheme (e.g. "dtn:"), then that probably deserves a separate section
> detailing the requirements for the extraction and validation of the Node ID
> from the URI, and can define any restrictions on the character namespace.

> Alternatively, since identifier labels are cheap, making the identifier
> type a dtn-uri (rather than the acknowledge-generic URI) seems like a way
> to impose requirements specific to DTN URIs without risk of overfitting for
> other types of URIs.

[BS1] This was a copy-paste statement from ietf-acme-email-smime, and I agree
that this imposes unnecessary restrictions on the "uri" type. I will add
clarification that the URI must conform to any scheme-specific syntax.
It is actually the case that both "dtn" and "ipn" URI specifications [1]
restrict a Node ID to have a specific set of allowed characters (similar to
restrictions on DNS names). So a Node ID is a more restricted form of a generic
"dtn" or "ipn" URI, and I will add clarifying statements outside of the "uri"
type definition.

> Section 3 describes how this cribs from ietf-acme-email-smime, but provides
> no clear explanation as to the _why_, only the _how_. For example, the
> statement "requires that the ACME client have access to the results of each
> channel to get both parts of the token" describes a result, but does not
> describe the motivation that necessitates such a design. This seems like it
> might be relevant for security considerations, but documenting the
> rationale for this design seems relevant to successfully and securely
> implementing/extending this spec. This becomes equally relevant when
> attempting to understand why the choice of 128-bits of entropy within
> Section 3.1, since it seems the choice in the size of the parts is equally
> related to this undocumented threat.

[BS1] Yes, there is a missing "Threat: Bundle Replay" which applies to both
Challenge and Response bundles in similar ways. The "token-part2" is the unique
value for the whole ACME challenge and the "token-part1" is the unique value for
each bundle exchange. Having -part1 proves recepton of the Challenge Bundle (but
on-path attackers will also see this) and having -part2 proves access as the
ACME client (which will be hidden from OPAs).
Thinking through the logic a bit, I don't know if there is much value in -part2
since:
 1. It's not part of the challenge bundle itself, so can't be used for on-path-
attack filtering.
 2. It's used for the Key Authorization value alongside the client key
thumbprint, so there already is data binding the response to that ACME client.
 3. The 
Maybe Alexey (CC'd on this message) has some insight about the token splitting
for a messaging challenge (i.e. not a HTTP/TLS/DNS request-response exchange).

> In Section 3.1, I'm probably just not familiar enough with the underlying
> specs, but as far as I could tell, it's not clear why Step 3 the ACME
> client needs to indicate the <token-part2> to the BP agent, versus just the
> source. The source Node ID is clear, at least, but it seems like, at best,
> <token-part2> might just be serving as a "request ID" of sorts (judging by
> 3.4)

> The reason I highlight this is because I think it diverges from some of the
> classic assumptions about ACME and challenge design, because it seems to
> suggest that <token-part2> may transit the network in the clear and/or be
> held by multiple parties, which is a very different model than the history
> of ACME's DNS/TLS challenges being tied to the CA/Browser Forum's Request
> Token (which not simply a random value, but uniquely bound to the original
> request and is single-use). I *think* this might just be a terminology
> issue here, but would it make sense to name these according to their
> structural purpose, rather than just "token-part1" / "token-part2"?

[BS1] I agree that more purposeful names could help; the current ones were chose
only to follow in the steps of ietf-acme-email-smime draft.
The purpose of "token-part2" is in fact to be unique for the ACME challenge,
while the ACME server Node ID would be long-lived and shared across many
challenges. The -smime draft actually doesn't say (either way) about whether
multiple emails sent to validate a single challenge should all contain the same
"token-part1". It seems to be implied that one challenge would produce exactly
one challenge email.

> In Section 3.3, it's stated "The ACME server SHOULD NOT perform URI
> normalization on the Node ID given by the ACME client.". It seems like this
> deserves its own section within Security Considerations, because as with
> the above remarks, when, where, and how URI normalization is performed
> seems like it has significant security impact. Even if this protocol uses
> unnormalized URIs throughout the entire protocol, if implemented on top of
> anything that performs normalization, or the certificates that are issued
> are used by clients that perform normalization, you can end up with
> ambiguities / confused deputies. Normally in a security protocol you would
> want to validate and normalize your 'hostile' inputs as early as possible
> in this flow, and that's one of the key roles of the ACME Server / CA, so
> that it uses identifiers that are post-normalized/unambiguous. This seems
> like a major oversight, but it could be that I'm misunderstanding something
> specific to DTN.

[BS1] I don't believe that you are misunderstanding, and this is a good point to
clarify. 

> Section 3.3 states "BP agents SHALL refuse to respond to a Challenge Bundle
> which is signed by a known ACME server but has an invalid signature.". It
> seems like this also deserves a note within the Security Considerations,
> both in terms of how BP agents/ACME clients should determine whether an
> ACME server is "known" and how they can successfully determine an invalid
> signature (i.e. how to maintain the expected signing keys). This might
> merely be a spec reference to DTN, but this normative language appears to
> be trying to mitigate an undocumented security threat.

[BS1] I am adding clarifying text under "Threat: BP Node Impersonation" as it
applies on both sides of the BP messaging.
There is a way to use BPSec BIB signature/MAC to behave in a very similar way to
email DKIM, in that you trust a signing entity to vouch for some message-
generating end entity. Unfortunately BP doesn't (currently) have the same kind
of in-band control over naming that something like DNS provides (to support
DKIM), so this configuration is all out-of-band and implementation-specific.

For ACME server authentication, the ACME client BP agent would need to be
configured to trust either a raw key or an end-entity PKIX cert signed by some
client-trusted CA.

> I agree with Russ' comments on Section 4 where the EKU MUST be included in
> the issued certificate. Related, the profile from that Section 4.4.2 seems
> problematic for implementation (around keyUsage), but alas, that's a whole
> other issue for a whole other spec :)

[BS1] I agree also and am adding lanugage about this.

> Section 6.1 feels unnecessarily light for explaining why it's not a
> concern. It feels like a bit of a handwave, rather than a statement of how
> the conclusions are reached. If I'm correctly understanding, the reason
> you're saying both the challenge and response are fine to be publicly known
> is that they can only be used in conjunction with the ACME account
> performing the challenge, which relies on a private key which is not
> communicated. Is that right? It doesn't seem like that provides much
> assurance, for the reasons detailed in Section 6.2

[BS1] Yes, the reason why 6.1 is not an issue (for ACME) is that all on-the-wire
ACME data is either random token or cryptographic hash data, and it's all per-
challenge so there should be no risk of replay-ability.

Regarding proof-of-naming-authority (which is part of what this validation
relies on), I am strengthening the requirement that Challenge and Response
bundles must be signed by a trusted security source but still the configuration
of which security source is trusted for which Node IDs is left to the
implementation. DTN does not yet have the same kind of robust naming authority
and hierarchical structure that DKIM/DNSSEC/DNS provides; the security
configuration would be something like "I trust the source dtn://their-
enclave.authority/ to sign for Node IDs matching pattern dtn://their-
enclave\.(.+)/" so that validating ownership of individual Node IDs relies on
that delegation of trust similar to how ACME validation of "dns" claims relies
on trusting DNS.