Re: [Acme] dns-01 challenge limitations

Philipp Junghannß <teamhydro55555@gmail.com> Fri, 11 September 2020 13:27 UTC

From: Philipp Junghannß <teamhydro55555@gmail.com>
Date: Fri, 11 Sep 2020 15:27:35 +0200
Message-ID: <CACHSkNrc6Gnqwfq2OzgEqvCCrhKb3SLO9YJOcDRTPV3s27OZJQ@mail.gmail.com>
To: Simon Ser <contact@emersion.fr>
Cc: "acme@ietf.org" <acme@ietf.org>, "Matthew.Holt@gmail.com" <Matthew.Holt@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/HH8M3p2gcH_pjroZcYwJrOJ9mxc>

Well, Certificate Transparency is something one should maybe keep
notifications for.

Also, I can understand the problem, but I have not decided the outcome; I
merely stated what I got as an answer back then.

The problem is obviously also that the CA/Browser Forum has certain requirements,
and I guess having access to some kind of direct verification at the time
of issue might probably be one of these.

On Fri, 11 Sep 2020 at 15:21, Simon Ser <contact@emersion.fr> wrote:

> Hi,
>
> On Friday, September 11, 2020 3:13 PM, Philipp Junghannß <
> teamhydro55555@gmail.com> wrote:
>
> > I have asked that question in the LE forum; IIRC the problem is that
> > someone could place that record once, and as long as someone doesn't
> > look at it all the time, one can easily miss the fact that someone can
> > create wildcards and stuff for that domain, so the point is to prove
> > that DNS access is given at the time of issuance.
>
> If someone has once write access to the DNS, they can set an
> acme-challenge record, redirect all requests, and issue wildcard certs.
> That would be easy to miss, too.
>
> > You could maybe use a different DNS server which has a better API,
> > and potentially even can be used by ACME.
>
> The issue at hand isn't that a particular DNS registry operator isn't
> supported by a particular ACME client. What I want to fix is the need
> for all ACME clients to support all DNS registry operators.
>
> Thanks,
>
> Simon
>
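As an added illustration (not part of the thread or any ACME client), this Python computes the dns-01 TXT value the way RFC 8555 section 8.4 defines it, which is the mechanism behind "prove that DNS access is given at the time of issuance": the value is bound to the per-authorization token, so a record placed once does not satisfy a later authorization. The account key JWK and the two tokens are constructed sample values.

```python
import base64
import hashlib
import json

# Constructed sample values (not from the thread): a P-256 account key in JWK
# form with placeholder coordinates, and two challenge tokens standing in for
# what a CA hands out for two separate authorizations.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "placeholder-x-coordinate", "y": "placeholder-y-coordinate"}
TOKEN_FIRST_ORDER = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
TOKEN_LATER_ORDER = "DGyRejmCefe7v4NfDGDKfA"


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 8555 requires throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: the _acme-challenge TXT value is
    base64url(SHA-256(token '.' account-key-thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def published_record_satisfies(published_txt: str, token: str, jwk: dict) -> bool:
    """What the CA's validator effectively checks: does the TXT value found at
    _acme-challenge match the value expected for *this* authorization's token?"""
    return published_txt == dns01_txt_value(token, jwk)


if __name__ == "__main__":
    old = dns01_txt_value(TOKEN_FIRST_ORDER, SAMPLE_JWK)
    print("TXT for first order :", old)
    print("TXT for later order :", dns01_txt_value(TOKEN_LATER_ORDER, SAMPLE_JWK))
    # The record left behind from the first order does not pass the later one.
    print("stale record passes later order?",
          published_record_satisfies(old, TOKEN_LATER_ORDER, SAMPLE_JWK))
```

Because a fresh token changes the expected TXT value, a leftover `_acme-challenge` record from an earlier issuance is inert for new orders; the residual risk Simon describes comes from retained write access to the zone, not from the old record itself.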