Re: [Acme] I-D Action: draft-ietf-acme-tls-alpn-00.txt

Corey Bonnell <CBonnell@trustwave.com> Fri, 09 March 2018 16:22 UTC

From: Corey Bonnell <CBonnell@trustwave.com>
To: "acme@ietf.org" <acme@ietf.org>
Date: Fri, 09 Mar 2018 16:22:22 +0000
Message-ID: <8FD66582-19DD-4268-BBD7-182C64FA815D@trustwave.com>
References: <152004450360.8238.9598390558043159042@ietfa.amsl.com>
In-Reply-To: <152004450360.8238.9598390558043159042@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/I-kYlek8KftYoTINi3PCfrmq7dc>
Subject: Re: [Acme] I-D Action: draft-ietf-acme-tls-alpn-00.txt

Hello,
I read over draft-ietf-acme-tls-alpn-00 and noticed two things:
1) Section 3 states, "If all of the above steps succeed then the validation is successful, otherwise it fails. Once the handshake has been completed the connection should be immediately closed and no further data should be exchanged". Perhaps I'm reading this too literally, but I think this is ambiguous, where "handshake" can mean either the TLS handshake in its entirety (such as sending ChangeCipherSpec/Finished messages, etc.) or if the connection should be terminated upon the client receiving the ServerHello message (which is the entirety of the "handshake" described in steps 1-3). I imagine the former is preferable, so the wording should perhaps explicitly specify "TLS handshake".
2) Section 5 (IANA considerations) has no mention of updating the IANA "Application-Layer Protocol Negotiation (ALPN) Protocol IDs" registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids) with the new ALPN identifier "acme-tls/1". For consistency with other documents that define ALPN identifiers, "acme-tls/1" should probably be added to the registry.

Thanks,
Corey
 
Corey Bonnell
Trustwave | SMART SECURITY ON DEMAND

On 3/2/18, 9:35 PM, "Acme on behalf of internet-drafts@ietf.org" <acme-bounces@ietf.org on behalf of internet-drafts@ietf.org> wrote:

    
    A New Internet-Draft is available from the on-line Internet-Drafts directories.
    This draft is a work item of the Automated Certificate Management Environment WG of the IETF.
    
            Title           : ACME TLS ALPN Challenge Extension
            Author          : Roland Bracewell Shoemaker
            Filename        : draft-ietf-acme-tls-alpn-00.txt
            Pages           : 7
            Date            : 2018-03-02
    
    Abstract:
       This document specifies a new challenge for the Automated Certificate
       Management Environment (ACME) protocol which allows for domain
       control validation using TLS.
    
    
    The IETF datatracker status page for this draft is:
    https://datatracker.ietf.org/doc/draft-ietf-acme-tls-alpn/
    
    There are also htmlized versions available at:
    https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-00
    https://datatracker.ietf.org/doc/html/draft-ietf-acme-tls-alpn-00
    
    
    Please note that it may take a couple of minutes from the time of submission
    until the htmlized version and diff are available at http://tools.ietf.org
    
    Internet-Drafts are also available by anonymous FTP at:
    ftp://ftp.ietf.org/internet-drafts/
    
    _______________________________________________
    Acme mailing list
    Acme@ietf.org
    https://www.ietf.org/mailman/listinfo/acme
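The exchange the two points above concern, written out as an added example that is not part of this thread and not code from the draft or its author: a responder that presents the acme-tls/1 challenge certificate and a validator that connects with SNI and ALPN, completes the full TLS handshake (the reading Corey says is preferable), checks the certificate, and closes without exchanging application data. Assumptions: the function names ServeChallenge, ChallengeCert and Validate, the domain example.com and the key authorization string "tok.thumb" are chosen or constructed here; the acmeIdentifier OID 1.3.6.1.5.5.7.1.31 is the value assigned in RFC 8737, the published form of this draft, and may not match draft-00's text; Go's crypto/tls is used for both ends.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

const acmeALPN = "acme-tls/1" // ALPN protocol ID from the draft; RFC 8737 later registered it with IANA

var oidAcmeIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31} // id-pe-acmeIdentifier per RFC 8737 (assumption: draft-00 may differ)

// ChallengeCert builds the responder's self-signed certificate: SAN dNSName = domain plus a critical acmeIdentifier extension holding SHA-256(keyAuthz).
func ChallengeCert(domain, keyAuthz string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	digest := sha256.Sum256([]byte(keyAuthz))
	payload, _ := asn1.Marshal(digest[:]) // DER OCTET STRING of the digest
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		DNSNames:        []string{domain},
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidAcmeIdentifier, Critical: true, Value: payload}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// ServeChallenge is the responder: it serves the challenge certificate only when SNI == domain and acme-tls/1 is offered, then closes right after the handshake.
func ServeChallenge(cert tls.Certificate, domain string) (addr string, stop func()) {
	cfg := &tls.Config{
		NextProtos: []string{acmeALPN},
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			for _, p := range h.SupportedProtos {
				if p == acmeALPN && h.ServerName == domain {
					return &cert, nil
				}
			}
			return nil, fmt.Errorf("not an acme-tls/1 validation request for %s", domain)
		},
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		panic(err)
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c *tls.Conn) { c.Handshake(); c.Close() }(c.(*tls.Conn)) // full handshake, then no application data
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }
}

// Validate is the ACME server side: dial with SNI and ALPN, complete the whole TLS
// handshake, check the presented certificate, then close without sending any data.
func Validate(addr, domain, keyAuthz string) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		ServerName:         domain,
		NextProtos:         []string{acmeALPN},
		InsecureSkipVerify: true, // self-signed by design; the explicit checks below replace chain validation
	})
	if err != nil {
		return err
	}
	defer conn.Close() // Dial returns once the handshake is complete; nothing further is exchanged
	if conn.ConnectionState().NegotiatedProtocol != acmeALPN {
		return fmt.Errorf("server did not negotiate %s", acmeALPN)
	}
	cert := conn.ConnectionState().PeerCertificates[0]
	if err := cert.VerifyHostname(domain); err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(keyAuthz))
	want, _ := asn1.Marshal(digest[:])
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidAcmeIdentifier) {
			if !ext.Critical || string(ext.Value) != string(want) {
				return fmt.Errorf("acmeIdentifier extension is non-critical or does not match the key authorization")
			}
			return nil
		}
	}
	return fmt.Errorf("acmeIdentifier extension missing")
}

func main() {
	addr, _ := ServeChallenge(ChallengeCert("example.com", "tok.thumb"), "example.com") // constructed sample values
	fmt.Println("validation result:", Validate(addr, "example.com", "tok.thumb"))
}
```

Two points worth noting for anyone implementing this. The responder hands out the challenge certificate only when both the SNI and the offered ALPN list match, so an ordinary HTTPS client connecting to the same port never sees it; Go's server also aborts the handshake on its own when a client offers ALPN without acme-tls/1. The validator turns off chain verification only because the certificate is self-signed by design, and substitutes the explicit SAN and critical acmeIdentifier checks; with a wrong key authorization or a wrong SNI, Validate returns an error rather than nil.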