Re: [Acme] I-D Action: draft-ietf-acme-tls-alpn-00.txt
Tim Hollebeek <tim.hollebeek@digicert.com> Tue, 06 March 2018 00:49 UTC
Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58954126D85 for <acme@ietfa.amsl.com>; Mon, 5 Mar 2018 16:49:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0rNk3yB1KJxz for <acme@ietfa.amsl.com>; Mon, 5 Mar 2018 16:49:23 -0800 (PST)
Received: from mail1.bemta8.messagelabs.com (mail1.bemta8.messagelabs.com [216.82.243.193]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B2AE1241F5 for <acme@ietf.org>; Mon, 5 Mar 2018 16:49:23 -0800 (PST)
Received: from [216.82.242.46] (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)) by server-1.bemta-8.messagelabs.com id 0A/79-10409-295ED9A5; Tue, 06 Mar 2018 00:49:22 +0000
X-Brightmail-Tracker: H4sIAAAAAAAAA1WSe0gUURTGuzO76yhujqvlaSnKTSgNX1GgGCR ZUUGglgSLPWZ1crd9ycxq2x+WVGppUEpZbi2mblIWPUQro6LU8lWJtfkoxExzfZSiVmYPaWZn 7TF/DB/n993vnHs5BC7rksgJ2myiGQOlU0g8RJ1LqqqD8z9YlWGl1lURFY64iCL7tCQa2zQ64 RBvstmmsVhMKdYYVEbzHrG68JddkvowxtxQ81mSieqic5EHISLHMHD0tuK5yJ2QkWcwKJvYyA MZ2YPg2WihGw8kZBi0P2jAeO1Lbobiabuz7kOuhanxdlc9GrLarosFvQ4GPr7gPATXIQDq6sx 8WUomwrvcDlzIr0cwZr3q9LiTUXD1fQbvQeR8mGq+5ozEST9401/s1ED6Qm9bi0TQ82Cob0Ys +BPBOlnrqi8BW3MXEvQieFmch/heQFZh0Jr9wBUUAtX5n1ymrXCz9gsmmI5jcLI8UyyAIDjRc sVl0kJvxSCarR+rt7gODGJwebTRlboQKofPuwngnRgcP3Mw4U2T4XQFPx8PfmAwWdKCC28nh2 77cXQKBVr+uauF8+FkMYL88de4xflo3tBU1C8STKHw6uFzsaBXQHnJCC7oKDj3/bFE0P5wOq/ XTdCrYeTJOLqIiAq0nKWZdJoJDl8ZomI0KWqTntLogsPDIkL0NMtSKbSOUrEhSUZ9JeJWaw73 3UWnLDG1aAGBKeZJIymrUjZXZUw+oKZY9W4mTUeztWghQShAerifY94MnUKb92p03H7OYiA8F b7ShD4OS9lUSs9qUgTUjCIJ+1lHNk4MXB/k/p2DI9m4TGQwGmi5nzSbzyP5A+o0w5+42Y1/iR bJfaSIG1DmmUozeo3pfz6M/Aik8JEW8CmeGoPpT9dhbiCMG6i1+wI/kIn6i+SZKDxhy48yS/L bgPT4GaPq0T6c8fHXfsjoSbeVZ1XpFA3apZfGC+IzRoNnhpd5Pd15nz758bBXx/42pWj9Bq9A 84GqF3TEkTzb221ZR4O0Je5TsYF9TYfuKLVJKw82zi0qKCz9eiMnL/b14qSae9U70r9Vb48OV XesiQsc8r91IuD2yC6FiFVT4UE4w1K/ASFrY5XsAwAA
X-Env-Sender: tim.hollebeek@digicert.com
X-Msg-Ref: server-7.tower-96.messagelabs.com!1520297361!84508064!1
X-Originating-IP: [216.32.180.181]
X-StarScan-Received:
X-StarScan-Version: 9.4.45; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 4188 invoked from network); 6 Mar 2018 00:49:21 -0000
Received: from mail-bn3nam01lp0181.outbound.protection.outlook.com (HELO NAM01-BN3-obe.outbound.protection.outlook.com) (216.32.180.181) by server-7.tower-96.messagelabs.com with AES256-SHA256 encrypted SMTP; 6 Mar 2018 00:49:21 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=3kUCHHXQh4O2xwWmWBO1VbNrPBDkesFtd6ZyGx1YW4Q=; b=L9MrrcSKP1fqwpdmjdM56EN3eIds16EHdp3snEmwKUq1HKfvqWnldwy1AjsGV4beM6RoEqDXk4clOGcXLngtlbsI+gyIeSIoXxyz3vWdQM8XEP23E/ule7frEHbmWlENN74ahyU4vAi5f4yA65ge2sPTGP229nQJQqxQewGQcfY=
Received: from MWHPR14MB1376.namprd14.prod.outlook.com (10.173.232.139) by MWHPR14MB1663.namprd14.prod.outlook.com (10.171.146.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.548.13; Tue, 6 Mar 2018 00:49:19 +0000
Received: from MWHPR14MB1376.namprd14.prod.outlook.com ([fe80::7929:3f48:4a4f:1e32]) by MWHPR14MB1376.namprd14.prod.outlook.com ([fe80::7929:3f48:4a4f:1e32%18]) with mapi id 15.20.0548.016; Tue, 6 Mar 2018 00:49:19 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Jacob Hoffman-Andrews <jsha@eff.org>, "acme@ietf.org" <acme@ietf.org>
Thread-Topic: [Acme] I-D Action: draft-ietf-acme-tls-alpn-00.txt
Thread-Index: AQHTsphBaFvLANvuuEyLtRI8vGB+36PCX/JggAACz4CAAAA6wA==
Date: Tue, 06 Mar 2018 00:49:19 +0000
Message-ID: <MWHPR14MB137680A717982DF2CE74D09983D90@MWHPR14MB1376.namprd14.prod.outlook.com>
References: <152004450360.8238.9598390558043159042@ietfa.amsl.com> <MWHPR14MB1376F483CB3E73791710E38083D90@MWHPR14MB1376.namprd14.prod.outlook.com> <edd49894-c546-3417-066c-c6cad1da1269@eff.org>
In-Reply-To: <edd49894-c546-3417-066c-c6cad1da1269@eff.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [70.169.161.2]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; MWHPR14MB1663; 7:DUVN518Ch50Cae4H1kXkcmVdZs0ZtEAvjptZCa0tn58io8ad28SsNnm5tNJwa2QzBZ/cRlciDYC3ikfWxjbsjdHwFLAmvS2PoRORcvGgNtZDdbQh6wmuRtfxZ0e10Dn/ZIl9GBfSe2Skc7FnuOJw+8MQ3lv3rK5+bQHqMyFdYa3L7tl/xK8eHHQZ441sbTA0Qxy6ZS1TrMuYcbTLRK4MgJlIOPKkfe+Cis5qtm+hNKhtNuSvauyY6y6516QOZZmp
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: 282e30c8-8fa9-4671-320c-08d582fc1828
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(7021125)(5600026)(4604075)(3008032)(4534165)(7022125)(4603075)(4627221)(201702281549075)(7048125)(7024125)(7027125)(7028125)(7023125)(2017052603328)(7153060)(49563074)(7193020); SRVR:MWHPR14MB1663;
x-ms-traffictypediagnostic: MWHPR14MB1663:
x-microsoft-antispam-prvs: <MWHPR14MB1663B2942CE835FC0D6AE07183D90@MWHPR14MB1663.namprd14.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(102415395)(6040501)(2401047)(5005006)(8121501046)(3231220)(944501244)(52105095)(10201501046)(3002001)(93006095)(93001095)(6041288)(2016111802025)(20161123558120)(20161123560045)(20161123562045)(20161123564045)(6043046)(6072148)(201708071742011); SRVR:MWHPR14MB1663; BCL:0; PCL:0; RULEID:; SRVR:MWHPR14MB1663;
x-forefront-prvs: 06036BD506
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(346002)(376002)(39380400002)(366004)(39860400002)(189003)(199004)(13464003)(74316002)(2906002)(105586002)(305945005)(76176011)(55016002)(9686003)(5660300001)(25786009)(106356001)(3660700001)(8936002)(2950100002)(3846002)(7736002)(66066001)(99286004)(97736004)(68736007)(7696005)(6116002)(2900100001)(14454004)(33656002)(86362001)(2501003)(81156014)(81166006)(5250100002)(110136005)(59450400001)(53546011)(6246003)(316002)(229853002)(186003)(8676002)(3280700002)(99936001)(53936002)(26005)(478600001)(102836004)(6506007)(6436002)(19400905002); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR14MB1663; H:MWHPR14MB1376.namprd14.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 5BqorKB8IHjGZYHv/4Z8MAfF0zSttrSDXIoOLV2lIVn8zSbXfb4IiBli+qAqPZzMliYBBRgLlOXhZICsq2JFnVIKpEHueRe9uzLAmYXplYlJITjJcW28e7rfQ1zoJyyyDolqPvKQsfC7y5TSsDATKNqu0vpmDywhyNdoJMm7QpQnfF49IuFn/uW3RCYnm/q2V2FIsL1AdLGdInmKrjle0uVlDo3Z0jhRoymxYq9DCDylDHtbkT9RWzGKxCBSevDeBqhLkiF3CeSZGaL9bhZaHYv6Mm77rzFlSWCmHvtRV3mtvDjmtSmg8pMA0E/V/GlbAHONf/CNpzaLhF/sNhdFEQ==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"; boundary="----=_NextPart_000_0552_01D3B4AA.47FED780"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 282e30c8-8fa9-4671-320c-08d582fc1828
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Mar 2018 00:49:19.0356 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR14MB1663
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/IfLh7gIfPXwPiE7cI9lLz_9auL4>
Subject: Re: [Acme] I-D Action: draft-ietf-acme-tls-alpn-00.txt
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Mar 2018 00:49:25 -0000
That's a fair point. Although note that critical extension bugs don't tend to be of the "ignore critical extension" variety (though that happens), they tend to be of the "understand the critical extension for the purposes of rejecting it and then getting the logic backwards" or something similar. The self-signedness is probably the most important mitigating factor ... we might want to make sure that the draft has enough requirements to make sure that the margin of error is two to three software bugs in all compliant implementations, and is never just one. -Tim > -----Original Message----- > From: Jacob Hoffman-Andrews [mailto:jsha@eff.org] > Sent: Monday, March 5, 2018 5:42 PM > To: Tim Hollebeek <tim.hollebeek@digicert.com>; acme@ietf.org > Subject: Re: [Acme] I-D Action: draft-ietf-acme-tls-alpn-00.txt > > On 03/05/2018 04:37 PM, Tim Hollebeek wrote: > > I think we may come to regret using that trick so much. Such schemes > > are only one software bug away from having rather profound effects on > > trust decisions and the entire ecosystem. > This is a good point, but an important mitigating factor is that these are self- > signed certificates, as compared to CT's precertificates, which are signed by a > trusted issuer but poisoned. And they are only presented when the acme/1 > ALPN is negotiated. So you'd need three software bugs, each of which would be > a game-over bug on its own: > > - ignoring a critical extension > - trusting a self-signed certificate > - sending acme/1 ALPN for non-validation traffic
- [Acme] I-D Action: draft-ietf-acme-tls-alpn-00.txt internet-drafts
- Re: [Acme] I-D Action: draft-ietf-acme-tls-alpn-0… Tim Hollebeek
- Re: [Acme] I-D Action: draft-ietf-acme-tls-alpn-0… Jacob Hoffman-Andrews
- Re: [Acme] I-D Action: draft-ietf-acme-tls-alpn-0… Tim Hollebeek
- Re: [Acme] I-D Action: draft-ietf-acme-tls-alpn-0… Corey Bonnell