[Acme] Re: Update: draft-geng-acme-public-key-05
Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 24 April 2026 06:56 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: acme@mail2.ietf.org
Delivered-To: acme@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 9D066E22BD31 for <acme@mail2.ietf.org>; Thu, 23 Apr 2026 23:56:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1777013772; bh=ujzzwRvI1OA1Agg10Veyq+vMoKOMjeRk4ycO+T3Et44=; h=Date:From:To:Subject:References:In-Reply-To; b=O/Y5bg7zcy2u5TrC6QEwCBRLSqllwOK0ROQRJLGEEwX9filVu1jJvRTtvAdgG4Orx k8+5j4PLLpC1Un72EM0s753IfvaKyVG6pKV9L9WEYktAt0Wef6y8APioYbu8XYppGz jf3baF73EOt6dWd1yiwSufRimjAxF7xmBKs8Uk1o=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=welho.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id okkII_aoTwG3 for <acme@mail2.ietf.org>; Thu, 23 Apr 2026 23:56:11 -0700 (PDT)
Received: from smtp.dnamail.fi (sender001.dnamail.fi [83.102.40.178]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 4C916E22BCD8 for <acme@ietf.org>; Thu, 23 Apr 2026 23:56:05 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by smtp.dnamail.fi (Postfix) with ESMTP id 5108C2113901 for <acme@ietf.org>; Fri, 24 Apr 2026 09:55:58 +0300 (EEST)
X-Virus-Scanned: X-Virus-Scanned: amavis at smtp.dnamail.fi
Received: from smtp.dnamail.fi ([83.102.40.178]) by localhost (dmail-psmtp01.s.dnaip.fi [127.0.0.1]) (amavis, port 10024) with ESMTP id uB3slIbb7aYo for <acme@ietf.org>; Fri, 24 Apr 2026 09:55:57 +0300 (EEST)
Received: from LK-Perkele-VII2 (87-92-117-27.bb.dnainternet.fi [87.92.117.27]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: hliusvaa@dnamail.internal) by smtp.dnamail.fi (Postfix) with ESMTPSA id B5DFD2113FD5 for <acme@ietf.org>; Fri, 24 Apr 2026 09:55:57 +0300 (EEST)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp.dnamail.fi B5DFD2113FD5
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=welho.com; s=2025-03; t=1777013757; bh=8E8KMiS49NI6mcudNBzDqC8axLZjkl6pqUUHGHpc+Sc=; h=Date:From:To:Subject:References:In-Reply-To:From; b=Ajr9hK5NmmDIvCzsRHWkhk1oL7LtCp/EuNcUo9413hb+jDDRtrUx3l9/4KexIctCl a7/3yboLYuZqGjEu98hfc2xbzfmeC4cE4Wv1/oXcAy5W1ChOeyK8QcwJhoUsi/ORR/ XiFRxMugzHoQysBoZ3RtmnO9jxMrzuCDu6HCHn8nQRPjtHg/EQkjChQyiXY0mXz8oG kOy27MtHNnPSD5mNw1iOU+zf2V73DSQyVxF/tPO4Jyympx9h6FzzqZAj8TCyd2MFY1 ZoALUfgLm21WadbJ7m9UQH5tDgjPFV0FOH8Vmlgwv13cfz5/S2mdUe9z6b6KluEzRj H8Lw+vHuIq2tw==
Date: Fri, 24 Apr 2026 09:55:57 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: IETF ACME <acme@ietf.org>
Message-ID: <aesT_YeilmiR13AW@LK-Perkele-VII2.locald>
References: <CAB=Y13dw+m7Oc4JPi+dk77tNZ=xJf05WRefd2fjRdOvz_qJjyA@mail.gmail.com> <ac6pUlXmhEOFYmFB@LK-Perkele-VII2.locald> <CAB=Y13fioUaCzpWJ8OCs=_F3YH7V6h6M4-2X1rDFubnT4JX-gQ@mail.gmail.com> <adn3p_LBRjS8dOSv@LK-Perkele-VII2.locald> <8060EBF4-CC67-44B0-8221-42170B8F0C0A@trustasia.com> <CAKZgXHpvSY=Daz8gqw0D6=A_sHzW+7jtarDKz3Po7ppKz99ZMQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAKZgXHpvSY=Daz8gqw0D6=A_sHzW+7jtarDKz3Po7ppKz99ZMQ@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Message-ID-Hash: S5AF3G7IMI34LCW5LTMIWZX4HMVCADT6
X-Message-ID-Hash: S5AF3G7IMI34LCW5LTMIWZX4HMVCADT6
X-MailFrom: ilariliusvaara@welho.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-acme.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Acme] Re: Update: draft-geng-acme-public-key-05
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/J6_a3cOU3mMgCdn8W5c_L96HPKA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Owner: <mailto:acme-owner@ietf.org>
List-Post: <mailto:acme@ietf.org>
List-Subscribe: <mailto:acme-join@ietf.org>
List-Unsubscribe: <mailto:acme-leave@ietf.org>
On Thu, Apr 23, 2026 at 06:41:05PM -0500, Mike Ounsworth wrote:
> Hi,
>
> > We have considered adding a "direct" delivery mode where the client
> includes the proof inline in the challenge response POST body. This is
> technically straightforward and we agree it would simplify both client and
> server implementations. However, it comes with an important security
> trade-off: direct delivery only proves key possession — it provides no
> evidence that the submitting party controls the named domain. We believe
> this distinction is significant enough to warrant explicit treatment in the
> draft rather than leaving it implicit.
>
> I have not yet reviewed the new draft version, but just based on this
> comment, this design seems anti-modular design. The ACME protocol already
> has robust mechanisms for proving domain control.
What I think is much simpler way to do the verification:
- For signature keys:
* The challenge object in pk authorization contains nonce.
* The ACME client POSTs TLS 1.3 signature for the nonce and
sha256 hash of raw new order payload.
* The ACME server verifies the signature.
- For KEM keys:
* The challenge object in pk authorization contains challenge
ciphertext.
* The ACME client decapsulates the challenge ciphertext and POSTs
MAC of context and sha256 of the raw new order payload made using
the shared key.
* The ACME server verifies the MAC using the shared key.
Using raw newOrder payload avoids any C16N and also includes things
like ACME profiles or future extensions.
A proxy can still sign the newOrder request, since the needed fields
(kid, nonce, url, etc.) are in the header, not in the payload.
If a proxy tries to change the newOrder request, the signature or MAC
will be wrong, and the validation fails.
A proxy can not replay challenge responses across orders, since each
order has unique pk authorization (the whole thing will not work
otherwise!), and each pk authorization has unique nonce or challenge
ciphertext.
-Ilari
- [Acme] Update: draft-geng-acme-public-key-05 吴攀雨
- [Acme] Re: Update: draft-geng-acme-public-key-05 Ilari Liusvaara
- [Acme] Re: Update: draft-geng-acme-public-key-05 吴攀雨
- [Acme] Re: Update: draft-geng-acme-public-key-05 Ilari Liusvaara
- [Acme] Re: Update: draft-geng-acme-public-key-05 palos.chen
- [Acme] Re: Update: draft-geng-acme-public-key-05 Mike Ounsworth
- [Acme] Re: Update: draft-geng-acme-public-key-05 皮皮猪
- [Acme] Re: Update: draft-geng-acme-public-key-05 Ilari Liusvaara
- [Acme] Re: Update: draft-geng-acme-public-key-05 皮皮猪
- [Acme] Re: Update: draft-geng-acme-public-key-05 Ilari Liusvaara
- [Acme] Re: Update: draft-geng-acme-public-key-05 Mike Ounsworth
- [Acme] Re: Update: draft-geng-acme-public-key-05 皮皮猪
- [Acme] Re: Update: draft-geng-acme-public-key-05 Tim Hollebeek
- [Acme] Re: Update: draft-geng-acme-public-key-05 皮皮猪