IETF Logo Mail Archive

Re: [Acme] HPKP in ACME

Aaron Zauner <azet@azet.org> Wed, 08 March 2017 13:46 UTC

Return-Path: <azet@azet.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A516129465 for <acme@ietfa.amsl.com>; Wed, 8 Mar 2017 05:46:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=azet.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Swkv_J234Nfq for <acme@ietfa.amsl.com>; Wed, 8 Mar 2017 05:46:50 -0800 (PST)
Received: from mail-wm0-x22f.google.com (mail-wm0-x22f.google.com [IPv6:2a00:1450:400c:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC6C012943C for <acme@ietf.org>; Wed, 8 Mar 2017 05:46:49 -0800 (PST)
Received: by mail-wm0-x22f.google.com with SMTP id n11so115259668wma.1 for <acme@ietf.org>; Wed, 08 Mar 2017 05:46:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=azet.org; s=gmail; h=subject:mime-version:from:in-reply-to:date:cc:message-id:references :to; bh=6zrZs0QjBQFZ7ZWvn4mBx39HhAy5CtujBj6vwKOsaPE=; b=dQrco/qjTg/6AlEx2sTgoyDMLyrcTD9/+vjdGUbNApYyDLiYL4WrU0dMpNmjOSJf0A 5fsK4vCCtbsba9Y6siTUt+Nq5VsWzkdKtrSpYqLMPYs199hQmmE0kuIchLLohlDwlEUU 15dX7b3qJvKAoMC+sxxXFyyKUFWmU74II/mt4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:mime-version:from:in-reply-to:date:cc :message-id:references:to; bh=6zrZs0QjBQFZ7ZWvn4mBx39HhAy5CtujBj6vwKOsaPE=; b=Hf8ygk49KWpxXY3p77+zUmY0BRruwsRK0hx7KhRdmvCygA1kpfegVOaiGEF53MHWWS CdViOjH1WGFPqgrNq85V5aWjnLvFkAYI/O7MYl0YCFqVQVzrR3j2Xmyv9eHw9ZMSRF8Y R9X7OzcALvOrXJN+OkUULkyy9iGAD81WZNt5VusSgm0OJOHvt0OdTQNTLVWVIyZMEKf1 MLjiq9vo5LXB0dlUKhrkdmUQq0oraNUAkke4lZVBIfVARKlbQBPxwDwu5H7+/8v7N6Ip 59CxriXrsmzT1WxkykEu+MMYYKSLfZv1tjNVdfHpN2/8jgc0vtpBf6hts3npsjiNXYNH gPhw==
X-Gm-Message-State: AMke39kib1wxVJDd2RKTrquUIz4UJ9rSlj/oxXkQBE/rpv/eWIe3KRLvuE0wPyE0L90qOg==
X-Received: by 10.28.62.144 with SMTP id l138mr5597527wma.50.1488980808275; Wed, 08 Mar 2017 05:46:48 -0800 (PST)
Received: from [192.168.1.101] ([41.251.2.162]) by smtp.gmail.com with ESMTPSA id v3sm4264325wrb.39.2017.03.08.05.46.38 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 08 Mar 2017 05:46:46 -0800 (PST)
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: multipart/signed; boundary="Apple-Mail=_C3471FC4-429A-4404-8078-3D48D6A704F9"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail
From: Aaron Zauner <azet@azet.org>
In-Reply-To: <59A14FBC-9208-42D5-9A1F-86DC7F665C5F@inria.fr>
Date: Wed, 08 Mar 2017 13:46:34 +0000
Message-Id: <3BABC7EA-37F3-4043-8BBF-04B7D3882909@azet.org>
References: <81377754-e24d-269d-0f48-ba37e55f8942@eff.org> <22DB918C-015D-48C8-9A5E-1D4BDC57DC84@azet.org> <20170303222502.GD31407@eff.org> <4816CEB7-A2A6-4DA2-800B-EBEFE8B3472F@azet.org> <59A14FBC-9208-42D5-9A1F-86DC7F665C5F@inria.fr>
To: Nadim Kobeissi <nadim.kobeissi@inria.fr>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/JczmxxSd8uPl-dMYA8Uj4_Cl2EQ>
Cc: Peter Eckersley <pde@eff.org>, Martin Thomson <martin.thomson@gmail.com>, Jacob Hoffman-Andrews <jsha@eff.org>, "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] HPKP in ACME
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Mar 2017 13:46:51 -0000

> On 07 Mar 2017, at 12:13, Nadim Kobeissi <nadim.kobeissi@inria.fr> wrote:
> 
>> 
>> On Mar 4, 2017, at 12:24 PM, Aaron Zauner <azet@azet.org> wrote:
>> 
>> 
>>> On 03 Mar 2017, at 22:25, Peter Eckersley <pde@eff.org> wrote:
>>> 
>>> On Fri, Mar 03, 2017 at 11:53:49AM +0000, Aaron Zauner wrote:
>>>> 
>>>>> On 13 Feb 2017, at 19:33, Jacob Hoffman-Andrews <jsha@eff.org> wrote:
>>>>> 
>>>>> Martin brought up a section I've been considering removing:
>>>>> 
>>>>>> Clients SHOULD support HTTP public key pinning [RFC7469], and servers
>>>>> SHOULD emit pinning headers.
>>>>> 
>>>>> Here's my reasoning:
>>>>> 
>>>>> - Public key pinning isn't implemented in most HTTPS libraries outside
>>>>> of browsers, so this is a considerable burden on implementers.
>>>>> - Public key pinning carries a fairly high risk of footgunning. The
>>>>> consequence of a failed pin for a CA that serves many ACME clients would
>>>>> be that some of those clients would fail to renew their certs, causing
>>>>> cascading breakage.
>>>>> - There is relatively little confidential information conveyed in ACME,
>>>>> and there are other defenses built into ACME (like including the account
>>>>> key as part of the challenge data), so HPKP is not strongly necessary.
>>>>> 
>>>>> Any objections?
>>>> 
>>>> I was the person who initially suggested adding HPKP, that was more than two
>>>> years ago. People get HPKP headers wrong constantly and thus lock themselves
>>>> or their users out of services, missing library support is - as you point
>>>> out - a problem and I don't see much interest within the community to add
>>>> HPKP. By now I consider HPKP failed tech. to be honest.
>>> 
>>> I don't think we should give up on HPKP completely just yet; the thing that's
>>> missing for site operators is a better toolchain for getting it right that
>>> protects against errors by humans in the loop.
>> 
>> It be cool if e.g. Certbot would reliably do that for Let's Encrypt users, I agree. But in general it seems that there's little interest by site operators (except really big ones) to actually deploy HPKP and, even more, maintain it. It seems to me that this isn't a knowledge gap, sys admins are well aware what the consequences are if they get pins wrong. I'm not aware of any project that automates this reliably at this time.
> 
> The nice thing about HPKP is that it allows site operators to do a strong assert on the authenticity of a bunch of certificates aside from the current one.

Yea, again: I was the person that proposed adding HPKP in the first place.

> As far as I know, this is the only simple currently available mechanism that would allow site operators to suddenly switch certificate and even certificate authorities without that switch being sudden and not backed up by some publicly verifiable chain of authenticity. Another cool side-note is that this chain of authenticity, if maintained throughout a bunch of HPKP-backed certificate rotations, becomes controlled more by the site operator themselves than the CA, which is interesting.

I think you're confusing HPKP with TACK. TACK had unique potential (especially for having more control on [perceived] trust for site operators). HPKP is a dummbed-down version of TACK fitted for HTTP headers, which turns out to have almost zero deployment. I'm not saying that TACK would have been the ultimate thing that would have gotten wide-spread deployment, but it would certainly have been easier to integrate that from the beginning with -- say -- server daemons and just deploy it via package upgrades. It's also much less likely that operators will DoS their services by mis-using pins with TACK.

> 
> Specifically since it is possibly the unique mechanism in which this can be accomplished, I think it deserves being kept for future integration, or at least not discounted so early on.
> 
> In my mind, HPKP integration into ACME is a matter of pooling engineering time. Integration can wait until, say, Let’s Encrypt engineers feel they have time on their hands, but the entire idea of HPKP shouldn’t be put down prematurely. It has unique potential.

Anyway, I feel that discussion on the whole topic isn't really productive anymore here. We all agree that HPKP has it's problems and there doesn't seem to be a timeline for integration in Certbot. As for the ACME spec.: I think we could go with OPTIONAL, but I have no problems with removing the paragraph.

Aaron

v2.23.0 | Report a Bug | By Email