[Acme] Obtaining the Tor hidden service descriptor for draft-ietf-acme-onion

Q Misell <q@as207960.net> Thu, 07 September 2023 15:56 UTC

From: Q Misell <q@as207960.net>
Date: Thu, 07 Sep 2023 16:55:51 +0100
Message-ID: <CAMEWqGvnrgp=f4eO1nQ9hzzCnY2z-pxE8fyQvHnzTDYCx-jq6A@mail.gmail.com>
To: IETF ACME <acme@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/LMYC_Ou41E_9RuaVSYPr7SIhCCc>
Subject: [Acme] Obtaining the Tor hidden service descriptor for draft-ietf-acme-onion

Hi all,

I've had some discussion recently with the Tor project on implementation
hurdles for draft-ietf-acme-onion. One concern that has been raised by a
few is the need to run a Tor client to validate requests, even with
onion-csr-01, due to the inclusion of CAA in the draft.

One solution proposed to this is that the ACME client MAY[1] send the
hidden service descriptor to the CA as part of the finalize request. The CA
also MAY require this, if they do not wish to run a Tor client. This, to my
knowledge, wouldn't reduce the security of the validation of CAA, as the
descriptor document is still cryptographically validated in the same way
using the current network consensus. Additionally the directory authorities
that serve descriptors are already non-trusted actors in Tor.

The CA would still need a copy of the network consensus document to verify
the descriptor submitted by the client. Most directory authorities however
are reachable over standard HTTP over TCP, in addition to HTTP over Tor.
This would allow the CA to fetch the current consensus without any
connection to Tor. The consensus fetched this way would still be verified
against the trusted directory authorities of Tor[2].

What are people's thoughts on this, and more importantly, what problems do
people see with this? Should this be incorporated into the draft?


[1]: BCP 14 MAY
[2]: https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt

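An added example, not part of the original message or of the draft: checks a CA could run on a consensus fetched over plain HTTP before using it to validate a client-submitted descriptor, namely liveness, listed signers against its trusted authority set, and the hidden-service time period derived from valid-after as in rend-spec-v3. The sample consensus, the fingerprints in TRUSTED and the function names are constructed for illustration, and verifying each directory-signature against the authority's signing key is assumed to be done separately.

```python
from datetime import datetime, timezone

# Placeholder authority identity fingerprints (constructed, not real authorities).
TRUSTED = {"A" * 40, "B" * 40, "C" * 40}

# Constructed sample: only the consensus lines this check reads (dir-spec format).
SAMPLE_CONSENSUS = "\n".join([
    "network-status-version 3",
    "vote-status consensus",
    "valid-after 2023-09-07 15:00:00",
    "fresh-until 2023-09-07 16:00:00",
    "valid-until 2023-09-07 18:00:00",
    "params hsdir-interval=1440",
    "directory-signature " + "A" * 40 + " " + "1" * 40,
    "directory-signature sha256 " + "B" * 40 + " " + "2" * 40,
    "directory-signature sha256 " + "F" * 40 + " " + "3" * 40,  # unknown signer
])

def parse_consensus(text):
    """Extract validity times, hsdir-interval and listed signer identities."""
    info = {"signers": set(), "hsdir_interval": 1440}  # 1440 min is the default
    for line in text.splitlines():
        kw, _, rest = line.partition(" ")
        if kw in ("valid-after", "fresh-until", "valid-until"):
            ts = datetime.strptime(rest, "%Y-%m-%d %H:%M:%S")
            info[kw] = ts.replace(tzinfo=timezone.utc)
        elif kw == "params":
            params = dict(p.split("=", 1) for p in rest.split())
            info["hsdir_interval"] = int(params.get("hsdir-interval", 1440))
        elif kw == "directory-signature":
            # Fields: [algorithm] identity signing-key-digest
            info["signers"].add(rest.split()[-2].upper())
    return info

def precheck(info, now, trusted=TRUSTED):
    """True if the consensus is live at `now` and lists signatures from more
    than half of the trusted authorities. Signature bytes are NOT verified here."""
    live = info["valid-after"] <= now <= info["valid-until"]
    listed = info["signers"] & trusted
    return live and len(listed) > len(trusted) // 2

def time_period(info):
    """Time period number from valid-after, with the 12-hour rotation offset."""
    minutes = int(info["valid-after"].timestamp()) // 60
    return (minutes - 12 * 60) // info["hsdir_interval"]
```

A consensus that fails `precheck` should be rejected before any descriptor is examined; one that passes still needs its signatures verified.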