Re: [Acme] Obtaining the Tor hidden service descriptor for draft-ietf-acme-onion
Q Misell <q@as207960.net> Fri, 13 October 2023 16:19 UTC
Return-Path: <q@as207960.net>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46EE1C14CE24 for <acme@ietfa.amsl.com>; Fri, 13 Oct 2023 09:19:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=as207960.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 48xaLa5PrkHf for <acme@ietfa.amsl.com>; Fri, 13 Oct 2023 09:19:53 -0700 (PDT)
Received: from mail-ed1-x533.google.com (mail-ed1-x533.google.com [IPv6:2a00:1450:4864:20::533]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01353C14F73F for <acme@ietf.org>; Fri, 13 Oct 2023 09:19:52 -0700 (PDT)
Received: by mail-ed1-x533.google.com with SMTP id 4fb4d7f45d1cf-53dd3f169d8so3972735a12.3 for <acme@ietf.org>; Fri, 13 Oct 2023 09:19:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=as207960.net; s=google; t=1697213991; x=1697818791; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=42UwnaSG1bL8EGZnxUl1hCyjJ1ZBzWeQ6GIiG8GS4r0=; b=G+SUep8hCuCU+35RvT3MmNVPFKrNoFb9yKUb8RLVWGESRlzZsnhGw4AvfhOQiRXkcj /4YDp5zXTfqP7f2XsZYwrIojVnDuBu9xHyyFouQ44+4FK5wNwe13Vygz8wfyxH9yMgDU 7WFJydPMjb/I+3zj0UTHlFcngPGkNiZHkVr6qG1TPbseI5/K1TXf2AMKTyAdlwrVbX8I cNaLn0HZaFUpfii68488U/i23OPdvWWnUitDGWaTTITqIeoAuJzL7EmQ3z70qCCpNuyJ oTBf7N+b+j09xpSo3GxfWGk//2bMY8YPV01d+zI7fXRSsJiiQ/GC0kiwdzDt5eQ+7lc7 BEvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697213991; x=1697818791; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=42UwnaSG1bL8EGZnxUl1hCyjJ1ZBzWeQ6GIiG8GS4r0=; b=h0AKNUuQkB8lqQQ22qjEJIWefw2lZVkQ610RGpP7+kQ4u8XXujHnnKfA4j0QE30IcU NVKzzmoCKP64QGS5A2uv9dYzCSU/Z17b/DrwXd02Fzsi8yHWNaXkW7eShg6FYVji8Mpp uX4DzSLBj5C+4zBcPi+/fRH+ozNPi6Dr5zVHU4URPdFT59RSL4kXXuzKSd3TBywL5d67 gOLjMUxshi+dh/G6bJe4t0MONUxLxiun3Sdq++E+grB5vMYGroxrNuCrTZMNq8IdMXJu UQo/iEXvVy8QTfvXt2saT2iLCgO9ay5vmQ1dYZUYCc4SxXcIBaX1kKZ1U4un+6VOlSmu 6wZw==
X-Gm-Message-State: AOJu0Yw2gxz2CR/phZiF34f1vi1HcM7LjR+hbMHKWUdFxhMZDybXKzIH /fkHAz85EYsDyy+rMGNmwubhPDJI5BBWhHPV0Na2CQ==
X-Google-Smtp-Source: AGHT+IH6OeeqAyWRrEutcSQDvQzQ3MONijt+aqc9/E6BGnBTxdFH4oKkUSGtut7tgdKzEOfP3Pxz16Nv9eYKxg/H7rA=
X-Received: by 2002:a05:6402:1250:b0:533:e314:20dd with SMTP id l16-20020a056402125000b00533e31420ddmr23152293edw.13.1697213990503; Fri, 13 Oct 2023 09:19:50 -0700 (PDT)
MIME-Version: 1.0
References: <CAMEWqGvnrgp=f4eO1nQ9hzzCnY2z-pxE8fyQvHnzTDYCx-jq6A@mail.gmail.com> <ZSWikYeVECjUrLM0@localhost> <CAMEWqGuJMA99nF8QCC+mJS3N1hSu3Gakvh+=bgo5H-VDgK8Z9g@mail.gmail.com>
In-Reply-To: <CAMEWqGuJMA99nF8QCC+mJS3N1hSu3Gakvh+=bgo5H-VDgK8Z9g@mail.gmail.com>
From: Q Misell <q@as207960.net>
Date: Fri, 13 Oct 2023 17:19:14 +0100
Message-ID: <CAMEWqGvN1n91eNZzZNfPQ89-Xoj-d9f_rPy0t_byneeDhxNStg@mail.gmail.com>
To: rhatto <rhatto@torproject.org>
Cc: Q Misell <q=40as207960.net@dmarc.ietf.org>, IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000031a7806079b6d84"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/MJeqOKTIeCZbFho8lRdDfsN1Xpo>
Subject: Re: [Acme] Obtaining the Tor hidden service descriptor for draft-ietf-acme-onion
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Oct 2023 16:19:57 -0000
I've found some time to specify in-band CAA, a quick first draft is in the working draft[1]. Looking forward to hearing people's thoughts. [1]: https://as207960.github.io/acme-onion/draft-ietf-acme-onion.html#name-alternative-in-band-present ------------------------------ Any statements contained in this email are personal to the author and are not necessarily the statements of the company unless specifically stated. AS207960 Cyfyngedig, having a registered office at 13 Pen-y-lan Terrace, Caerdydd, Cymru, CF23 9EU, trading as Glauca Digital, is a company registered in Wales under № 12417574 <https://find-and-update.company-information.service.gov.uk/company/12417574>, LEI 875500FXNCJPAPF3PD10. ICO register №: ZA782876 <https://ico.org.uk/ESDWebPages/Entry/ZA782876>. UK VAT №: GB378323867. EU VAT №: EU372013983. Turkish VAT №: 0861333524. South Korean VAT №: 522-80-03080. AS207960 Ewrop OÜ, having a registered office at Lääne-Viru maakond, Tapa vald, Porkuni küla, Lossi tn 1, 46001, trading as Glauca Digital, is a company registered in Estonia under № 16755226. Estonian VAT №: EE102625532. Glauca Digital and the Glauca logo are registered trademarks in the UK, under № UK00003718474 and № UK00003718468, respectively. On Tue, 10 Oct 2023 at 21:22, Q Misell <q@as207960.net> wrote: > Hi Silvio, > > Thanks for that info, that's quite helpful. > > I think the idea of allowing the client to just send the CAA lines signed > by its key would work well, and remove most if not all of the problems I've > been running into. > I'll work on implementing that in my draft, and see how difficult it'd be > to get that part only working in Boulder (as Let's Encrypt have already > indicated that they won't be implementing http-01 and tls-alpn-01 for > hidden services). > > Cheers, > Q > ------------------------------ > > Any statements contained in this email are personal to the author and are > not necessarily the statements of the company unless specifically stated. > AS207960 Cyfyngedig, having a registered office at 13 Pen-y-lan Terrace, > Caerdydd, Cymru, CF23 9EU, trading as Glauca Digital, is a company > registered in Wales under № 12417574 > <https://find-and-update.company-information.service.gov.uk/company/12417574>, > LEI 875500FXNCJPAPF3PD10. ICO register №: ZA782876 > <https://ico.org.uk/ESDWebPages/Entry/ZA782876>. UK VAT №: GB378323867. > EU VAT №: EU372013983. Turkish VAT №: 0861333524. South Korean VAT №: > 522-80-03080. AS207960 Ewrop OÜ, having a registered office at Lääne-Viru > maakond, Tapa vald, Porkuni küla, Lossi tn 1, 46001, trading as Glauca > Digital, is a company registered in Estonia under № 16755226. Estonian VAT > №: EE102625532. Glauca Digital and the Glauca logo are registered > trademarks in the UK, under № UK00003718474 and № UK00003718468, > respectively. > > > On Tue, 10 Oct 2023 at 20:14, rhatto <rhatto@torproject.org> wrote: > >> On Thu, Sep 07, 2023 at 04:55:51PM +0100, Q Misell wrote: >> > I've had some discussion recently with the Tor project on implementation >> > hurdles for draft-ietf-acme-onion. One concern that has been raised by >> a few is >> > the need to run a Tor client to validate requests, even with >> onion-csr-01, due >> > to the inclusion of CAA in the draft. >> >> Hi Q, and thanks for bringing this up. >> >> > One solution proposed to this is that the ACME client MAY[1] send the >> hidden >> > service descriptor to CA as part of the finalize request. The CA also >> MAY >> > require this, if they do not wish to run a Tor client. This, to my >> knowledge, >> > wouldn't reduce the security of the validation of CAA, as the descriptor >> > document is still cryptographically validated in the same way using the >> current >> > network consensus. Additionally the directory authorities that serve >> > descriptors are already non-trusted actors in Tor. >> > >> > The CA would still need a copy of the network consensus document to >> verify >> > the descriptor submitted by the client. Most directory authorities >> however >> > are reachable over standard HTTP over TCP, in addition to HTTP over Tor. >> > This would allow the CA to fetch the current consensus without any >> > connection to Tor. The consensus fetched this way would still be >> verified >> > against the trusted directory authorities of Tor[2]. >> >> Specifically, the "valid-after", "fresh-until", and "hsdir_interval" are >> the only consensus items needed to parse, decrypt and validate an Onion >> Service descriptor. >> >> > What are people's thoughts on this, and more importantly, what problems >> do >> > people see with this? >> >> After a lengthy discussion with Tor developers, we suggest the following >> options, prioritizing the least complex: >> >> 0. ACME clients MAY send "valid-after", "fresh-until" and "hs_interval" >> along with the descriptor, which would allow the ACME Server to verify >> CAA in a stateless way, without bootstrapping Tor to fetch the >> descriptor and without fetching the network consensus. >> >> 1. Only the descriptor is sent by the ACME client, so the ACME server >> would >> need to fetch and cache the network consensus. >> >> 2. The ACME client does not send the descriptor, leaving to the ACME >> server >> the job of fetching it, as stated on draft-ietf-acme-onion-00. >> >> For options 0 and 1 above, there are two ways that a consensus (or just >> the >> needed items) can be fetched either by ACME clients or servers: >> >> a. Through the Tor network, from one of many directory caches. >> >> As this involves bootstrapping Tor, it makes more sense for ACME >> clients to do this fetching, as clients are probably already connected >> to Tor in order to run an Onion Service or to make the ACME request >> through Tor. >> >> b. Doing HTTP over TCP, or HTTP over Tor to the directory authorities. >> >> While this is supported nowadays, it's not guaranteed to work in the >> long term, since this method is deprecated in favor of the approach >> above, and DirAuths may even stop serving the consensus directly by >> HTTP >> at some point. >> >> This also requires checking the DirAuths' signatures in the consensus >> document. >> >> > Should this be incorporated into the draft? >> >> Yes, we support this idea, but also note that, despite parsing and >> validating an .onion descriptor being relatively straightforward, it >> involves more code to be maintained. >> >> We understand that signed CAA parameters could be accepted directly in >> an ACME API request without reducing security and the need to process an >> entire descriptor. >> >> -- >> Silvio Rhatto >> pronouns he/him >> _______________________________________________ >> Acme mailing list >> Acme@ietf.org >> https://www.ietf.org/mailman/listinfo/acme >> >
- [Acme] Obtaining the Tor hidden service descripto… Q Misell
- Re: [Acme] Obtaining the Tor hidden service descr… rhatto
- Re: [Acme] Obtaining the Tor hidden service descr… Q Misell
- Re: [Acme] Obtaining the Tor hidden service descr… Q Misell
- Re: [Acme] Obtaining the Tor hidden service descr… Q Misell
- Re: [Acme] Obtaining the Tor hidden service descr… Seo Suchan
- Re: [Acme] Obtaining the Tor hidden service descr… Q Misell
- Re: [Acme] Obtaining the Tor hidden service descr… Seo Suchan
- Re: [Acme] Obtaining the Tor hidden service descr… Q Misell
- Re: [Acme] Obtaining the Tor hidden service descr… Seo Suchan