IETF Logo Mail Archive

Re: [Acme] Add badPublicKey error

Richard Barnes <rlb@ipv.sx> Thu, 24 January 2019 16:09 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3302130F53 for <acme@ietfa.amsl.com>; Thu, 24 Jan 2019 08:09:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.04
X-Spam-Level:
X-Spam-Status: No, score=-2.04 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LGxgEN2p_2zl for <acme@ietfa.amsl.com>; Thu, 24 Jan 2019 08:09:23 -0800 (PST)
Received: from mail-ot1-x334.google.com (mail-ot1-x334.google.com [IPv6:2607:f8b0:4864:20::334]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46961130EC9 for <acme@ietf.org>; Thu, 24 Jan 2019 08:09:23 -0800 (PST)
Received: by mail-ot1-x334.google.com with SMTP id g16so1687220otg.11 for <acme@ietf.org>; Thu, 24 Jan 2019 08:09:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bAlnJXlDD6SqosoruFlLm5SRUrPpWGN/FDSRc1Bdpdg=; b=vAgq8jE4+/TiPYAuyAKaFfYHnalxC5LuZxrepRr8peogXnlWmMmo8kiJ0l3lKQ7Z77 hun0/QWzC1+27p6nI3oOZ+EEW2EIUsYUMWjsf5el7+XuGOJd9/miLyWJlxEoQ9FjQFix BTD8iM4eiTM39WqlYv79oOHZ2BkgTh3tkpHqP/OGnClNz5Lhx2qKWrKDJUB+0q35a5fQ 2NU1BVDwLaR+btxa25h5ar2r8abRN63F/MeCX2qTdbJxivVW9PrYJexMcUktPE/QbY1E uMk3zY80fimAnkfX/ZLBk5UqOUCPize06Xozd03ypXfZQOvvUaCBDR7Ml6jh9L27Gkz9 Jo2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bAlnJXlDD6SqosoruFlLm5SRUrPpWGN/FDSRc1Bdpdg=; b=WQPrcdIqnSMnU3dLdukxAGq7g13Z26HYXX4UJT9u3ywx6bfXDeMAsjNi3EmSmqj0ld ih0Okt8kdvhq8lEUi0t+yPwEFtOkb2JqBWV5juxmy/LU+6EeMXcQ+onHyenpiu8Eyb/b 9S2lePuKOBhTs4xSiv4rRnV72Q7R7InXFFPMfietJwn9ti/03Qf8wwpJqRUGotWuNpFe 2iQ17JqPpWPzzJO5nSOKPwfQf2r734vCUhdas+Rr7gVZXXegGD9k1UXJVEfWAx9GNDVq gJMLK1SkYb+ViwIZUMWNBfQmcxli0vLr/sHe+w+KosniQot1i2/Eqmx+wKq8dUfuAtzp /IIg==
X-Gm-Message-State: AJcUukfAt2WaSOynwnh87FDaFatO1ri6P0tJYx9ebGwgV+I+JVCjdywv A61mIXUJdAATNrBgfobWq4nig4P2MBnpmGrDCzaX1SZO
X-Google-Smtp-Source: ALg8bN5gZTWYTlCPJClOM3FqkrjDiVkoSDPqLg0VNE8syd/NrHpOEtZAotb0GKNp8UwZK8IQB9XDi3WIpW2cTJ0pSjM=
X-Received: by 2002:a9d:3a22:: with SMTP id j31mr4835160otc.238.1548346162190; Thu, 24 Jan 2019 08:09:22 -0800 (PST)
MIME-Version: 1.0
References: <D39A5FF3-5D2F-4C3D-9741-BB14A51E1744@akamai.com>
In-Reply-To: <D39A5FF3-5D2F-4C3D-9741-BB14A51E1744@akamai.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Thu, 24 Jan 2019 11:09:09 -0500
Message-ID: <CAL02cgQP1g-oBLp7F=p0OMmE1Dv_fkZ5MK-ju2LmbRc_QHScHA@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: Rob Stradling <rob@sectigo.com>, IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000fcae7b0580366e0d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Pa26apvp8QHJbQh8XQ8HDSnACyU>
Subject: Re: [Acme] Add badPublicKey error
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Jan 2019 16:09:26 -0000

On Thu, Jan 24, 2019 at 10:52 AM Salz, Rich <rsalz@akamai.com> wrote:

> As WG co-chair, I am not thrilled with making this addition so very very
> late in the process.  If the WG wants to do it, we'd need (a) clear
> consensus and (b) a quick approval from the IESG.
>

Note that since the registration policy is "specification required", doing
this in an extension spec instead would not require the consent of the IESG.



> As an individual, I dislike putting "here's what's wrong with your key" in
> the error message. For example, it encourages a thief to do "venue
> shopping" looking for a CA that will certify their stolen keypair.
>

I think you're confused here, Rich.  This error code relates to *account
keys*, not keys that are certified by the CA.

--Richard



>
> On 1/24/19, 9:27 AM, "Rob Stradling" <rob@sectigo.com> wrote:
>
>     I realize it's very late for making non-editorial changes to
>     draft-ietf-acme-acme, but I'd like to propose adding a new
> badPublicKey
>     error.  This error would be returned by the server whenever it does
> not
>     support, or wishes to reject, a "jwk" public key supplied in a
> client's
>     request.
>
>     Proposed text: https://github.com/ietf-wg-acme/acme/pull/478
>
>     The 'array of supported "alg" values' in a badSignatureAlgorithm
>     response is useful, but ISTM that it doesn't provide detailed enough
>     information to assist a client in generating a suitable public key.
>
>     (If the consensus is that it's too late to add a new error type, then
> my
>     alternative proposal will be to use "malformed" instead of adding
>     "badPublicKey", but keep the rest of PR 478 as is; I think it's a good
>     idea to call out the need for a server to sanity check each
>     client-supplied public key).
>
>     --
>     Rob Stradling
>     Senior Research & Development Scientist
>     Sectigo Limited
>
>     _______________________________________________
>     Acme mailing list
>     Acme@ietf.org
>     https://www.ietf.org/mailman/listinfo/acme
>
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>

v2.23.0 | Report a Bug | By Email