IETF Logo Mail Archive

Re: [Acme] [Technical Errata Reported] RFC8555 (6843)

James Kasten <jdkasten@umich.edu> Wed, 09 February 2022 15:26 UTC

Return-Path: <jdkasten@umich.edu>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CE653A0B1E for <acme@ietfa.amsl.com>; Wed, 9 Feb 2022 07:26:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qh5y5UjBt0q0 for <acme@ietfa.amsl.com>; Wed, 9 Feb 2022 07:26:09 -0800 (PST)
Received: from mail-qk1-x72d.google.com (mail-qk1-x72d.google.com [IPv6:2607:f8b0:4864:20::72d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 07B643A0AB9 for <acme@ietf.org>; Wed, 9 Feb 2022 07:26:07 -0800 (PST)
Received: by mail-qk1-x72d.google.com with SMTP id o12so1865544qke.5 for <acme@ietf.org>; Wed, 09 Feb 2022 07:26:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8Ynv/bj45HlNrsoUJhyKO3IF6RFb04+x2T+S1o/T758=; b=cuEwJHvgsFOB3N9i8jrUwaWPHbii86oZRlnAbtADm4fsl1mzUPIQx6c9H2+J0Gc27W quKXcZKl0fBCIva6vx8O5RC/T+pfKn8HV0TUySkppG/gLByDMTwUx8V8PtwwD7GGrZaQ juDkovnRTxlRMFIXWE8jtCRMroeDwTMiL/E6YwdD2nm9HN5oqFSl39ytSP/BpKeUKGo9 jS6Xw1O+3cfzicKmkCO0PkJbxdqjc0fDPf/2yurIJ+4iqe32PSYI4qyC91IX64JC8Lb3 yOVqB4Z+v8wl+EMDcAX2qy0zZnvil05YpZ3ify91iZzYWCjtC+GZUnsykUYWnXtutmNZ 6zRA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8Ynv/bj45HlNrsoUJhyKO3IF6RFb04+x2T+S1o/T758=; b=LRGRhxwevfIawGCPX2xcpvRdUU8bUuIyXGYA+Y0C65Slj865Sb28WljsbUDU3W4epB 3bNp8ZCNX0LxLzbB5uwnd05twp+yj0KgXqDtstD7PT5y54U2CuiAWwWHJsLNXzfA1jpL hW8cxsHJKHH4Po7veMap9GfIbXe8632hmjF2u4RJoBJTJE2+8nlk30KRZvM56vuZfLMQ ZCZau8GWMfDg1rXVQSeP16B/h+vwFu2XfXmsZ70kpUyR7+pUiKUG58MU36qeihi8V+Pu G5uJRYtZRFh3FE+/ZMlbJj9T8yNhzAYsRF7URVqyXYXDWTb4GwbOUXNFR1AHa+Zd25dp wBHA==
X-Gm-Message-State: AOAM532e6GB3qlZgpY3XBPqGn8hKqZhAFGoThOOJilOuufm3MlbhUNWM UCaeknWeqAr6CTdB5M48yDqdStmp+4Ns2QSES8wXIA==
X-Google-Smtp-Source: ABdhPJwsXa+SuwOeo0monQgBK0bciy37GQL1fP6e/uiCWcEOA6iu3hSL2XyYdOkBnk4w+odwqEgRaVQNjg/v0kwPRhw=
X-Received: by 2002:a05:620a:103c:: with SMTP id a28mr1347311qkk.413.1644420366102; Wed, 09 Feb 2022 07:26:06 -0800 (PST)
MIME-Version: 1.0
References: <20220208202323.A644DE9747@rfc-editor.org> <20220209065416.GT48552@kduck.mit.edu>
In-Reply-To: <20220209065416.GT48552@kduck.mit.edu>
From: James Kasten <jdkasten@umich.edu>
Date: Wed, 09 Feb 2022 07:25:54 -0800
Message-ID: <CAAEpsx8k3ysjYnj6cRYzepZnfZEsFv-emHpiz3bXG-hEW8NK_g@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Richard Barnes <rlb@ipv.sx>, Jacob S Hoffman-Andrews <jsha@eff.org>, Daniel McCarney <cpu@letsencrypt.org>, Roman Danyliw <rdd@cert.org>, decoole@nsa.gov, debcooley1@gmail.com, Yoav Nir <ynir.ietf@gmail.com>, IETF ACME <acme@ietf.org>, RFC Errata System <rfc-editor@rfc-editor.org>
Content-Type: multipart/alternative; boundary="000000000000c8849305d797735b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/QqCgzqlNhpIqFuonAL-QjCbjclU>
X-Mailman-Approved-At: Wed, 09 Feb 2022 07:28:38 -0800
Subject: Re: [Acme] [Technical Errata Reported] RFC8555 (6843)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Feb 2022 15:26:24 -0000

Hi Ben,

Thanks for the response.

Following redirects for the http-01 challenge is already recommended by the
RFC's Section 8.3
<https://datatracker.ietf.org/doc/html/rfc8555#section-8.3>.
```
The server SHOULD follow redirects when dereferencing the URL.
Clients might use redirects, for example, so that the response can be
provided by a centralized certificate management server.  See
Section 10.2 <https://datatracker.ietf.org/doc/html/rfc8555#section-10.2>
for security considerations related to redirects.
```

Section 10.4 <https://datatracker.ietf.org/doc/html/rfc8555#section-10.4>
also contains an additional warning or emphasis regarding redirects with
SSRF, so I included a generic reference to both for completeness.
```
However, if the attacker first sets the domain to one
they control, then they can send the server an HTTP redirect (e.g., a
302 response) which will cause the server to query an arbitrary URL.
...
```

I believe this errata resolves ambiguity in the current text. Popular ACME
CAs and clients are relying upon "http-01" challenge redirects from HTTP to
HTTPS today. As an author who is familiar with the origin of this text, my
intent was for it to read as "must be initiated" rather than "must be
completed" over HTTP. I am happy to hear others' thoughts. I do believe
deviating from this interpretation is extremely harmful for the HTTPS
ecosystem which I can elaborate on if desired.

Best,
James

On Tue, Feb 8, 2022 at 10:54 PM Benjamin Kaduk <kaduk@mit.edu> wrote:

> Is there particular guidance from Section 10 that you had in mind to
> justify the following of the redirect?
>
> In light of the role of errata reports as indicating errors in the
> specification at the time it was published, I think the processing options
> here are either "hold for document update" or "rejected".
>
> -Ben
>
> On Tue, Feb 08, 2022 at 12:23:23PM -0800, RFC Errata System wrote:
> > The following errata report has been submitted for RFC8555,
> > "Automatic Certificate Management Environment (ACME)".
> >
> > --------------------------------------
> > You may review the report below and at:
> > https://www.rfc-editor.org/errata/eid6843
> >
> > --------------------------------------
> > Type: Technical
> > Reported by: James Kasten <jdkasten@umich.edu>
> >
> > Section: 8.3
> >
> > Original Text
> > -------------
> > Because many web servers
> > allocate a default HTTPS virtual host to a particular low-privilege
> > tenant user in a subtle and non-intuitive manner, the challenge must
> > be completed over HTTP, not HTTPS.
> >
> >
> > Corrected Text
> > --------------
> > Because many web servers
> > allocate a default HTTPS virtual host to a particular low-privilege
> > tenant user in a subtle and non-intuitive manner, the challenge must
> > be initiated over HTTP, not HTTPS.
> >
> > Notes
> > -----
> > Completing the entire http-01 challenge over HTTP is unnecessary. The
> threat of default HTTPS virtual hosts is remediated by "initiating" the
> http-01 challenge over HTTP. Validation servers which redirect from HTTP to
> HTTPS should be permitted following the rest of the guidance within Section
> 10, Security Considerations.
> >
> > Instructions:
> > -------------
> > This erratum is currently posted as "Reported". If necessary, please
> > use "Reply All" to discuss whether it should be verified or
> > rejected. When a decision is reached, the verifying party
> > can log in to change the status and edit the report, if necessary.
> >
> > --------------------------------------
> > RFC8555 (draft-ietf-acme-acme-18)
> > --------------------------------------
> > Title               : Automatic Certificate Management Environment (ACME)
> > Publication Date    : March 2019
> > Author(s)           : R. Barnes, J. Hoffman-Andrews, D. McCarney, J.
> Kasten
> > Category            : PROPOSED STANDARD
> > Source              : Automated Certificate Management Environment
> > Area                : Security
> > Stream              : IETF
> > Verifying Party     : IESG
>

v2.23.0 | Report a Bug | By Email