Re: [Acme] Adam Roach's Discuss on draft-ietf-acme-acme-14: (with DISCUSS and COMMENT)

"Fossati, Thomas (Nokia - GB/Cambridge)" <thomas.fossati@nokia.com> Fri, 31 August 2018 18:27 UTC

From: "Fossati, Thomas (Nokia - GB/Cambridge)" <thomas.fossati@nokia.com>
To: Felipe Gasper <felipe@felipegasper.com>, "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
CC: "acme@ietf.org" <acme@ietf.org>
Date: Fri, 31 Aug 2018 18:21:45 +0000
Message-ID: <AM2PR07MB06104D25EB511E72BACD8E62800F0@AM2PR07MB0610.eurprd07.prod.outlook.com>
References: <153560463159.14901.5253843942494748934.idtracker@ietfa.amsl.com> <CAL02cgS0_d5qfraPoN2rmrZ9qGqmVdGdHu_a8knNkFcD1kcwpQ@mail.gmail.com> <8b419e1e-1bea-a1c3-159f-ad049a6c113e@nostrum.com> <20180830154850.21a82df5@rovaniemi> <bcfd8b8d-2485-b170-f055-001a987af0e9@nostrum.com> <CAL02cgRrKjzV8NEEUyYf1Yg=Nz7fHoSc4yZupxL9A-p7v2LD0A@mail.gmail.com> <9E4B0F0F-F65A-44B4-A05B-3966F1F4C856@akamai.com>, <61C79A7C-A7C7-44BB-A2B8-1124D3F0FC0D@felipegasper.com>
In-Reply-To: <61C79A7C-A7C7-44BB-A2B8-1124D3F0FC0D@felipegasper.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/HiITSii4V4DA9PKyqy4Cx9rvKic>
Subject: Re: [Acme] Adam Roach's Discuss on draft-ietf-acme-acme-14: (with DISCUSS and COMMENT)

+1

As noted by Felipe, the implication that the service effectively
consuming the certificate has to have the ACME account's key at hand is
not always a practical, nor a particularly secure, arrangement.  (Another
example where this wouldn't work out particularly well is a single ACME
STAR certificate shared across multiple service instances in an HA
configuration.)

Broadly speaking, it looks like this is going to be problematic in all
cases where you'd want to decouple the certificate requester from the
certificate consumer roles.

In particular, I'm very concerned about the impact on STAR Requests.
In both its forms - as an ACME profile [1] as well as a standalone
protocol [2] - the design postulates that the certificate resource is
public.  This is a core precondition to allow delegation without sharing
credentials between the delegating and the delegated entities.  The
authenticated POST-as-GET access to the certificate resource completely
wrecks this architecture.

So, my question (just to be super clear: scoped only to the "POST-as-GET
certificate" part of the proposed change) is: Can we let the ACME user
decide whether to enable or disable this specific behaviour instead of
making it mandatory for everyone?

Cheers, thanks

[1] https://github.com/thomas-fossati/I-D/blob/acme-delegation-profile/STAR-Request/draft-sheffer-acme-star-delegation.md
[2] https://github.com/thomas-fossati/I-D/blob/acme-delegation-profile/STAR-Request/draft-sheffer-acme-star-request.md
________________________________________
From: Acme <acme-bounces@ietf.org> on behalf of Felipe Gasper <felipe@felipegasper.com>
Sent: 30 August 2018 20:17
To: Salz, Rich
Cc: acme@ietf.org
Subject: Re: [Acme] Adam Roach's Discuss on draft-ietf-acme-acme-14: (with DISCUSS and COMMENT)

Would it work to keep certificate fetches as plain GET?

In shared hosting environments it’s common for a privileged process to request certificates on behalf of user accounts. This avoids having 1,000s of ACME server registrations from a single server. While certificates are generally made available within seconds, theoretically the delay between request and issuance could be much longer (e.g., for OV/EV), such that it might be prudent for that privileged process to give the order ID to the user and have the user poll for the certificate, e.g., via cron.

-Felipe Gasper
Mississauga, Ontario


> On Aug 30, 2018, at 11:51 AM, Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org> wrote:
>
> It appears that we missed a security issue.
>
> Please take a look at the PR mentioned below.  It removes many GET requests and turns them into POST so that the client payload can have authentication information.
>
> If you object to this change, please post a note to the list and explain why.  Try to do that within a week.
>
> Thanks.
>
> From: Richard Barnes <rlb@ipv.sx>
> Date: Thursday, August 30, 2018 at 11:42 AM
> To: Adam Roach <adam@nostrum.com>
> Cc: "felix=40fontein.de@dmarc.ietf.org" <felix=40fontein.de@dmarc.ietf.org>, "acme@ietf.org" <acme@ietf.org>
> Subject: Re: [Acme] Adam Roach's Discuss on draft-ietf-acme-acme-14: (with DISCUSS and COMMENT)
>
> My preference here would be for approach (1).  I appreciate that it's a big change to make this late in the process, but that's the price we pay for missing a pretty significant issue up until now.  For existing implementations, the code impact should be modest, as long as they have been architected to isolate fetch logic (i.e., they have a get() method that you could just change to do the right POST thing).  And as long as we don't *forbid* responding to GET requests, servers can support both options for the time being.
>
> To illustrate what change we'd need to make, I went ahead and wrote up a PR:
>
> https://github.com/ietf-wg-acme/acme/pull/445
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme

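The "POST-as-GET" change the thread is arguing about replaces a bare GET of the certificate URL with a POST whose body is a JWS with an empty payload, signed with the ACME account key. The block below is an added example written for this archive page; it is not code from the thread, from the ACME draft or from any ACME implementation, and it reduces the exchange to the one mechanism under discussion. It assumes ES256 account keys, the flattened JWS serialization, and constructed kid, nonce and URL values. It shows, in working code, the coupling the message above objects to: a party that does not hold the account private key cannot fetch the certificate, and a captured request body cannot be reused because the nonce is consumed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

var b64 = base64.RawURLEncoding // JWS uses base64url without padding

// protectedHeader binds the request to an account (kid), a single-use nonce and the URL.
type protectedHeader struct {
	Alg   string `json:"alg"`
	Kid   string `json:"kid"`
	Nonce string `json:"nonce"`
	URL   string `json:"url"`
}
type flattenedJWS struct { // the JSON body the client POSTs
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// PostAsGet builds a POST-as-GET body: an empty payload signed with the account key.
// Whoever fetches the resource must therefore hold that key.
func PostAsGet(accountKey *ecdsa.PrivateKey, kid, nonce, url string) ([]byte, error) {
	hdr, _ := json.Marshal(protectedHeader{Alg: "ES256", Kid: kid, Nonce: nonce, URL: url})
	protected := b64.EncodeToString(hdr)
	payload := "" // the empty payload is what marks this POST as a GET-equivalent
	digest := sha256.Sum256([]byte(protected + "." + payload))
	r, s, err := ecdsa.Sign(rand.Reader, accountKey, digest[:])
	if err != nil {
		return nil, err
	}
	sig := make([]byte, 64) // JWS ES256 signature is the fixed-width r || s
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return json.Marshal(flattenedJWS{Protected: protected, Payload: payload, Signature: b64.EncodeToString(sig)})
}

type Server struct { // account public keys by kid, and issued but unused nonces
	Accounts map[string]*ecdsa.PublicKey
	Nonces   map[string]bool
}

// VerifyPostAsGet is the server-side check: empty payload, known account, signature
// valid under that account's key, URL match and fresh nonce. Returns the account kid.
func (s *Server) VerifyPostAsGet(body []byte, requestURL string) (string, error) {
	var jws flattenedJWS
	if err := json.Unmarshal(body, &jws); err != nil {
		return "", err
	}
	raw, hdrErr := b64.DecodeString(jws.Protected)
	sig, sigErr := b64.DecodeString(jws.Signature)
	if jws.Payload != "" || hdrErr != nil || sigErr != nil || len(sig) != 64 {
		return "", errors.New("not a well-formed POST-as-GET (payload must be empty)")
	}
	var hdr protectedHeader
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return "", err
	}
	pub, ok := s.Accounts[hdr.Kid]
	if !ok || hdr.Alg != "ES256" || hdr.URL != requestURL {
		return "", errors.New("unknown account, unexpected alg or url mismatch")
	}
	digest := sha256.Sum256([]byte(jws.Protected + "." + jws.Payload))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("signature does not verify under the account key")
	}
	if !s.Nonces[hdr.Nonce] {
		return "", errors.New("nonce unknown or already used")
	}
	delete(s.Nonces, hdr.Nonce) // single-use, so a captured body cannot be replayed
	return hdr.Kid, nil
}

// Demo plays the thread's roles against constructed values: the requester that holds
// the account key, a replay of its request, and a certificate consumer without the key.
func Demo() (requesterOK, replayOK, consumerOK bool) {
	const kid, certURL = "https://ca.example/acct/1", "https://ca.example/cert/abc" // constructed
	accountKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srv := &Server{map[string]*ecdsa.PublicKey{kid: &accountKey.PublicKey}, map[string]bool{"nonce-1": true, "nonce-2": true}}
	body, _ := PostAsGet(accountKey, kid, "nonce-1", certURL)
	_, err := srv.VerifyPostAsGet(body, certURL)
	requesterOK = err == nil
	_, err = srv.VerifyPostAsGet(body, certURL) // same body again: nonce already consumed
	replayOK = err == nil
	consumerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // not the account key
	body, _ = PostAsGet(consumerKey, kid, "nonce-2", certURL)
	_, err = srv.VerifyPostAsGet(body, certURL)
	return requesterOK, replayOK, err == nil
}

func main() {
	req, replay, cons := Demo()
	fmt.Printf("requester: %v, replay: %v, consumer: %v\n", req, replay, cons)
}
```

Run with `go run`; Demo reports the requester accepted and both the replay and the consumer rejected. That is the operational shape of the concern raised above: a delegated entity, an HA instance, or a cron job polling on a user's behalf can only fetch the certificate if it is handed the account private key or if the holder of that key proxies the fetch for it.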