Re: [Acme] [Technical Errata Reported] RFC8555 (6317)
Seo Suchan <tjtncks@gmail.com> Wed, 03 January 2024 14:13 UTC
Return-Path: <tjtncks@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8F00C337C9B for <acme@ietfa.amsl.com>; Wed, 3 Jan 2024 06:13:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.603
X-Spam-Level:
X-Spam-Status: No, score=-6.603 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 65RlX5DbVABH for <acme@ietfa.amsl.com>; Wed, 3 Jan 2024 06:13:06 -0800 (PST)
Received: from mail-pf1-x42c.google.com (mail-pf1-x42c.google.com [IPv6:2607:f8b0:4864:20::42c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2784C337C82 for <acme@ietf.org>; Wed, 3 Jan 2024 06:13:06 -0800 (PST)
Received: by mail-pf1-x42c.google.com with SMTP id d2e1a72fcca58-6d9b2c8e2a4so336854b3a.0 for <acme@ietf.org>; Wed, 03 Jan 2024 06:13:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1704291186; x=1704895986; darn=ietf.org; h=content-transfer-encoding:mime-version:message-id:references :in-reply-to:user-agent:subject:to:from:date:from:to:cc:subject:date :message-id:reply-to; bh=1oygjTvRLr0JLcQDggnafgmUyRwOFhITD895ClQWGQE=; b=KlbwftgJmAQPbvSWtDX8NttzEd6nnTLLjDmknWR60jqotncALXqJ3KfAgHGiqSg5XH C7BvIK5ghv16WH5f/IZH+txTciUsaC1Yd/Q48da5zPU//lsPLdTxIjU+x7/1BnZpdQaI qMnFAjSX29yaf1WEIqQqsey7zEIyq1Zv8/USuZVkl4SVl98vBQnntK6PMMjODXGa5JBN BAFSWvqdAjWGhcnr0ufTS8eaABpkeOojLYsuwR28A8SYL7rU2DkxuEpW9xqNFdGeF/IT 2VHKwcQ87Xzpm+K84Bvk8DNyFwPsOjgpMpSFcCmZdKBMe0gbBO2Dknl/+YlJD/hiU0+k MB5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704291186; x=1704895986; h=content-transfer-encoding:mime-version:message-id:references :in-reply-to:user-agent:subject:to:from:date:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=1oygjTvRLr0JLcQDggnafgmUyRwOFhITD895ClQWGQE=; b=RMbHHIWfiAQe/N/0rl3Z6yAY+wjlPU8tzT83lyjIn4qWjedJPR1rW3DmpPiLICyTtp AwO1qBqXU4wn/7SjkNXaNSJu0+/T2gPb36ynUfq4eIp/4wt04kXLXu6BAgIinJiYkVPx SM4ri7ZzrngidnNx/lweweTvGt160WF+Arw4/GDqdoqKRQGcW8il8g4ByUJmsvIVYFNE APNOYNx/HlBHdxgxihL2Zv72Gwe0JSvjSdcoYblVQrFOgiekGLkzLyqhcO3XLJ/ipi4R kFsxaOKAj0tG+CumWJSVGSZxnaVBOnBSyjIm7lN2UOzyfpMR+t0i0Sjsluo4srduYM9k qNCg==
X-Gm-Message-State: AOJu0YzeDBTyuUO2l9RaLPV0hf52puytf+3X5ZMswyBY/6jd+iiuQPFl zDotob6hyLEe+l9/hvxs4iAOkqZ2rr4=
X-Google-Smtp-Source: AGHT+IFbw0/axjTbM5gM+g9E4Y3OWRAqN7y6+B+uX5f4MbszAxWBinNMdQoanagJNeaKhjoooguOXQ==
X-Received: by 2002:a05:6a20:e112:b0:198:f146:bd10 with SMTP id kr18-20020a056a20e11200b00198f146bd10mr343886pzb.33.1704291185445; Wed, 03 Jan 2024 06:13:05 -0800 (PST)
Received: from ?IPv6:::1? ([2406:5900:1038:12bf:c861:d965:4cd9:8ddf]) by smtp.gmail.com with ESMTPSA id fn2-20020a056a002fc200b006d99f930607sm19920423pfb.140.2024.01.03.06.13.04 for <acme@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 03 Jan 2024 06:13:05 -0800 (PST)
Date: Wed, 03 Jan 2024 23:13:01 +0900
From: Seo Suchan <tjtncks@gmail.com>
To: acme@ietf.org
User-Agent: K-9 Mail for Android
In-Reply-To: <CAGgd1OcBrF-W_rktuTyCNnC_8-tU2i5VQSLAUoc_mw-aZTSANQ@mail.gmail.com>
References: <20201023221949.B6009F4072C@rfc-editor.org> <CAGgd1OcBrF-W_rktuTyCNnC_8-tU2i5VQSLAUoc_mw-aZTSANQ@mail.gmail.com>
Message-ID: <50047612-01A3-436F-A940-6CAE115F2AD9@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----8CADTTGEIJXLDE0CDADE03QRSEACZ4"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/SC1d65HeJiTsN0Qu4gwmaNoLPl4>
Subject: Re: [Acme] [Technical Errata Reported] RFC8555 (6317)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jan 2024 14:13:10 -0000
While looks sensible I wonder if how many clients pulling on auth instead of challanges: Those client will pull without limit if this behavior applied to CA For example this client do watch auths status instead of challenge itself. https://github.com/diafygi/acme-tiny/blob/c29c0f36cedbca2a7117169c6a9e1f166c501899/acme_tiny.py#L151 On 2024년 1월 3일 오후 9시 30분 5초 GMT+09:00, Deb Cooley <debcooley1@gmail.com> 작성함: >This is the last errata I'll pester you with today. This one seems >sensible. Please confirm or enlighten me. > >Deb > >On Fri, Oct 23, 2020 at 7:07 PM RFC Errata System <rfc-editor@rfc-editor.org> >wrote: > >> The following errata report has been submitted for RFC8555, >> "Automatic Certificate Management Environment (ACME)". >> >> -------------------------------------- >> You may review the report below and at: >> https://www.rfc-editor.org/errata/eid6317 >> >> -------------------------------------- >> Type: Technical >> Reported by: Matthew Holt <matt@lightcodelabs.com> >> >> Section: 7.5.1 >> >> Original Text >> ------------- >> The server is said to "finalize" the authorization when it has >> completed one of the validations. >> >> Corrected Text >> -------------- >> The server is said to "finalize" the authorization when it has >> successfully completed one of the validations or failed all of >> them. >> >> Notes >> ----- >> The current handling of failed challenges is ambiguous, or at least >> inefficient. >> >> To get a certificate, a client creates an Order. The client then has to >> validate all Authorizations ("authzs"). For each Authorization, the client >> needs to successfully complete one of the offered Challenges. One >> successful Challenge is sufficient to validate the authz. However, >> currently in practice, one failed Challenge is sufficient to invalidate the >> authz, and thus the entire Order. To try another Challenge, the client then >> has to first deactivate the other Authorizations (expensive) and create a >> new Order (also expensive), then repeat the whole process, remembering what >> was already tried. >> >> It is proposed that an Authorization MUST NOT be finalized until all >> possible challenges have failed. The client could then simply try the next >> Challenge. In other words, a single failed Challenge should not invalidate >> an authz; an authz should be "pending" until all offered challenges have >> failed or one has succeeded. >> >> The spec should be clear that a single failed challenge is not sufficient >> to finalize an authz which has multiple possible challenges. >> >> ACME servers see many, many failed validations. ACME clients need to keep >> more state. This change will speed up ACME transactions, lower costs for >> CAs, reduce code complexity, and make ACME more reliable on the whole. >> >> Real-world experience: >> https://github.com/mholt/acmez/commit/80adb6d5e64a3d36a56c58c66965b131ea366b8c >> Mailing list discussion: >> https://mailarchive.ietf.org/arch/msg/acme/wIHaqikTCZ59zrWsUUus8lZ4VSg/ >> >> Instructions: >> ------------- >> This erratum is currently posted as "Reported". If necessary, please >> use "Reply All" to discuss whether it should be verified or >> rejected. When a decision is reached, the verifying party >> can log in to change the status and edit the report, if necessary. >> >> -------------------------------------- >> RFC8555 (draft-ietf-acme-acme-18) >> -------------------------------------- >> Title : Automatic Certificate Management Environment (ACME) >> Publication Date : March 2019 >> Author(s) : R. Barnes, J. Hoffman-Andrews, D. McCarney, J. Kasten >> Category : PROPOSED STANDARD >> Source : Automated Certificate Management Environment >> Area : Security >> Stream : IETF >> Verifying Party : IESG >> >> _______________________________________________ >> Acme mailing list >> Acme@ietf.org >> https://www.ietf.org/mailman/listinfo/acme >>
- [Acme] [Technical Errata Reported] RFC8555 (6317) RFC Errata System
- Re: [Acme] [Technical Errata Reported] RFC8555 (6… Deb Cooley
- Re: [Acme] [Technical Errata Reported] RFC8555 (6… Seo Suchan
- Re: [Acme] [Technical Errata Reported] RFC8555 (6… Ilari Liusvaara
- Re: [Acme] [Technical Errata Reported] RFC8555 (6… Aaron Gable
- Re: [Acme] [Technical Errata Reported] RFC8555 (6… Jacob Hoffman-Andrews