Re: [Acme] Signature misuse vulnerability in draft-barnes-acme-04
yan <yan@eff.org> Wed, 12 August 2015 20:55 UTC
Message-ID: <55CBB2D8.2080504@eff.org>
Date: Wed, 12 Aug 2015 13:55:52 -0700
From: yan <yan@eff.org>
To: Richard Barnes <rlb@ipv.sx>, Andrew Ayer <agwa@andrewayer.name>
References: <20150811085205.bbcd37b3b0bb0482f6522b1a@andrewayer.name> <CAL02cgRf2M0Gkqymif-=rmNG0v9hhaMC2SBiXf-n5aYiRKBnmQ@mail.gmail.com>
In-Reply-To: <CAL02cgRf2M0Gkqymif-=rmNG0v9hhaMC2SBiXf-n5aYiRKBnmQ@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/SOUuNUErxL1M1RwEnQo7N5thfDI>
Cc: "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] Signature misuse vulnerability in draft-barnes-acme-04
On 8/11/15 10:52 PM, Richard Barnes wrote:
> Smallest diff change from the current document would be simply to
> explicitly require validation value bound to account key that created
> it -- not the one that signs the response. Since the attack requires
> that the attacker change keys (using recovery) after receiving the
> token, the attack only works if the validation is done against the new
> public key. This option introduces non-trivial implementation
> complexity, though, since the server now has to remember what key
> signed the new-authorization request that caused the challenges to be
> issued.

Doesn't it already have to remember this? The current instructions for
verifying a DNS challenge say:

"1. Verify the validation JWS using the account key for which this
challenge was issued."

Since the challenge was issued before the attacker initiated account
recovery to do the key change, the wording implies that the server
remembers the original key at validation time.
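To make the distinction concrete, here is an added illustration (not part of this thread, and not code from any ACME draft or implementation): a toy server that issues a challenge token, lets the account key be replaced through a recovery step, and then validates the response either against the account's current key or against the key recorded when the challenge was issued. The signature is a stand-in (HMAC with a per-key secret) for the JWS signed by the account key; the account id, key names and the `issued_under` field are made up for the example.

```python
"""Toy model of the check discussed above: a challenge must be validated
against the account key it was issued under, not the key the account has
at validation time.  Added example; the HMAC "signature" stands in for
the JWS/account-key signature of the draft, and the sequence of events
follows only the list discussion (key changed via recovery after the
token was received)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AccountKey:
    """Stand-in for an account key pair: `secret` plays the private key and,
    since this is an HMAC toy, also the verifier material held by the server."""
    kid: str
    secret: bytes

    @staticmethod
    def generate(kid: str) -> "AccountKey":
        return AccountKey(kid, secrets.token_bytes(32))

    def sign(self, msg: bytes) -> bytes:
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def verify(self, msg: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(msg), sig)


@dataclass
class Challenge:
    token: str
    account_id: str
    issued_under: AccountKey  # key the account had when the challenge was issued


class Server:
    def __init__(self) -> None:
        self.accounts: dict[str, AccountKey] = {}   # account_id -> current key
        self.challenges: dict[str, Challenge] = {}  # token -> challenge

    def register(self, account_id: str, key: AccountKey) -> None:
        self.accounts[account_id] = key

    def new_authorization(self, account_id: str) -> Challenge:
        # Record the issuing key alongside the token: this is the state the
        # server needs in order to verify "using the account key for which
        # this challenge was issued".
        token = secrets.token_urlsafe(16)
        ch = Challenge(token, account_id, self.accounts[account_id])
        self.challenges[token] = ch
        return ch

    def recover(self, account_id: str, new_key: AccountKey) -> None:
        # Account recovery replaces the account's key.
        self.accounts[account_id] = new_key

    def validate_current_key(self, token: str, sig: bytes) -> bool:
        # Weak reading: verify against whatever key the account has now.
        ch = self.challenges[token]
        return self.accounts[ch.account_id].verify(token.encode(), sig)

    def validate_issuing_key(self, token: str, sig: bytes) -> bool:
        # Bound reading: verify against the key recorded at issuance.
        ch = self.challenges[token]
        return ch.issued_under.verify(token.encode(), sig)


def scenario() -> dict[str, bool]:
    """Token issued under key A; account key swapped to key B via recovery;
    a response signed under B is then presented for validation."""
    srv = Server()
    key_a = AccountKey.generate("key-at-issuance")
    key_b = AccountKey.generate("key-after-recovery")
    srv.register("acct-1", key_a)
    ch = srv.new_authorization("acct-1")
    srv.recover("acct-1", key_b)
    sig_b = key_b.sign(ch.token.encode())
    sig_a = key_a.sign(ch.token.encode())
    return {
        "current_key_accepts_post_recovery_sig": srv.validate_current_key(ch.token, sig_b),
        "issuing_key_rejects_post_recovery_sig": not srv.validate_issuing_key(ch.token, sig_b),
        "issuing_key_accepts_original_sig": srv.validate_issuing_key(ch.token, sig_a),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```

The only extra state the bound variant needs is the `issued_under` reference stored with each challenge, which is exactly what "the account key for which this challenge was issued" already presupposes the server keeps.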