Re: [Acme] Threat model for claiming domains

Rob Stradling <rob.stradling@comodo.com> Mon, 29 December 2014 11:48 UTC

Message-ID: <54A13F72.1090104@comodo.com>
Date: Mon, 29 Dec 2014 11:48:02 +0000
From: Rob Stradling <rob.stradling@comodo.com>
To: Richard Barnes <rlb@ipv.sx>
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/SmkGpcqLykB3_fnJ8BNaaavawto
Cc: "acme@ietf.org" <acme@ietf.org>

On 23/12/14 20:50, Richard Barnes wrote:
> On Tue, Dec 23, 2014 at 7:29 AM, Rob Stradling wrote:
>     On 22/12/14 14:29, Richard Barnes wrote:
>
>         Hey Rob,
>
>         Thanks for this.  The HTTP one looks more or less as I would have
>         expected.  We should probably tighten up the ACME one to look
>         more like it.
>
>         With regard to the DNS validation:
>         1. Is there a reason you guys use CNAME instead of TXT?
>
>     Hi Richard.  I don't recall any particularly good reason for why we
>     chose to use CNAME instead of TXT.  I think it was just a case of
>     sticking with what we knew would work and with what our customers
>     were more likely to already be familiar with.

Hi Richard.

Instead of using either CNAME or TXT for DNS-based domain validation in 
ACME, wouldn't it make more sense to use and extend CAA (RFC6844) ?

<snip>
>     IIUC, you're suggesting that there's a risk that Dreamhost might let
>     you register a CNAME record for <md5>.dreamhosters.com that points
>     to <sha1>.comodoca.com.
>     A colleague just said to me: "most shared hosts (like Dreamhost)
>     designate that subdomain you request for webhosting and that it's
>     incredibly unlikely (read: near-impossible) to get them to change
>     their DNS for that to point anywhere other than their shared hosting
>     servers."
>
> I can confirm that this is the case with Dreamhost, having just tried
> the experiment.  Nonetheless, this seems like kind of a fragile
> assumption, given that there do exist some less-clueful hosting providers.
>
> --Richard

We're not aware of any less-clueful hosting providers who break our 
assumption, but I agree that the assumption is fragile given that there 
are such a huge number of webhosts across the world.

Let me just reiterate that this...

>     BTW, the reason I came up with the idea of using CSR hashes was
>     because we were trying to work around patented domain control methods
>     that involve a CA-generated secret.

...was why we felt we had to make that fragile assumption.

If ACME can avoid making any fragile assumptions of this sort and can 
avoid infringing any patents, then I'll be happy.  :-)

<snip>

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
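As an added illustration of the CSR-hash CNAME method and the shared-host assumption discussed in this thread (example code written here, not Comodo's validator or anything from the ACME drafts): it assumes lowercase hex digests, the comodoca.com suffix named in the thread, and a constructed in-memory zone standing in for a real resolver.

```python
import hashlib
from typing import Callable, Dict, Optional, Tuple

# Constructed sample CSR bytes; a real check would hash the applicant's actual CSR.
SAMPLE_CSR = (b"-----BEGIN CERTIFICATE REQUEST-----\n"
              b"constructed-sample-csr\n"
              b"-----END CERTIFICATE REQUEST-----\n")

CA_SUFFIX = "comodoca.com"  # CA-side name the CNAME must point at (from the thread)


def expected_record(domain: str, csr: bytes) -> Tuple[str, str]:
    """Return (owner, target): <md5(csr)>.<domain> must be a CNAME to <sha1(csr)>.<CA_SUFFIX>.
    Lowercase hex encoding is an assumption; the thread only says <md5> and <sha1>."""
    md5_hex = hashlib.md5(csr).hexdigest()
    sha1_hex = hashlib.sha1(csr).hexdigest()
    return f"{md5_hex}.{domain}".lower(), f"{sha1_hex}.{CA_SUFFIX}".lower()


def validate_cname(domain: str, csr: bytes,
                   resolve: Callable[[str], Optional[str]]) -> Tuple[bool, str]:
    """CA-side check: look up the CNAME at the expected owner and compare its target.
    Note the limit the thread points out: this proves control of the <md5> label only.
    On a shared host where customers are handed '<label>.<host-domain>', a customer who
    could set that CNAME would pass validation for the host's own domain."""
    owner, target = expected_record(domain, csr)
    answer = resolve(owner)
    if answer is None:
        return False, "no CNAME at " + owner
    if answer.rstrip(".").lower() != target:
        return False, "CNAME points elsewhere: " + answer
    return True, "ok"


def build_zone(domain: str, csr: bytes,
               target_override: Optional[str] = None) -> Dict[str, str]:
    """Constructed zone with the single record the validator expects (or a wrong one)."""
    owner, target = expected_record(domain, csr)
    return {owner: target_override or target}


if __name__ == "__main__":
    # Applicant published the correct record for its own domain.
    print(validate_cname("example.com", SAMPLE_CSR, build_zone("example.com", SAMPLE_CSR).get))
    # Same check at a shared-host apex: passes on the record alone, which is the fragile
    # assumption (that the host will not let a customer create such a CNAME).
    print(validate_cname("dreamhosters.com", SAMPLE_CSR,
                         build_zone("dreamhosters.com", SAMPLE_CSR).get))
    # Missing record, and record pointing somewhere other than the CA's name.
    print(validate_cname("example.com", SAMPLE_CSR, {}.get))
    print(validate_cname("example.com", SAMPLE_CSR,
                         build_zone("example.com", SAMPLE_CSR, "www.example.net").get))
```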