IETF Logo Mail Archive

Re: [Acme] Issuing certificates based on Simple HTTP challenges

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 16 December 2015 20:27 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1994D1A89A9 for <acme@ietfa.amsl.com>; Wed, 16 Dec 2015 12:27:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aVxvTm90m290 for <acme@ietfa.amsl.com>; Wed, 16 Dec 2015 12:27:37 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 270CC1A89A8 for <acme@ietf.org>; Wed, 16 Dec 2015 12:27:37 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id C870CBE54; Wed, 16 Dec 2015 20:27:35 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tZEj6sRlku8z; Wed, 16 Dec 2015 20:27:33 +0000 (GMT)
Received: from [10.87.48.91] (unknown [86.46.31.96]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 45FF1BE7D; Wed, 16 Dec 2015 20:27:33 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1450297653; bh=AQZwjNgxC0WXAz7Kd+/gfwVM/o9EeiNOpj7Ul4AlktY=; h=Subject:To:References:From:Date:In-Reply-To:From; b=rbPEojeQutW+Rwx8nGjqTzO4C66/K1dUf8sZUbmy2DhP9RW4xuM8YNFrtuAF26Pmx mYvlI9THBsS8dts0Xowqzeb7rtkWO1WdGz9TJ0Sw2i1lR5tS/FtLEPwuU93oA4mjnN fawADPqIh9IKzY2xhcbSxF2F5aEilBf8+7QG3N5k=
To: Michael Wyraz <michael@wyraz.de>, acme@ietf.org
References: <CAF+SmEpOLoaREymVhi=qOUg2opz1vKzzNp6tGrDTZAjYSKFDkg@mail.gmail.com> <566F15DC.7090607@wyraz.de> <6B677A87-C6A0-485E-80DF-24960D585F46@coderanger.net> <566F2CB5.90402@wyraz.de> <89774336-0BA6-48FC-821D-1E8F3ED9AC14@coderanger.net> <566F4701.7050308@wyraz.de> <F3DA31B1-B27C-4C63-8ED4-6D27D46FF282@coderanger.net> <C2C239F2-E8A7-499B-BE52-3A48EA92B86D@dropmann.org> <BF7F8411-3E83-4A1F-B3A1-4C37DC8B4618@coderanger.net> <3CDE1749-3143-49EE-BD66-0AE4A8CC4175@dropmann.org> <566FDAB7.2030403@cs.tcd.ie> <56700F68.3040103@wyraz.de> <56701904.2070009@cs.tcd.ie> <56702EFA.1050008@wyraz.de> <13B5E9A8-E9CE-4018-8A9D-7856CBF06B4F@coderanger.net> <CAMm+Lwhvf+nRVV38q1U1DKm1WStV1UJv4+EJ_zvq0G_Tb25S9w@mail.gmail.com> <2761E0B2-8DCC-4150-813F-8CAB756C0392@coderanger.net> <174B082E-2721-41AE-992D-2937DCCB74CB@dropmann.org> <894b0ad1f1c34184bbbc9133702ed474@usma1ex-dag1mb1.msg.corp.akamai.com> <5671BBB5.4050308@wyraz.de> <5671C174.5040004@cs.tcd.ie> <5671C562.9090803@wyraz.de>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <5671C92F.5060609@cs.tcd.ie>
Date: Wed, 16 Dec 2015 20:27:27 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <5671C562.9090803@wyraz.de>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="DEpUlFFsrdtsQmV7P67jtkAtiLjFhVGF3"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/V4EkltneA0UT4ug386DU5Eu598s>
Subject: Re: [Acme] Issuing certificates based on Simple HTTP challenges
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2015 20:27:40 -0000


On 16/12/15 20:11, Michael Wyraz wrote:
> Stephen,
> 
> I fear I have no idea what you mean with a "suffix list" and such. 

(Caveat: I'm very much an amateur at DNS issues, I hope someone
else provides a better/more accurate response if one's needed.)

Pretty much all mechanisms of the kind you envisage end up
requiring a way to allow the "real" authority for a set of
names to control what happens deeper in the hierarchy. So
tcd.ie could decide what cs.tcd.ie are allowed to do with
acme for example. That means you end up needing to know
roughly where the zone cuts are, which is a hard problem
in general. The public suffix list is how that's mostly
done in the web and dbound is (an IETF activity) trying to
tease apart the various uses of that.

So one of the problems with what you suggest is that the
"right" place to look for my web servers is two up in the
hierarchy and not the public suffix and not one up.

S.

> Maybe
> it's what Phillip pointed out in his mail a few minutes ago. I mean a
> SRV record for ACME challenge/response that replaces the A record for
> this use case if pressent.
> 
> Example:
> mydomain.com. IN A 1.1.1.1
> sub1.mydomain.com. IN A 2.2.2.2
> sub2.mydomain.com. IN A 3.3.3.3
> _acme-validate._tcp.sub2.mydomain.com. IN SRV 80 acme.mydomain.com.
> sub3.mydomain.com. IN A 4.4.4.4
> _acme-validate._tcp.sub3.mydomain.com. IN SRV 8080 sub3.mydomain.com.
> 
> 
> ACME server would expect the challenge's response:
> for mydomain.com at http://mydomain.com/.well-kown/...
> for sub1.mydomain.com at http://sub1.mydomain.com/.well-kown/...
> for sub2.mydomain.com at http://acme.mydomain.com/.well-kown/...
> for sub3.mydomain.com at http://sub3.mydomain.com:8080/.well-kown/...
> for subsub.sub2.mydomain.com at
> http://subsub.sub2.mydomain.com/.well-kown/...
> 
> That's exactly the way MX works for mail and SRV works for those
> services that uses it. It behaves exactly as with A, so if the zone contains
> other.mydomain.com. IN NS sometwherelse.com.
> This NS can A records as well as _acme-validate._tcp SRV records for
> other.mydomain.com and all it's subdomains.
> 
> So just don't add this SRV record and you will be as happy as you are at
> the moment (probably more happy since xmas is comming ;-) )
> 
> Kind regards,
> Michael.
> 
> 
> 
> 
>>
>> On 16/12/15 19:29, Michael Wyraz wrote:
>>> An optional ACME SRV record in the spec would make all happy:
>> tl;dr: No, it would not make me happy and I will object to it.
>>
>> Sorry about that but it's just a bad idea;-)
>>
>> We'd need something like the public suffix list for that to
>> work. I really don't want the basic mechanism for acme to
>> depend on dbound. [1] If someone suggests walking the DNS
>> tree to find the RR, then that'll not be accepted by DNS
>> folks - there's lots of history for how that discussion
>> goes.
>>
>> And even if/when the public suffix issue is sorted, it'd
>> still be a bad idea for people in my specific situation.
>> For example, a record in tcd.ie (which is the correct public
>> suffix) could prevent me from getting down.dsg.cs.tcd.ie certified
>> even though the nearest real DNS authority is for cs.tcd.ie who
>> probably would not publish such a record. That would push me
>> back to using self-signed certs which would mean that acme was
>> a step backwards, not forwards. Again, I don't know what the
>> numbers are like for folks in my situation, but every time I
>> have described it, people have recognised it as not uncommon.
>>
>> And even if none of that were an issue, I want (me and others)
>> to be able to use acme to deal with CAs without there being
>> a new complex RA interaction as a part of the basic mode of
>> operation. An optional SRV scheme would inevitably evolve to
>> have that level of complexity. In my case, cs.tcd.ie if they
>> wanted to publish such a record would need a way to point to
>> different PIs (i.e. people) in the department as being the
>> ones who were responsible for authorizing certification
>> requests. And those people would decide to delegate that to
>> some student, so we'd have all sorts of non-trivial delegation
>> issues to tackle if the SRV scheme is to be well-defined.
>> Even optional things need to be well-defined.
>>
>> By all means define an SRV based challenge but I will argue
>> strongly against it's inclusion as an option in the basic
>> mechanism. I will also argue against the basic mechanism
>> having any documentation dependency on such a scheme (because
>> I think it'll take 1-2 more years to get done right). OTOH,
>> if acme gets the basics done and soon and deployed, then I'll
>> be happy to try help with subsequent work on RA features.
>>
>> Cheers,
>> S.
>>
>> [1] https://tools.ietf.org/wg/dbound/
>>
> 
> 
> 
> 
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>

v2.23.0 | Report a Bug | By Email