IETF Logo Mail Archive

Re: [Acme] Issuing certificates based on Simple HTTP challenges

Michael Wyraz <michael@wyraz.de> Tue, 15 December 2015 13:02 UTC

Return-Path: <michael@wyraz.de>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E1A31A88BA for <acme@ietfa.amsl.com>; Tue, 15 Dec 2015 05:02:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.56
X-Spam-Level:
X-Spam-Status: No, score=-1.56 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mrfYcx-aK3Y2 for <acme@ietfa.amsl.com>; Tue, 15 Dec 2015 05:02:49 -0800 (PST)
Received: from mail.wyraz.de (web.wyraz.de [37.120.164.129]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFA501A88B4 for <acme@ietf.org>; Tue, 15 Dec 2015 05:02:35 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.wyraz.de (Postfix) with ESMTP id 8DD76A315B for <acme@ietf.org>; Tue, 15 Dec 2015 14:02:33 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at web.wyraz.de
Received: from mail.wyraz.de ([127.0.0.1]) by localhost (web.wyraz.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k8ftSqCskArq for <acme@ietf.org>; Tue, 15 Dec 2015 14:02:32 +0100 (CET)
Received: from [192.168.10.10] (ip5f5b4f75.dynamic.kabel-deutschland.de [95.91.79.117]) (Authenticated sender: michael@wyraz.de) by mail.wyraz.de (Postfix) with ESMTPSA id 58D42A315A for <acme@ietf.org>; Tue, 15 Dec 2015 14:02:32 +0100 (CET)
References: <CAF+SmEpOLoaREymVhi=qOUg2opz1vKzzNp6tGrDTZAjYSKFDkg@mail.gmail.com> <566F15DC.7090607@wyraz.de> <6B677A87-C6A0-485E-80DF-24960D585F46@coderanger.net> <566F2CB5.90402@wyraz.de> <89774336-0BA6-48FC-821D-1E8F3ED9AC14@coderanger.net> <566F4701.7050308@wyraz.de> <F3DA31B1-B27C-4C63-8ED4-6D27D46FF282@coderanger.net> <C2C239F2-E8A7-499B-BE52-3A48EA92B86D@dropmann.org> <BF7F8411-3E83-4A1F-B3A1-4C37DC8B4618@coderanger.net> <3CDE1749-3143-49EE-BD66-0AE4A8CC4175@dropmann.org> <566FDAB7.2030403@cs.tcd.ie>
From: Michael Wyraz <michael@wyraz.de>
X-Enigmail-Draft-Status: N1110
To: acme@ietf.org
Message-ID: <56700F68.3040103@wyraz.de>
Date: Tue, 15 Dec 2015 14:02:32 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <566FDAB7.2030403@cs.tcd.ie>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/Vhej6IWLVK9KNaqNBG0pgnSf8Yk>
Subject: Re: [Acme] Issuing certificates based on Simple HTTP challenges
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Dec 2015 13:02:52 -0000

Stephen,

I agree that getting things started I very important for lets encrypt.
But in my understanding, this is the mailing list for discussing the
ACME protocol, not the 1st implementation of it. So shouldn't we
think/discuss what comes after "now"?

IMO using SRV as an option for specifying which host/port (if any) is
responsible for ACME is a step in the right direction. It can be
optional which gives security-aware admins the possibility to make 
their system more safe without loosing comfort for those who don't care
a lot about security.

Have a look at all the discussions about "allow other ports than
80/443". People argue what could be safe ports for ACME and what not.
Why do an assumption instead of let people declare the port with a
fallback to 80/443.

Regards,
Michael.


>
> On 15/12/15 03:03, Julian Dropmann wrote:
>> I agree that the problem would still remain on a global scope, but
>> the argument, that there are other "dirty" CA's so we have to be
>> "dirty" too, is very questionable... at least...
>>
>> Is this a race to the bottom: The CA with lowest security standards
>> wins?
>>
>> Why should one trust any of those?
> I think you are not taking into account what I think is the
> point of acme. The overwhelming goals here are automation and
> real (*) deployment of a standards based way to manage PKI
> for the most popular applications using PKI.
>
> Once we get the above done, then the security/assurance bar
> can be raised over time in a useful manner. Today, it cannot,
> as the CAs only have p#10 in common really and the rest of
> what they do is effectively proprietary.
>
> So it is entirely valid here to argue that "same security as
> current WebPKI" is a good starting point.
>
> Cheers,
> S.
>
> (*) I say that as a co-author of RFC2510 and successors which
> was afaik the original but by no meanss the only failed attempt
> to do this. My experience with all of that tells ms that it is
> more important to prioritise initial deployment over almost all
> else.
>
>
>>> On 15 Dec 2015, at 03:32, Noah Kantrowitz <noah@coderanger.net>
>>> wrote:
>>>
>>> And the counter to that is the huge number of existing CAs that
>>> allow URL-based verification. We would pay the costs of increased
>>> complexity for setup (for example, the existing LE client would be
>>> totally impossible) but don't actually reap any benefits until the
>>> last of those CA shuts down. Hence, pragmatism with a bias towards
>>> improving accessibility. If the person running your website is
>>> actively hostile, they can probably get into some pretty serious
>>> mischief anyway :-/ (all of my arguments are absolutely dismissible
>>> as "slippery slope" fallacies for those playing along at home)
>>>
>>> --Noah
>>>
>>>> On Dec 14, 2015, at 6:20 PM, Julian Dropmann
>>>> <julian@dropmann.org> wrote:
>>>>
>>>> The important difference is, that only zones which intent to use
>>>> ACRE would create such an SRV record in the first place. With the
>>>> current design any A record host in the world can obtain certs.
>>>> By using an ACRE specific SRV record the domain owner at has at
>>>> least shown the intent to use ACRE for his zone. And also he
>>>> could limit it to a specific port number/service on that host. I
>>>> think this would be a very huge security improvement, and of the
>>>> verification quality in general, but only if this would not be an
>>>> optional thing.
>>>>
>>>>> On 15 Dec 2015, at 00:02, Noah Kantrowitz <noah@coderanger.net>
>>>>> wrote:
>>>>>
>>>>> It wouldn't matter anyway because even with a SRV delegation
>>>>> for the challenge, the final cert is still issued against only
>>>>> a hostname, not a specific service. Combined with the fact that
>>>>> there are existing CAs that do a rough equivalent of http-01
>>>>> and we can't expect that to go away any time soon, it isn't
>>>>> hard to see why pragmatism won out in the initial design.
>>>>> Fixing this for reals requires TLS-level protocol improvements
>>>>> for per-service certificates. Not against that, just saying
>>>>> you've got a long road ahead of you.
>>>>>
>>>>> --Noah
>>>>>
>>>>>> On Dec 14, 2015, at 2:47 PM, Michael Wyraz <michael@wyraz.de>
>>>>>> wrote:
>>>>>>
>>>>>> I thought about all the DNS stuff and came to the conclusion
>>>>>> that focussing ssl certs for https only and ignoring all the
>>>>>> rest may cause further security issues. E.g. if I delegate
>>>>>> http (via A-record or CNAME) to someone else, he can now
>>>>>> create valid ssl certs for my mail server which I did not
>>>>>> delegate. IMO A-record should be dedicated to http(s) (for
>>>>>> legacy reasons, see
>>>>>> http://stackoverflow.com/questions/9063378/why-do-browsers-not-use-srv-records)
>>>>>> and all other services (inclusing ACME) should use their own
>>>>>> srv records.
>>>>>>
>>>>>> Looks like a decision between comfort and security - let's
>>>>>> bet what will win...
>>>>>>
>>>>>>> Fair, adding a DNS-level opt-out would be a reasonable
>>>>>>> addition for future iterations, but not a hugely pressing
>>>>>>> issue given the expected use cases.
>>>>>>>
>>>>>>> --Noah
>>>>>>>
>>>>>>>
>>>>>>>> On Dec 14, 2015, at 12:55 PM, Michael Wyraz
>>>>>>>> <michael@wyraz.de> wrote:
>>>>>>>>
>>>>>>>> So just leave out the part with "then switch completely
>>>>>>>> from A to SRV" and allow both. This gives people the
>>>>>>>> comfort to use A/CNAME stuff while others who prefer
>>>>>>>> security use SRV. Both are happy, problem solved ;-)
>>>>>>>>
>>>>>>>>> Using normal A/CNAME records matches the default use
>>>>>>>>> case of HTTPS a lot more smoothly and allows a lot of
>>>>>>>>> cool transparent upgrade stuffs from folks like
>>>>>>>>> DreamHost or Fastly that already do the CNAME setup as
>>>>>>>>> part of user on-boarding and can run http-01 on the
>>>>>>>>> behalf of the user to set them up on an SNI
>>>>>>>>> termination. If all the major CDNs did this, it would
>>>>>>>>> be worth the negative issues where HTTP is delegated to
>>>>>>>>> an untrusted service. If TLS ever grows per-service
>>>>>>>>> restrictions that would be appropriate here, but that
>>>>>>>>> is waaaay out of scope for ACME I would think :-/
>>>>>>>>>
>>>>>>>>> --Noah
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> On Dec 14, 2015, at 11:17 AM, Michael Wyraz
>>>>>>>>>> <michael@wyraz.de>
>>>>>>>>>>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>> Julian,
>>>>>>>>>>
>>>>>>>>>> the issue your described here is caused by the
>>>>>>>>>> assumption that any the A-record points to a host
>>>>>>>>>> that should be allowed to create certs for that
>>>>>>>>>> domain. IMO a solution would be simple: use some
>>>>>>>>>> special SRV record that points to a service that does
>>>>>>>>>> the challenge. Allow users to set this record to
>>>>>>>>>> something like "none" to completely disallow
>>>>>>>>>> ACME-based cert generation. Use A-record as fallback
>>>>>>>>>> for a given time (e.g. one year), then switch
>>>>>>>>>> completely from A to SRV,
>>>>>>>>>>
>>>>>>>>>> Problem solved ;-)
>>>>>>>>>>
>>>>>>>>>> And it's almost as comfortable as using the A-record
>>>>>>>>>> because it needs just one single additional step, no
>>>>>>>>>> change of the client, absolutely minimal change to
>>>>>>>>>> the server, no extra software or support for dynamic
>>>>>>>>>> DNS updates or such.
>>>>>>>>>>
>>>>>>>>>> As a side effect it solves many problems with ACME in
>>>>>>>>>> complex environments like geo-distributed dns.
>>>>>>>>>>
>>>>>>>>>> Kind regards, Michael.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> maybe I am just a naive concerned user, but in my
>>>>>>>>>>> opinion there is one major issue with the Simple
>>>>>>>>>>> HTTP challenge and possibly other challenges,
>>>>>>>>>>> specified by ACME:
>>>>>>>>>>>
>>>>>>>>>>> Any host which is specified by an A/AAAA record of
>>>>>>>>>>> that domain zone can obtain trusted certificates in
>>>>>>>>>>> the name of the domain zone owner. Lets assume I
>>>>>>>>>>> host an private XMPP server using TLS on my own
>>>>>>>>>>> domain using an SRV record, and I point an A record
>>>>>>>>>>> to a third party hoster which hosts my public web
>>>>>>>>>>> blog. Now this third party hoster would be able to
>>>>>>>>>>> obtain signed certificates for my domain using ACME
>>>>>>>>>>> and use that to host an XMPP service on that domain
>>>>>>>>>>> using the standard port. Clients which trust that
>>>>>>>>>>> CA are now perfectly happy connecting to that
>>>>>>>>>>> entity.
>>>>>>>>>>>
>>>>>>>>>>> By creating an A record I ofcourse need to trust
>>>>>>>>>>> that host to some degree, but I still would expect
>>>>>>>>>>> the CA to verify if the requester has control over
>>>>>>>>>>> the DNS zone itself an not just over a single
>>>>>>>>>>> service running there.
>>>>>>>>>>>
>>>>>>>>>>> And consequently if it is valid to verify over
>>>>>>>>>>> HTTP, then maybe another CA validates the domain
>>>>>>>>>>> ownership by a mail service/MX record, and a third
>>>>>>>>>>> one over XMPP/SRV.
>>>>>>>>>>>
>>>>>>>>>>> This effectively means, as a domain zone admin, I
>>>>>>>>>>> have to trust every single service I define, not
>>>>>>>>>>> just to properly deliver this service, but also not
>>>>>>>>>>> to exploit his ability to obtain signed
>>>>>>>>>>> certificates in my name.
>>>>>>>>>>>
>>>>>>>>>>> Also you rely on the fact that on UNIX only root
>>>>>>>>>>> can bind on port 80 and 443. Lets assume there is
>>>>>>>>>>> an OS out there which does not enforce this
>>>>>>>>>>> restriciton, now any user on that host is able to
>>>>>>>>>>> obtain signed certificates for that domain.
>>>>>>>>>>>
>>>>>>>>>>> Maybe I missed something here, but overall this
>>>>>>>>>>> seems to be a very bad idea to automatically issue
>>>>>>>>>>> certificates without requiring a change in the
>>>>>>>>>>> actual DNS zone the certificate is issued for.
>>>>>>>>>>>
>>>>>>>>>>> Kind regards, Julian Dropmann
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________ 
>>>>>>>>>>> Acme mailing list
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Acme@ietf.org 
>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/acme
>>>>>>>>>> _______________________________________________ Acme
>>>>>>>>>> mailing list
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Acme@ietf.org 
>>>>>>>>>> https://www.ietf.org/mailman/listinfo/acme
>>>>>>>>> _______________________________________________ Acme
>>>>>>>>> mailing list
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Acme@ietf.org 
>>>>>>>>> https://www.ietf.org/mailman/listinfo/acme
>>>>>>>> _______________________________________________ Acme
>>>>>>>> mailing list
>>>>>>>>
>>>>>>>> Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
>>>>>>>
>>>>>>> _______________________________________________ Acme
>>>>>>> mailing list
>>>>>>>
>>>>>>> Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
>>>>>> _______________________________________________ Acme mailing
>>>>>> list Acme@ietf.org 
>>>>>> https://www.ietf.org/mailman/listinfo/acme
>>>>> _______________________________________________ Acme mailing
>>>>> list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
>>>> _______________________________________________ Acme mailing
>>>> list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
>>> _______________________________________________ Acme mailing list 
>>> Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
>> _______________________________________________ Acme mailing list 
>> Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
>>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme

v2.23.0 | Report a Bug | By Email