Re: [Acme] Issuing certificates based on Simple HTTP challenges
Michael Wyraz <michael@wyraz.de> Tue, 15 December 2015 13:02 UTC
Return-Path: <michael@wyraz.de>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E1A31A88BA for <acme@ietfa.amsl.com>; Tue, 15 Dec 2015 05:02:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.56
X-Spam-Level:
X-Spam-Status: No, score=-1.56 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mrfYcx-aK3Y2 for <acme@ietfa.amsl.com>; Tue, 15 Dec 2015 05:02:49 -0800 (PST)
Received: from mail.wyraz.de (web.wyraz.de [37.120.164.129]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFA501A88B4 for <acme@ietf.org>; Tue, 15 Dec 2015 05:02:35 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.wyraz.de (Postfix) with ESMTP id 8DD76A315B for <acme@ietf.org>; Tue, 15 Dec 2015 14:02:33 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at web.wyraz.de
Received: from mail.wyraz.de ([127.0.0.1]) by localhost (web.wyraz.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k8ftSqCskArq for <acme@ietf.org>; Tue, 15 Dec 2015 14:02:32 +0100 (CET)
Received: from [192.168.10.10] (ip5f5b4f75.dynamic.kabel-deutschland.de [95.91.79.117]) (Authenticated sender: michael@wyraz.de) by mail.wyraz.de (Postfix) with ESMTPSA id 58D42A315A for <acme@ietf.org>; Tue, 15 Dec 2015 14:02:32 +0100 (CET)
References: <CAF+SmEpOLoaREymVhi=qOUg2opz1vKzzNp6tGrDTZAjYSKFDkg@mail.gmail.com> <566F15DC.7090607@wyraz.de> <6B677A87-C6A0-485E-80DF-24960D585F46@coderanger.net> <566F2CB5.90402@wyraz.de> <89774336-0BA6-48FC-821D-1E8F3ED9AC14@coderanger.net> <566F4701.7050308@wyraz.de> <F3DA31B1-B27C-4C63-8ED4-6D27D46FF282@coderanger.net> <C2C239F2-E8A7-499B-BE52-3A48EA92B86D@dropmann.org> <BF7F8411-3E83-4A1F-B3A1-4C37DC8B4618@coderanger.net> <3CDE1749-3143-49EE-BD66-0AE4A8CC4175@dropmann.org> <566FDAB7.2030403@cs.tcd.ie>
From: Michael Wyraz <michael@wyraz.de>
X-Enigmail-Draft-Status: N1110
To: acme@ietf.org
Message-ID: <56700F68.3040103@wyraz.de>
Date: Tue, 15 Dec 2015 14:02:32 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <566FDAB7.2030403@cs.tcd.ie>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/Vhej6IWLVK9KNaqNBG0pgnSf8Yk>
Subject: Re: [Acme] Issuing certificates based on Simple HTTP challenges
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Dec 2015 13:02:52 -0000
Stephen, I agree that getting things started I very important for lets encrypt. But in my understanding, this is the mailing list for discussing the ACME protocol, not the 1st implementation of it. So shouldn't we think/discuss what comes after "now"? IMO using SRV as an option for specifying which host/port (if any) is responsible for ACME is a step in the right direction. It can be optional which gives security-aware admins the possibility to make their system more safe without loosing comfort for those who don't care a lot about security. Have a look at all the discussions about "allow other ports than 80/443". People argue what could be safe ports for ACME and what not. Why do an assumption instead of let people declare the port with a fallback to 80/443. Regards, Michael. > > On 15/12/15 03:03, Julian Dropmann wrote: >> I agree that the problem would still remain on a global scope, but >> the argument, that there are other "dirty" CA's so we have to be >> "dirty" too, is very questionable... at least... >> >> Is this a race to the bottom: The CA with lowest security standards >> wins? >> >> Why should one trust any of those? > I think you are not taking into account what I think is the > point of acme. The overwhelming goals here are automation and > real (*) deployment of a standards based way to manage PKI > for the most popular applications using PKI. > > Once we get the above done, then the security/assurance bar > can be raised over time in a useful manner. Today, it cannot, > as the CAs only have p#10 in common really and the rest of > what they do is effectively proprietary. > > So it is entirely valid here to argue that "same security as > current WebPKI" is a good starting point. > > Cheers, > S. > > (*) I say that as a co-author of RFC2510 and successors which > was afaik the original but by no meanss the only failed attempt > to do this. My experience with all of that tells ms that it is > more important to prioritise initial deployment over almost all > else. > > >>> On 15 Dec 2015, at 03:32, Noah Kantrowitz <noah@coderanger.net> >>> wrote: >>> >>> And the counter to that is the huge number of existing CAs that >>> allow URL-based verification. We would pay the costs of increased >>> complexity for setup (for example, the existing LE client would be >>> totally impossible) but don't actually reap any benefits until the >>> last of those CA shuts down. Hence, pragmatism with a bias towards >>> improving accessibility. If the person running your website is >>> actively hostile, they can probably get into some pretty serious >>> mischief anyway :-/ (all of my arguments are absolutely dismissible >>> as "slippery slope" fallacies for those playing along at home) >>> >>> --Noah >>> >>>> On Dec 14, 2015, at 6:20 PM, Julian Dropmann >>>> <julian@dropmann.org> wrote: >>>> >>>> The important difference is, that only zones which intent to use >>>> ACRE would create such an SRV record in the first place. With the >>>> current design any A record host in the world can obtain certs. >>>> By using an ACRE specific SRV record the domain owner at has at >>>> least shown the intent to use ACRE for his zone. And also he >>>> could limit it to a specific port number/service on that host. I >>>> think this would be a very huge security improvement, and of the >>>> verification quality in general, but only if this would not be an >>>> optional thing. >>>> >>>>> On 15 Dec 2015, at 00:02, Noah Kantrowitz <noah@coderanger.net> >>>>> wrote: >>>>> >>>>> It wouldn't matter anyway because even with a SRV delegation >>>>> for the challenge, the final cert is still issued against only >>>>> a hostname, not a specific service. Combined with the fact that >>>>> there are existing CAs that do a rough equivalent of http-01 >>>>> and we can't expect that to go away any time soon, it isn't >>>>> hard to see why pragmatism won out in the initial design. >>>>> Fixing this for reals requires TLS-level protocol improvements >>>>> for per-service certificates. Not against that, just saying >>>>> you've got a long road ahead of you. >>>>> >>>>> --Noah >>>>> >>>>>> On Dec 14, 2015, at 2:47 PM, Michael Wyraz <michael@wyraz.de> >>>>>> wrote: >>>>>> >>>>>> I thought about all the DNS stuff and came to the conclusion >>>>>> that focussing ssl certs for https only and ignoring all the >>>>>> rest may cause further security issues. E.g. if I delegate >>>>>> http (via A-record or CNAME) to someone else, he can now >>>>>> create valid ssl certs for my mail server which I did not >>>>>> delegate. IMO A-record should be dedicated to http(s) (for >>>>>> legacy reasons, see >>>>>> http://stackoverflow.com/questions/9063378/why-do-browsers-not-use-srv-records) >>>>>> and all other services (inclusing ACME) should use their own >>>>>> srv records. >>>>>> >>>>>> Looks like a decision between comfort and security - let's >>>>>> bet what will win... >>>>>> >>>>>>> Fair, adding a DNS-level opt-out would be a reasonable >>>>>>> addition for future iterations, but not a hugely pressing >>>>>>> issue given the expected use cases. >>>>>>> >>>>>>> --Noah >>>>>>> >>>>>>> >>>>>>>> On Dec 14, 2015, at 12:55 PM, Michael Wyraz >>>>>>>> <michael@wyraz.de> wrote: >>>>>>>> >>>>>>>> So just leave out the part with "then switch completely >>>>>>>> from A to SRV" and allow both. This gives people the >>>>>>>> comfort to use A/CNAME stuff while others who prefer >>>>>>>> security use SRV. Both are happy, problem solved ;-) >>>>>>>> >>>>>>>>> Using normal A/CNAME records matches the default use >>>>>>>>> case of HTTPS a lot more smoothly and allows a lot of >>>>>>>>> cool transparent upgrade stuffs from folks like >>>>>>>>> DreamHost or Fastly that already do the CNAME setup as >>>>>>>>> part of user on-boarding and can run http-01 on the >>>>>>>>> behalf of the user to set them up on an SNI >>>>>>>>> termination. If all the major CDNs did this, it would >>>>>>>>> be worth the negative issues where HTTP is delegated to >>>>>>>>> an untrusted service. If TLS ever grows per-service >>>>>>>>> restrictions that would be appropriate here, but that >>>>>>>>> is waaaay out of scope for ACME I would think :-/ >>>>>>>>> >>>>>>>>> --Noah >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>>> On Dec 14, 2015, at 11:17 AM, Michael Wyraz >>>>>>>>>> <michael@wyraz.de> >>>>>>>>>> >>>>>>>>>> wrote: >>>>>>>>>> >>>>>>>>>> Julian, >>>>>>>>>> >>>>>>>>>> the issue your described here is caused by the >>>>>>>>>> assumption that any the A-record points to a host >>>>>>>>>> that should be allowed to create certs for that >>>>>>>>>> domain. IMO a solution would be simple: use some >>>>>>>>>> special SRV record that points to a service that does >>>>>>>>>> the challenge. Allow users to set this record to >>>>>>>>>> something like "none" to completely disallow >>>>>>>>>> ACME-based cert generation. Use A-record as fallback >>>>>>>>>> for a given time (e.g. one year), then switch >>>>>>>>>> completely from A to SRV, >>>>>>>>>> >>>>>>>>>> Problem solved ;-) >>>>>>>>>> >>>>>>>>>> And it's almost as comfortable as using the A-record >>>>>>>>>> because it needs just one single additional step, no >>>>>>>>>> change of the client, absolutely minimal change to >>>>>>>>>> the server, no extra software or support for dynamic >>>>>>>>>> DNS updates or such. >>>>>>>>>> >>>>>>>>>> As a side effect it solves many problems with ACME in >>>>>>>>>> complex environments like geo-distributed dns. >>>>>>>>>> >>>>>>>>>> Kind regards, Michael. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>> Hello, >>>>>>>>>>> >>>>>>>>>>> maybe I am just a naive concerned user, but in my >>>>>>>>>>> opinion there is one major issue with the Simple >>>>>>>>>>> HTTP challenge and possibly other challenges, >>>>>>>>>>> specified by ACME: >>>>>>>>>>> >>>>>>>>>>> Any host which is specified by an A/AAAA record of >>>>>>>>>>> that domain zone can obtain trusted certificates in >>>>>>>>>>> the name of the domain zone owner. Lets assume I >>>>>>>>>>> host an private XMPP server using TLS on my own >>>>>>>>>>> domain using an SRV record, and I point an A record >>>>>>>>>>> to a third party hoster which hosts my public web >>>>>>>>>>> blog. Now this third party hoster would be able to >>>>>>>>>>> obtain signed certificates for my domain using ACME >>>>>>>>>>> and use that to host an XMPP service on that domain >>>>>>>>>>> using the standard port. Clients which trust that >>>>>>>>>>> CA are now perfectly happy connecting to that >>>>>>>>>>> entity. >>>>>>>>>>> >>>>>>>>>>> By creating an A record I ofcourse need to trust >>>>>>>>>>> that host to some degree, but I still would expect >>>>>>>>>>> the CA to verify if the requester has control over >>>>>>>>>>> the DNS zone itself an not just over a single >>>>>>>>>>> service running there. >>>>>>>>>>> >>>>>>>>>>> And consequently if it is valid to verify over >>>>>>>>>>> HTTP, then maybe another CA validates the domain >>>>>>>>>>> ownership by a mail service/MX record, and a third >>>>>>>>>>> one over XMPP/SRV. >>>>>>>>>>> >>>>>>>>>>> This effectively means, as a domain zone admin, I >>>>>>>>>>> have to trust every single service I define, not >>>>>>>>>>> just to properly deliver this service, but also not >>>>>>>>>>> to exploit his ability to obtain signed >>>>>>>>>>> certificates in my name. >>>>>>>>>>> >>>>>>>>>>> Also you rely on the fact that on UNIX only root >>>>>>>>>>> can bind on port 80 and 443. Lets assume there is >>>>>>>>>>> an OS out there which does not enforce this >>>>>>>>>>> restriciton, now any user on that host is able to >>>>>>>>>>> obtain signed certificates for that domain. >>>>>>>>>>> >>>>>>>>>>> Maybe I missed something here, but overall this >>>>>>>>>>> seems to be a very bad idea to automatically issue >>>>>>>>>>> certificates without requiring a change in the >>>>>>>>>>> actual DNS zone the certificate is issued for. >>>>>>>>>>> >>>>>>>>>>> Kind regards, Julian Dropmann >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> _______________________________________________ >>>>>>>>>>> Acme mailing list >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Acme@ietf.org >>>>>>>>>>> https://www.ietf.org/mailman/listinfo/acme >>>>>>>>>> _______________________________________________ Acme >>>>>>>>>> mailing list >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Acme@ietf.org >>>>>>>>>> https://www.ietf.org/mailman/listinfo/acme >>>>>>>>> _______________________________________________ Acme >>>>>>>>> mailing list >>>>>>>>> >>>>>>>>> >>>>>>>>> Acme@ietf.org >>>>>>>>> https://www.ietf.org/mailman/listinfo/acme >>>>>>>> _______________________________________________ Acme >>>>>>>> mailing list >>>>>>>> >>>>>>>> Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme >>>>>>> >>>>>>> _______________________________________________ Acme >>>>>>> mailing list >>>>>>> >>>>>>> Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme >>>>>> _______________________________________________ Acme mailing >>>>>> list Acme@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/acme >>>>> _______________________________________________ Acme mailing >>>>> list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme >>>> _______________________________________________ Acme mailing >>>> list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme >>> _______________________________________________ Acme mailing list >>> Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme >> _______________________________________________ Acme mailing list >> Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme >> > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme
- [Acme] Issuing certificates based on Simple HTTP … Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… moparisthebest
- Re: [Acme] Issuing certificates based on Simple H… Ilari Liusvaara
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Ilari Liusvaara
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Peter Bowen
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Kim Alvefur
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Kim Alvefur
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Richard Barnes
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Richard Barnes
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Peter Bowen
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell