IETF Logo Mail Archive

Re: [Acme] Fixing the TLS-SNI challenge type

"Matthew D. Hardeman" <mhardeman@ipifony.com> Fri, 12 January 2018 04:00 UTC

Return-Path: <mhardeman@ipifony.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A738127735 for <acme@ietfa.amsl.com>; Thu, 11 Jan 2018 20:00:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kw9Tr4fKrgnW for <acme@ietfa.amsl.com>; Thu, 11 Jan 2018 20:00:03 -0800 (PST)
Received: from mail.ipifony.com (mail.ipifony.com [199.71.210.39]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9CB31270A7 for <acme@ietf.org>; Thu, 11 Jan 2018 20:00:03 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.ipifony.com (Postfix) with ESMTP id 5739EB40961 for <acme@ietf.org>; Thu, 11 Jan 2018 22:00:03 -0600 (CST)
X-Virus-Scanned: amavisd-new at ipifony.com
Received: from mail.ipifony.com ([127.0.0.1]) by localhost (mail.ipifony.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ORER+Ll50Hu0 for <acme@ietf.org>; Thu, 11 Jan 2018 22:00:02 -0600 (CST)
Received: from [10.47.52.51] (68-117-162-146.dhcp.unas.al.charter.com [68.117.162.146]) by mail.ipifony.com (Postfix) with ESMTPSA id 146A0B4091A for <acme@ietf.org>; Thu, 11 Jan 2018 22:00:02 -0600 (CST)
From: "Matthew D. Hardeman" <mhardeman@ipifony.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
Date: Thu, 11 Jan 2018 22:00:00 -0600
References: <F3477AAE-9C23-4FBE-B88D-E3ABC3CFB60D@ipifony.com>
To: acme@ietf.org
In-Reply-To: <F3477AAE-9C23-4FBE-B88D-E3ABC3CFB60D@ipifony.com>
Message-Id: <7AE547D0-8427-4463-B45C-1F2EB9BEEFF8@ipifony.com>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Vs9OicFnoifdKvWpN0Usbo8ins4>
Subject: Re: [Acme] Fixing the TLS-SNI challenge type
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jan 2018 04:00:05 -0000

I strongly support the ideas that Martin Thompson is presenting on this matter.  While this is a major change, it provides an opportunity build a mechanism to achieve the actual security goal: to ensure that the TLS endpoint that you’re speaking to when you follow all the routing steps a real browser would for a given endpoint successfully negotiates, within this new protocol, proof of possession of the validation challenge token along with confirmation, possession of the account key, and confirmation of what actual DNS label is being validated.

> On Jan 11, 2018, at 9:46 PM, Matthew D. Hardeman <mhardeman@ipifony.com> wrote:
> 
> Hi, guys,
> 
> I’m entirely new to this list and not sure whether or not I’m welcome, but I have some comments on the ALPN idea.
> 
> In order to actually be an improvement in security, the ALPN needs to be more than a mere marker of support.
> 
> Consider:  The new mechanism is implemented and Let’s Encrypt deploys.
> 
> Customer’s of not-secure-shared-webhost-A complain that they can’t get validations via this easy mechanism.  (The complaint would actually likely originate internally by their own development staff.)
> 
> Rather than do the work to ALSO fix the insecure aspects of the infrastructure, they’ll hastily patch in the “acme" name.
> 
> To add security, perhaps the SNI that is sent should be the actual domain label that is being validated, along with the “acme” ALPN name.  At this point, an actual ALPN extension should negotiate the authentication, with the server having the opportunity to bind the proper target name to a desired authentication and then if and only if the server has available the account key credentials of the requestor, would it be able to answer with a proper authentication.
> 
> Just adding a marker with the hammer being that just doing this without implementing the promises that are supposed to be implied on pain of violating an RFC is…  Likely to get laughed at in a derisive way by the very web hosts whose behavior now has you contemplating improvements to the protocol.
> 
> There’s no fast way out of this mess.
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme

v2.23.0 | Report a Bug | By Email