Re: [Acme] Threat model for claiming domains
Richard Barnes <rlb@ipv.sx> Sat, 20 December 2014 00:26 UTC
Hey Tony,

I just got around to thinking about this for a moment.

Obviously, our baseline here should be whatever the CAs are doing today, since we have empirical evidence that those methods are more or less OK. I did a quick and dirty empirical survey of the top few CAs this afternoon:

https://docs.google.com/a/ipv.sx/document/d/1KVKIS6abA2KL-yHvFsMql6U3qUjVhgO6p19Hzci0vQo/edit?usp=sharing

For the most part, they rely on sending an email to either the registered WHOIS contact, or something like admin@domain. GlobalSign supports validation based on a DNS record or a <meta> tag in index.html.

With regard to your concern about services colocated on the same IP (presumably for simpleHttps and DVSNI validation): This seems to mostly be addressed by not allowing the ACME client to specify the port that the ACME server connects to. That means that the attacker has to control not only something on the box, but the default port for HTTP or HTTPS. If that's not the case, normal routing based on the Host header or SNI should ensure that the validation request goes to the right place.

Nonetheless, I agree that more analysis would be useful, across all the validation methods.

--Richard

On Mon, Dec 1, 2014 at 7:33 PM, Tony Arcieri <bascule@gmail.com> wrote:

> Is there a published threat model for claiming domains? I haven't been
> able to find it, but I'd certainly like to read it!
>
> If we simply accept a service running on the same IP that a given DNS name
> points to, there seems ample opportunity to register certificates for
> services colocated on the same IP.
>
> --
> Tony Arcieri
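
The port rule described in the message above, as an added example that is not part of the original email or of any ACME implementation: the validator accepts only a bare DNS name from the client, always connects to the default port, and a constructed model of one shared IP shows which co-located service ends up answering. The function names, host names and the host table are all hypothetical.

```python
import re

# The only ports the validator will ever connect to; never taken from the client.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Bare DNS name: dot-separated labels, alphabetic TLD, no port/path/userinfo.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

def validation_target(identifier, scheme="https"):
    """Return (connect_host, port, host_header) for a name the client claims.

    Anything that is not a bare DNS name (for example "name:8443") is
    rejected, so the client has no way to steer the connection to another port.
    """
    name = identifier.strip().lower().rstrip(".")
    if not _HOSTNAME.match(name):
        raise ValueError(f"not a bare DNS name: {identifier!r}")
    return name, DEFAULT_PORTS[scheme], name

# Constructed model of one shared IP address: listeners keyed by port, each
# with a virtual-host table keyed by Host header / SNI ("*" = catch-all).
SHARED_BOX = {
    443: {"victim.example": "victim-site", "tenant.example": "tenant-site"},
    8443: {"*": "tenant-admin-panel"},  # co-located service, non-default port
}

def route(port, host_header, box=SHARED_BOX):
    """Which service on the box answers a request to this port and Host/SNI."""
    vhosts = box.get(port)
    if vhosts is None:
        return None  # nothing is listening on that port
    return vhosts.get(host_header, vhosts.get("*"))

def who_answers(identifier, scheme="https"):
    """Service that receives the validation request for a claimed name."""
    _, port, host = validation_target(identifier, scheme)
    return route(port, host)
```
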