IETF Logo Mail Archive

Re: [Acme] Adam Roach's Discuss on draft-ietf-acme-acme-14: (with DISCUSS and COMMENT)

Richard Barnes <rlb@ipv.sx> Fri, 31 August 2018 18:32 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 044BD130DDC for <acme@ietfa.amsl.com>; Fri, 31 Aug 2018 11:32:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yi26h6GYfdLb for <acme@ietfa.amsl.com>; Fri, 31 Aug 2018 11:32:44 -0700 (PDT)
Received: from mail-oi0-x22b.google.com (mail-oi0-x22b.google.com [IPv6:2607:f8b0:4003:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 547AA128CFD for <acme@ietf.org>; Fri, 31 Aug 2018 11:32:44 -0700 (PDT)
Received: by mail-oi0-x22b.google.com with SMTP id r69-v6so23374033oie.3 for <acme@ietf.org>; Fri, 31 Aug 2018 11:32:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CCSplQG4oXSjPW+ajnx+B5hbPkgy+Ik4XQcXQjDMDIU=; b=tlEspEmZGhbuCyJ4TVJJt/CciMU0vZT/J9mjWcRVBLrl80E3XeuhP/q4UWPuyQM2vh 1aCgvKxKVFKdZAiefg4yRM9AY25MKITEuClwxpXPdmiMMZxbKnLoCbdn7zOVoscMJg7S o8FAPLy+Xhm+6MbJ66oBJUL7sij/Libac8o6LBr9KPCn/pDN1+OC7WHDxaQf2vKTrdm6 hawhkgzK8kcsPeIUqnFgfW2Ug7QmG2xtIHSJ+XZf9WcfGJfxOGt9DXmmK1wu2S2sCE3T iMUs3NghUe1VrFSBoUY8PlalqqLo0qpDHXKrHoZCXoeMNZmbT+PMLE354IUv5FU44ypD tjbA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CCSplQG4oXSjPW+ajnx+B5hbPkgy+Ik4XQcXQjDMDIU=; b=mBfJYqAwVfORqBcF/OfMBe1kjzbyGMygc/GQJ29YiiV2udClRftxblMbiiQWgEfMOK VPuRxL+bcLAovOXGZsVH8/cYw0O1d3cn3w+ze/enk2GVxoldQfJcjkLCqKvUXOWz3Ox8 9l7ceOD9i55+0+w0rbigyZI5koP4FSvNi1CXhE8dspm6KtMkTcPDYUjb7BoRsH2kiPm/ s/Q2AdzMpny0VVkhz5LgFAvjadXht37X4vWMkngV+ysL/d+1wDBCTqbQSCPfuirIiaWS KdPif4WWKFyDd62NJxwxGumdKJxbLbnPKAlN5rNK3jygeCLtmdqWe0RF0faeUd623L/m pWpA==
X-Gm-Message-State: APzg51B6F1qCdNs2s0takp4919m8uE6BiHCapRg06m/5vcCCnPB6hsh1 Mui+MpA6In95CPRLjEM7CuTapGaZ+F+6nFlWJ/kci4Vf
X-Google-Smtp-Source: ANB0VdZMdpUlvUFrYCDdjpJQNACOZSLHns2M1Ih2PriZcjsvfOowW7qffQsiB+sv3248KFAKBfkEqM+SAwDihRnJh5w=
X-Received: by 2002:aca:f189:: with SMTP id p131-v6mr8940971oih.14.1535740360764; Fri, 31 Aug 2018 11:32:40 -0700 (PDT)
MIME-Version: 1.0
References: <153560463159.14901.5253843942494748934.idtracker@ietfa.amsl.com> <CAL02cgS0_d5qfraPoN2rmrZ9qGqmVdGdHu_a8knNkFcD1kcwpQ@mail.gmail.com> <8b419e1e-1bea-a1c3-159f-ad049a6c113e@nostrum.com> <20180830154850.21a82df5@rovaniemi> <bcfd8b8d-2485-b170-f055-001a987af0e9@nostrum.com> <CAL02cgRrKjzV8NEEUyYf1Yg=Nz7fHoSc4yZupxL9A-p7v2LD0A@mail.gmail.com> <9E4B0F0F-F65A-44B4-A05B-3966F1F4C856@akamai.com> <61C79A7C-A7C7-44BB-A2B8-1124D3F0FC0D@felipegasper.com> <AM2PR07MB06104D25EB511E72BACD8E62800F0@AM2PR07MB0610.eurprd07.prod.outlook.com>
In-Reply-To: <AM2PR07MB06104D25EB511E72BACD8E62800F0@AM2PR07MB0610.eurprd07.prod.outlook.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Fri, 31 Aug 2018 14:32:29 -0400
Message-ID: <CAL02cgSQ4aDf9fXcFt+p28wVz5qeUyGpuTWVUqDMDFa=tNiLXw@mail.gmail.com>
To: "Fossati, Thomas (Nokia - GB/Cambridge, UK)" <thomas.fossati@nokia.com>
Cc: Felipe Gasper <felipe@felipegasper.com>, rsalz=40akamai.com@dmarc.ietf.org, IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000abc90c0574bf6aa9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/WLy8ecg-PLfoCnyaHCGXTxPDF0c>
Subject: Re: [Acme] Adam Roach's Discuss on draft-ietf-acme-acme-14: (with DISCUSS and COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Aug 2018 18:32:47 -0000

STAR only requires that the server be able to GET the certificate URL,
right?  If that's the case, I don't see a problem, given that the latest
version of the PR allows GET to certificate resources.

I don't think we can make authentication optional.  That would revert us
back to having to do privacy analysis for everything.  Note, however, that
the *authorization* that the server applies is still up to the server.  If
the server wants to have some external interface by which you could
authorize additional people to see your stuff, they are not forbidden from
doing so.

--Richard

On Fri, Aug 31, 2018 at 2:28 PM Fossati, Thomas (Nokia - GB/Cambridge) <
thomas.fossati@nokia.com> wrote:

> +1
>
> As noted by Felipe, the implication that the service effectively
> consuming the certificate has to have the ACME account's key at hand is
> not always a practical nor a particularly secure arrangement.  (Another
> example where this wouldn't work out particularly well is a single ACME
> STAR certificate shared across multiple service instances in a HA
> configuration.)
> Broadly speaking, it looks like this is going to be problematic in all
> cases where you'd want to decouple the certificate requester from the
> certificate consumer roles.
>
> In particular, I'm very concerned about the impact on STAR Requests.
> In both its forms - as an ACME profile [1] as well as a standalone
> protocol [2] - the design postulates that the certificate resource is
> public.  This is a core precondition to allow delegation without sharing
> credentials between the delegating and the delegated entities.  The
> authenticated POST-as-GET access to the certificate resource completely
> wrecks this architecture.
>
> So, my question (just to be super clear: scoped only to the "POST-as-GET
> certificate" part of the proposed change) is: Can we let the ACME user
> decide whether to enable or disable this specific behaviour instead of
> making it mandatory for everyone?
>
> Cheers, thanks
>
> [1]
> https://github.com/thomas-fossati/I-D/blob/acme-delegation-profile/STAR-Request/draft-sheffer-acme-star-delegation.md
> [2]
> https://github.com/thomas-fossati/I-D/blob/acme-delegation-profile/STAR-Request/draft-sheffer-acme-star-request.md
> ________________________________________
> From: Acme <acme-bounces@ietf.org> on behalf of Felipe Gasper <
> felipe@felipegasper.com>
> Sent: 30 August 2018 20:17
> To: Salz, Rich
> Cc: acme@ietf.org
> Subject: Re: [Acme] Adam Roach's Discuss on draft-ietf-acme-acme-14: (with
> DISCUSS and COMMENT)
>
> Would it work to keep certificate fetches as plain GET?
>
> In shared hosting environments it’s common for a privileged process to
> request certificates on behalf of user accounts. This avoids having 1,000s
> of ACME server registrations from a single server. While certificates are
> generally made available within seconds, theoretically the delay between
> request and issuance could be much longer (e.g., for OV/EV), such that it
> might be prudent for that privileged process to give the order ID to the
> user and have the user poll for the certificate, e.g., via cron.
>
> -Felipe Gasper
> Mississauga, Ontario
>
>
> > On Aug 30, 2018, at 11:51 AM, Salz, Rich <rsalz=40akamai.com@dmarc.ietf..org>
> wrote:
> >
> > It appears that we missed a security issue.
> >
> > Please take a look at the PR mentioned below.  It removes many GET
> requests and turns them into POST so that the client payload can have
> authentication information.
> >
> > If you object to this change, please post a note to the list and explain
> why.  Try to do that within a week.
> >
> > Thanks.
> >
> > From: Richard Barnes <rlb@ipv.sx>
> > Date: Thursday, August 30, 2018 at 11:42 AM
> > To: Adam Roach <adam@nostrum.com>
> > Cc: "felix=40fontein.de@dmarc.ietf.org" <felix=
> 40fontein.de@dmarc.ietf.org>, "acme@ietf.org" <acme@ietf.org>
> > Subject: Re: [Acme] Adam Roach's Discuss on draft-ietf-acme-acme-14:
> (with DISCUSS and COMMENT)
> >
> > My preference here would be for approach (1).  I appreciate that it's a
> big change to make this late in the process, but that's the price we pay
> for missing a pretty significant issue up until now.  For existing
> implementations, the code impact should be modest, as long as they have
> been architected to isolate fetch logic (i.e., the have a get() method that
> you could just change to do the right POST thing).  And as long as we don't
> *forbid* responding to GET requests, servers can support both options for
> the time being.
> >
> > To illustrate what change we'd need to make, I went ahead and wrote up a
> PR:
> >
> > https://github.com/ietf-wg-acme/acme/pull/445
> >
> > _______________________________________________
> > Acme mailing list
> > Acme@ietf.org
> > https://www.ietf.org/mailman/listinfo/acme
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>

v2.23.0 | Report a Bug | By Email