[Acme] Conflicting requirements for retrieving an ACME account that is already bound to an external account
Rob Stradling <rob@sectigo.com> Wed, 11 November 2020 16:02 UTC
Return-Path: <rob@sectigo.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10DB03A0C8E for <acme@ietfa.amsl.com>; Wed, 11 Nov 2020 08:02:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, TVD_PH_BODY_ACCOUNTS_PRE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sectigo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yNiyRtt6M7ms for <acme@ietfa.amsl.com>; Wed, 11 Nov 2020 08:02:50 -0800 (PST)
Received: from NAM10-DM6-obe.outbound.protection.outlook.com (mail-dm6nam10on2052.outbound.protection.outlook.com [40.107.93.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20EF53A0420 for <acme@ietf.org>; Wed, 11 Nov 2020 08:02:49 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gQH7ZgYA3DcID4wD7ny59VmV3jtlzjRVpx8ijBjnHEgNzhvbH/i760RUlcWCF1oebWm5Kww7u+EIovkY06DTxmq4lnIq+iexjfXhPsidXaUaAei9i71yZAE78mwlru5az8ncfbtJEmuePsl+aSdfWhkvXxzDOfTy2Y7OHjavpVfvc74annlLZ8JkkI0kMV1ySrRqNO/NvHtqpiZRQ0bZUEXIm+zw0Bk38hxUuf7mhGZ9gbyaRl5CS/IatkNBrNVTkOHkwT1y3FCv5G8F0QYeE5JVkXYa2yESlItsaFn6oURCj9vcKkqT142T98pptJGaMQ/VSxot0ZSBYnPS+NGi0g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=aV46k3GMrz/Hfig+0aGdmBw7eJxK7Imq/YrdHx/yGyg=; b=JQXA4HUyjMAbm90xMrEGtUrBph9BGm6o6c+HfOhHAHZ/Bxjka9sXLezb1rg6mtTGZHhCaWXWB+9uHbQoXiAEfnOtFKS7adRaOSwittH1cV7bqInyzdSH5DVZfcPr0W1Om/lMQ6NFRUNmVuk7qNr0M0I4IhuyAPVX+tpRlfKDtG/++IYWhuB5DVqMB14xqGZY0UOq7r+H/i0DinqmLv1oaK1mEbmFasYRDjYexGxsuiNxwcHpOIViWLilwXvbPhggLaq6hpcOiZtk8HfiOGs5dZXmnni7DxV344ecUicsv0El04ZrBSJRcb5C1bgxzKHKIYmZkiInCLP1XoJtP4ByCQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=sectigo.com; dmarc=pass action=none header.from=sectigo.com; dkim=pass header.d=sectigo.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sectigo.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=aV46k3GMrz/Hfig+0aGdmBw7eJxK7Imq/YrdHx/yGyg=; b=o1GtlFsBzfejBitExHqtdhK4SD3vTsW0rbPC57knNpkrHp2LvpxDKn2DJZCAKwXhHP1IGfkCMwlo0Sw+PtVIRERdKOCd7iLw7K/LubBfqLTSLCb7ZqyiunIdTySbn8HGJxBwH0us5IPXma8Y9YBjBG4t3ZWOe6WntlWmculvFqo=
Received: from MW3PR17MB4122.namprd17.prod.outlook.com (2603:10b6:303:44::15) by MWHPR17MB1342.namprd17.prod.outlook.com (2603:10b6:300:8e::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3541.22; Wed, 11 Nov 2020 16:02:47 +0000
Received: from MW3PR17MB4122.namprd17.prod.outlook.com ([fe80::81c7:e190:21c3:9983]) by MW3PR17MB4122.namprd17.prod.outlook.com ([fe80::81c7:e190:21c3:9983%8]) with mapi id 15.20.3541.025; Wed, 11 Nov 2020 16:02:47 +0000
From: Rob Stradling <rob@sectigo.com>
To: "acme@ietf.org" <acme@ietf.org>
Thread-Topic: Conflicting requirements for retrieving an ACME account that is already bound to an external account
Thread-Index: AQHWuDbZ3Ca9ixTj50S2TXCWhBHWtA==
Date: Wed, 11 Nov 2020 16:02:47 +0000
Message-ID: <MW3PR17MB4122DD879FB24AEB6B856E28AAE80@MW3PR17MB4122.namprd17.prod.outlook.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=sectigo.com;
x-originating-ip: [213.31.96.179]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 65574a0f-9e78-4961-b70c-08d8865b3bb1
x-ms-traffictypediagnostic: MWHPR17MB1342:
x-microsoft-antispam-prvs: <MWHPR17MB134256709E83DD588E3B30C3AAE80@MWHPR17MB1342.namprd17.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: aryTsU1bVOHGhPpHK46q27k3yZ1yKaxpe5LyE9NV/o2NMafU380NAIru4BoOrIFB6ZFL5ZxfOe3QtJhOz+GruJuT1LAw/mys8KSpdoxFn/wK1+nZNpmCnSO8EjiifnSdqxQKvCAhEoT4tRBTRkEKlbGnYb8edA0kxmehC2BjxL1lRWkcq6nmeKNx60Xf+EwLfgvxCKT/0RfNEw9NjPWgBRznxz0DiUZTqRs444tgbZ/mYVzns7gs3OF5tkMbEHI33KYFdm2G+GG7LHt7wbQKpE+c2zVKUi0gqhZZ5M7M9HnX3D7AmxoDNp/u4qlK+1MG/lsfxx4CmVi1xam/qbG+aIeI3i1gCDxJCZlNrnPCwDMI8hnEl7AYrg3kPyrZDk7h4QaVTIGIzYVaHi9qvTGFZA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MW3PR17MB4122.namprd17.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(396003)(39850400004)(366004)(346002)(376002)(136003)(26005)(9686003)(478600001)(71200400001)(7696005)(15650500001)(966005)(66446008)(8936002)(66556008)(64756008)(66476007)(55016002)(66946007)(33656002)(91956017)(76116006)(8676002)(52536014)(86362001)(2906002)(166002)(19627405001)(316002)(186003)(6506007)(83380400001)(5660300002)(6916009); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: s9OOuoW4GT2ZsbXuI4an5Uyry/nSxhE1ZeUu8G8ULhI8htSnipc10wL1KhIFHTgiA4dhL2mVkulc/9EPExWxaQFc4Ua09MoGbQ+3XgrcHbSses4nV9k/IMF4Ly53mMZGwwSbSF/Tu3sVGJk0+a8pnxrsncUKjDpBpjwE8Rt4S5aj6NTsOQ5x9jVHYn82Yvqq0oo3sCtb3V0d80lrWicmvdNe60EK9IK9iB3mHJhXJPhWbpCT8LB+8KLl0agMc1X7ITakNa/rFq3RVU6iasVIoQE0z3j/O7b6ZUtNfRG0SMGf+w4n6LZQMePN6yEuPVozVQe8OyVbtCsAifOto2Xd11XY3RNarajbShkObl6otFOiTw+/BezzUXwYLO2ILJ2LLavat8KNPb/lqb8F7PyWE49OzhDlS7u1xa//+gaOBdQSgvAR3jZasNkaTcpEaSiP2NrrKKWYQaRNV6jf7YcEakaQD5nVjzyKcXicfXz+m56EQ1N8n5tUd2KJ3dv3oPcWXhyMMpM2esL4H9Y0yJwe0s8kEUGNHUqFm0qUuHI6aVPt3EBvo1mSZyOL0PgIcp2mpg5KB1+wnKSTSU9mGZS4EaMGHXpY0qh5z5BNksl55rUXXx4N6e3BkQsNrQyp5xyx2KwZFeyrbrJV0GaSuDGmOw==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MW3PR17MB4122DD879FB24AEB6B856E28AAE80MW3PR17MB4122namp_"
MIME-Version: 1.0
X-OriginatorOrg: sectigo.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MW3PR17MB4122.namprd17.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 65574a0f-9e78-4961-b70c-08d8865b3bb1
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Nov 2020 16:02:47.2925 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0e9c4894-6caa-465d-9660-4b6968b49fb7
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: x5fyh7Y4kqDkY3qmvbQECPrMkH2I3ibzWTTEjW2AZQDQnstNdOL8atgSuUHnhXBax1v63V2G1o7O+QrvAGjhwA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR17MB1342
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/XCN54CzSQiL2_Xh2GsA7GITgWhg>
Subject: [Acme] Conflicting requirements for retrieving an ACME account that is already bound to an external account
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Nov 2020 16:02:52 -0000
https://tools.ietf.org/html/rfc8555#section-7.1.2 says (emphasis mine): 'externalAccountBinding (optional, object): Including this field in a newAccount request indicates approval by the holder of an existing non-ACME account to bind that account to this ACME account. This field is not updateable by the client (see Section 7.3.4<https://tools.ietf.org/html/rfc8555#section-7.3.4>). https://tools.ietf.org/html/rfc8555#section-7.3.1 says (emphasis mine): 'If the server receives a newAccount request signed with a key for which it already has an account registered with the provided account key, then it MUST return a response with status code 200 (OK) and provide the URL of that account in the Location header field. The body of this response represents the account object as it existed on the server before this request; any fields in the request object MUST be ignored.' https://tools.ietf.org/html/rfc8555#section-7.3.4 says: 'When a CA receives a newAccount request containing an "externalAccountBinding" field, it decides whether or not to verify the binding. If the CA does not verify the binding, then it MUST NOT reflect the "externalAccountBinding" field in the resulting account object (if any).' ISTM that there's a conflict between these requirements when an ACME account has previously been created and bound to an external non-ACME account (as per section 7.3.4) and a user now wants to retrieve that ACME account by "Finding an Account URL Given a Key" (as per section 7.3.1): - The ACME server's directory object provides (quoting section 7.3.4)... 'the value "true" in the "externalAccountRequired" subfield of the "meta" field in the directory object.' ...and so the client is required to include the "externalAccountBinding" field in the newAccount request. - The server is required to ignore "any fields in the request object" (per the part of section 7.3.1 quoted above). - Whilst the server is normally at liberty to choose "whether or not to verify the binding" (per the part of section 7.3.4 quoted above), the requirement to ignore "any fields in the request object" forces the server to not verify the binding provided by the client during this account retrieval operation. - Since the server has not verified the binding, its response 'MUST NOT reflect the "externalAccountBinding" field in the resulting account object'. So by attempting to retrieve a previously-externally-bound account, the ACME client has caused the "externalAccountBinding" field in the account object to be updated (from present to absent). Except that this can't have happened, because "This field is not updateable by the client" (per the part of section 7.1.2 quoted above) and because "The body of this response represents the account object as it existed on the server before this request" (per the part of section 7.3.1 quoted above). The upshot is that retrieving a previously-externally-bound account is currently impossible. At Sectigo we currently have customers affected by this problem, and I think an erratum to RFC8555 is needed to address it. I'm not proposing text just yet, but I propose that the outcome of the erratum would be that: 1. A client should be permitted to omit "externalAccountBinding" from a newAccount request when retrieving an existing account from a server that requires external account binding. (External account binding is a one-time operation; as soon as an ACME account and an external account are bound once, they're bound forever). 2. When a client does provide "externalAccountBinding" in a newAccount request to retrieve an existing account from a server that requires external account binding, the server should be required to verify that binding and ensure that it links to the exact same external account to which the ACME account is already bound. Do folks agree with my analysis and proposal? -- Rob Stradling Senior Research & Development Scientist Sectigo Limited
- [Acme] Conflicting requirements for retrieving an… Rob Stradling
- Re: [Acme] Conflicting requirements for retrievin… Jacob Hoffman-Andrews
- Re: [Acme] Conflicting requirements for retrievin… Rob Stradling
- Re: [Acme] Conflicting requirements for retrievin… John Gardiner Myers