Re: [Acme] [Technical Errata Reported] RFC8555 (6843)

Jacob Hoffman-Andrews <jsha@eff.org> Thu, 24 February 2022 18:30 UTC

From: Jacob Hoffman-Andrews <jsha@eff.org>
To: James Kasten <jdkasten@umich.edu>, Benjamin Kaduk <kaduk@mit.edu>
CC: Richard Barnes <rlb@ipv.sx>, Daniel McCarney <cpu@letsencrypt.org>, Roman Danyliw <rdd@cert.org>, "decoole@nsa.gov" <decoole@nsa.gov>, "debcooley1@gmail.com" <debcooley1@gmail.com>, Yoav Nir <ynir.ietf@gmail.com>, IETF ACME <acme@ietf.org>, RFC Errata System <rfc-editor@rfc-editor.org>
Thread-Topic: [Technical Errata Reported] RFC8555 (6843)
Thread-Index: AQHYHSm8FxaqS2N/0ka5U2vGqsDZG6yKyWEAgACO8wCAF8Y+EA==
Date: Thu, 24 Feb 2022 18:30:45 +0000
Message-ID: <MWHPR2001MB190159D2320512B79C12EFF9DB3D9@MWHPR2001MB1901.namprd20.prod.outlook.com>
References: <20220208202323.A644DE9747@rfc-editor.org> <20220209065416.GT48552@kduck.mit.edu> <CAAEpsx8k3ysjYnj6cRYzepZnfZEsFv-emHpiz3bXG-hEW8NK_g@mail.gmail.com>
In-Reply-To: <CAAEpsx8k3ysjYnj6cRYzepZnfZEsFv-emHpiz3bXG-hEW8NK_g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/XuwaK-A2PjNp8zs2zNn6V2y_Juo>

I agree with James' reading. The intent was to allow HTTP->HTTPS redirects during validation, and that is common practice today. The errata makes the language a little clearer around that, so I vote "hold for document update."
________________________________
From: James Kasten <jdkasten@umich.edu>
Sent: Wednesday, February 9, 2022 7:25 AM
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Richard Barnes <rlb@ipv.sx>; Jacob Hoffman-Andrews <jsha@eff.org>; Daniel McCarney <cpu@letsencrypt.org>; Roman Danyliw <rdd@cert.org>; decoole@nsa.gov <decoole@nsa.gov>; debcooley1@gmail.com <debcooley1@gmail.com>; Yoav Nir <ynir.ietf@gmail.com>; IETF ACME <acme@ietf.org>; RFC Errata System <rfc-editor@rfc-editor.org>
Subject: Re: [Technical Errata Reported] RFC8555 (6843)

Hi Ben,

Thanks for the response.

Following redirects for the http-01 challenge is already recommended by the RFC's Section 8.3 (https://datatracker.ietf.org/doc/html/rfc8555#section-8.3).
```
The server SHOULD follow redirects when dereferencing the URL.
Clients might use redirects, for example, so that the response can be
provided by a centralized certificate management server.  See
Section 10.2 (https://datatracker.ietf.org/doc/html/rfc8555#section-10.2) for security considerations related to redirects.
```

Section 10.4 (https://datatracker.ietf.org/doc/html/rfc8555#section-10.4) also contains an additional warning or emphasis regarding redirects with SSRF, so I included a generic reference to both for completeness.
```
However, if the attacker first sets the domain to one
they control, then they can send the server an HTTP redirect (e.g., a
302 response) which will cause the server to query an arbitrary URL.
...
```

I believe this errata resolves ambiguity in the current text. Popular ACME CAs and clients are relying upon "http-01" challenge redirects from HTTP to HTTPS today. As an author who is familiar with the origin of this text, my intent was for it to read as "must be initiated" rather than "must be completed" over HTTP. I am happy to hear others' thoughts. I do believe deviating from this interpretation is extremely harmful for the HTTPS ecosystem which I can elaborate on if desired.

Best,
James

On Tue, Feb 8, 2022 at 10:54 PM Benjamin Kaduk <kaduk@mit.edu> wrote:
Is there particular guidance from Section 10 that you had in mind to
justify the following of the redirect?

In light of the role of errata reports as indicating errors in the
specification at the time it was published, I think the processing options
here are either "hold for document update" or "rejected".

-Ben

On Tue, Feb 08, 2022 at 12:23:23PM -0800, RFC Errata System wrote:
> The following errata report has been submitted for RFC8555,
> "Automatic Certificate Management Environment (ACME)".
>
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid6843
>
> --------------------------------------
> Type: Technical
> Reported by: James Kasten <jdkasten@umich.edu>
>
> Section: 8.3
>
> Original Text
> -------------
> Because many web servers
> allocate a default HTTPS virtual host to a particular low-privilege
> tenant user in a subtle and non-intuitive manner, the challenge must
> be completed over HTTP, not HTTPS.
>
>
> Corrected Text
> --------------
> Because many web servers
> allocate a default HTTPS virtual host to a particular low-privilege
> tenant user in a subtle and non-intuitive manner, the challenge must
> be initiated over HTTP, not HTTPS.
>
> Notes
> -----
> Completing the entire http-01 challenge over HTTP is unnecessary. The threat of default HTTPS virtual hosts is remediated by "initiating" the http-01 challenge over HTTP. Validation servers which redirect from HTTP to HTTPS should be permitted following the rest of the guidance within Section 10, Security Considerations.
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> can log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC8555 (draft-ietf-acme-acme-18)
> --------------------------------------
> Title               : Automatic Certificate Management Environment (ACME)
> Publication Date    : March 2019
> Author(s)           : R. Barnes, J. Hoffman-Andrews, D. McCarney, J. Kasten
> Category            : PROPOSED STANDARD
> Source              : Automated Certificate Management Environment
> Area                : Security
> Stream              : IETF
> Verifying Party     : IESG
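The thread above turns on one distinction: the http-01 challenge is *initiated* over plain HTTP so that a default HTTPS virtual host is never the first thing the CA talks to, but the validation server then follows redirects, including to HTTPS, subject to the Section 10 guidance on redirects and SSRF. The following Python is an added illustration written for this archive page; it is not code from RFC 8555, from Let's Encrypt, or from any of the thread's participants. It assumes a validator shaped as `validate_http01(domain, token, key_authorization, fetch, resolve)`, where `fetch` and `resolve` are injectable so the example runs offline against constructed DNS data and canned responses. The well-known path `/.well-known/acme-challenge/` and the key-authorization body check come from RFC 8555 Section 8.3; the redirect policy itself (http/https only, default ports only, no non-global addresses, bounded hop count) is one reasonable reading of the Section 10 considerations and is the author's own choice, not text from the RFC.

```python
"""http-01 validation: initiate over HTTP, then follow redirects under a policy.

Added example for the errata discussion; not part of RFC 8555 or any ACME CA's code.
"""
import ipaddress
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 10                          # assumption: a hop bound chosen for this example
WELL_KNOWN = "/.well-known/acme-challenge/" # path defined in RFC 8555 Section 8.3
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def initial_challenge_url(domain: str, token: str) -> str:
    """The first request is always plain HTTP on the default port, so a
    default HTTPS virtual host owned by some other tenant is never consulted."""
    return f"http://{domain}{WELL_KNOWN}{token}"


def is_public_http_target(url: str, resolve) -> bool:
    """Redirect policy: only http/https, only default ports, and only hosts
    that resolve exclusively to globally routable addresses (the Section 10.4
    concern is a redirect that points the validator at an arbitrary URL)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.port not in (None, 80, 443):
        return False
    addresses = resolve(parts.hostname)
    if not addresses:                       # unresolvable hosts are refused, not retried
        return False
    return all(ipaddress.ip_address(ip).is_global for ip in addresses)


def validate_http01(domain, token, key_authorization, fetch, resolve):
    """Returns (ok, reason). fetch(url) -> (status, location_or_None, body)."""
    url = initial_challenge_url(domain, token)
    for hop in range(MAX_REDIRECTS + 1):
        if not is_public_http_target(url, resolve):
            return False, f"refusing to fetch {url}"
        status, location, body = fetch(url)
        if status in REDIRECT_STATUSES:
            if not location:
                return False, "redirect without Location"
            url = urljoin(url, location)    # relative Location headers are resolved
            continue
        if status != 200:
            return False, f"unexpected status {status}"
        if body.strip() != key_authorization:
            return False, "key authorization mismatch"
        return True, f"validated after {hop} redirect(s)"
    return False, "too many redirects"


# ---- constructed sample data (not real hosts, tokens or responses) ----
TOKEN = "token-constructed-for-example"
KEY_AUTHZ = TOKEN + ".thumbprint-constructed"
CHALLENGE_PATH = WELL_KNOWN + TOKEN

SAMPLE_DNS = {                              # constructed; 93.184.216.x stands in for public hosts
    "www.example.test": ["93.184.216.34"],
    "loop.example.test": ["93.184.216.35"],
    "acme-proxy.example.test": ["93.184.216.36"],
    "localhost": ["127.0.0.1"],
}

SAMPLE_RESPONSES = {                        # constructed: url -> (status, Location, body)
    # the common case the thread describes: HTTP initiates, a 302 sends us to HTTPS
    "http://www.example.test" + CHALLENGE_PATH: (302, "https://www.example.test" + CHALLENGE_PATH, ""),
    "https://www.example.test" + CHALLENGE_PATH: (200, None, KEY_AUTHZ + "\n"),
    # a redirect that tries to point the validator at a loopback address
    "http://acme-proxy.example.test" + CHALLENGE_PATH: (302, "http://localhost/admin", ""),
    # a redirect that loops back to itself
    "http://loop.example.test" + CHALLENGE_PATH: (302, "http://loop.example.test" + CHALLENGE_PATH, ""),
}


def sample_resolve(hostname):
    return SAMPLE_DNS.get(hostname, [])


def sample_fetch(url):
    return SAMPLE_RESPONSES.get(url, (404, None, ""))


def run_samples():
    """Drive the validator over the three constructed scenarios."""
    return {
        name: validate_http01(host, TOKEN, KEY_AUTHZ, sample_fetch, sample_resolve)
        for name, host in (
            ("https_redirect", "www.example.test"),
            ("internal_redirect", "acme-proxy.example.test"),
            ("redirect_loop", "loop.example.test"),
        )
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: {result}")
```

The first scenario is the behaviour the errata wants the text to describe: the request starts on HTTP and is completed on HTTPS after a redirect, and the key authorization still has to match. The other two show why "should follow redirects" is paired with Section 10: the same redirect-following code refuses a Location that resolves to a non-global address and gives up on an unbounded chain, so the validator never becomes the "query an arbitrary URL" primitive the RFC warns about.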