Re: [Acme] Onion address validation extension
"Salz, Rich" <rsalz@akamai.com> Tue, 21 July 2020 13:17 UTC
Return-Path: <rsalz@akamai.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C9F63A0815 for <acme@ietfa.amsl.com>; Tue, 21 Jul 2020 06:17:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jpNMMIYix4wf for <acme@ietfa.amsl.com>; Tue, 21 Jul 2020 06:17:23 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 77CCD3A0805 for <acme@ietf.org>; Tue, 21 Jul 2020 06:17:23 -0700 (PDT)
Received: from pps.filterd (m0050102.ppops.net [127.0.0.1]) by m0050102.ppops.net-00190b01. (8.16.0.42/8.16.0.42) with SMTP id 06LDHGMx022675; Tue, 21 Jul 2020 14:17:22 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=jan2016.eng; bh=Xsmh308PILo4HjgNShumOhH5QOvd3JWY4HfFsDM2gbA=; b=aPKxKbta4bUhK/mmulV2OjhyuzU/qq95vnNfeYt3x7aW9sErp3IN8whjwrdFY3By7xwB +BOF9PjW9u/j1RZis/JLxg0tcI2j0NmQmS9Sa2StC4G8UuGQYk4CH5OYixLcephNBW6l dXph/ITYzY5GhcjjvA3rssqZIs5UoEuL/qisNmixmiIdaK9dhj95jfvM/GxisUjZwtul orYsAoteNMpO941mCIEDn/D+TKJnblRDQ7cZRQcgklmr+5kQi2faEaMZOKI+0DzcyM83 xkZuCK1Ek2zfpq6a/Bg1hSAf5RSLCXt6gxQDgvfiaBJbzVrpTuDcAqA4ttv8EXX24E8c hw==
Received: from prod-mail-ppoint3 (a72-247-45-31.deploy.static.akamaitechnologies.com [72.247.45.31] (may be forged)) by m0050102.ppops.net-00190b01. with ESMTP id 32bs8rwuhq-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 21 Jul 2020 14:17:22 +0100
Received: from pps.filterd (prod-mail-ppoint3.akamai.com [127.0.0.1]) by prod-mail-ppoint3.akamai.com (8.16.0.42/8.16.0.42) with SMTP id 06LCofCV023820; Tue, 21 Jul 2020 09:17:21 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.31]) by prod-mail-ppoint3.akamai.com with ESMTP id 32djnxv051-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 21 Jul 2020 09:17:21 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb3.msg.corp.akamai.com (172.27.123.103) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 21 Jul 2020 09:17:20 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1497.006; Tue, 21 Jul 2020 09:17:20 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>, Ryan Sleevi <ryan-ietf@sleevi.com>
CC: Mailing List <acme@ietf.org>
Thread-Topic: [Acme] Onion address validation extension
Thread-Index: AQHWVU/R4lKn28UlT0KjLbXlffebjaj+TWoAgAE1LYCAAAi1gIASpRqA///nf4A=
Date: Tue, 21 Jul 2020 13:17:19 +0000
Message-ID: <24DCE2D6-D0A5-4B08-A147-58D292E2D580@akamai.com>
References: <CAF1ySfGWY3e=mdn0seJjy5M6jBmtZBMzkm1knvF-BF+hmxCBTA@mail.gmail.com> <002001d65552$1cd504d0$567f0e70$@sebbe.eu> <20200709123015.GA214719@LK-Perkele-VII> <CAErg=HFNBCMcQqbEecwcXKnyrN+SmPXEgmd3+1yRm_ka=zKDAw@mail.gmail.com> <20200721104501.GA464556@LK-Perkele-VII>
In-Reply-To: <20200721104501.GA464556@LK-Perkele-VII>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.38.20061401
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.36.127]
Content-Type: text/plain; charset="utf-8"
Content-ID: <45258A94A7E19E48BEB061FE78CAB943@akamai.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-07-21_08:2020-07-21, 2020-07-21 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxscore=0 phishscore=0 malwarescore=0 spamscore=0 suspectscore=0 bulkscore=0 adultscore=0 mlxlogscore=999 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2006250000 definitions=main-2007210092
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-07-21_08:2020-07-21, 2020-07-21 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 mlxscore=0 lowpriorityscore=0 spamscore=0 malwarescore=0 clxscore=1011 priorityscore=1501 adultscore=0 bulkscore=0 mlxlogscore=999 phishscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2006250000 definitions=main-2007210095
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Y4ThwKce_Ir9qYOZg6XAekfuqyc>
Subject: Re: [Acme] Onion address validation extension
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2020 13:17:25 -0000
We have time on the agenda, so I am going to add some open discussion time for this. On 7/21/20, 6:45 AM, "Ilari Liusvaara" <ilariliusvaara@welho.com> wrote: On Thu, Jul 09, 2020 at 09:01:25AM -0400, Ryan Sleevi wrote: > On Thu, Jul 9, 2020 at 8:30 AM Ilari Liusvaara <ilariliusvaara@welho.com> > wrote: > > > For designing a cleaner mechanism to propose to CABForum, I think > > reasonable starting point would be to model it like the ACME key- > > change endpoint. However, signing JOSE messages with Tor key is > > not cryptographically kosher (just like singing CSRs with it is > > not kosher). However, again there should be no problems in practice > > (Tor itself never signs with this key, only derives other keys from > > it). > > > I think the odds of a change in the Forum are low here. I’ll readily admit, > I am intentionally rather hostile to JOSE / COSE being introduced into the > CABF, because of the consistent and persistent security failures these > formats lead to. > > That said, given the rather significant improvements to the cryptographic > constructions of v3, I’m also quite keen for any establishment protocol in > the CSR that can suitably demonstrate a POP within the CSR. It needs to be > robust to cross-protocol reuse, but I suspect that is now substantially > easier given the v3 construction. I suspect that would also make it easier > for ACME, but perhaps I’m overlooking why even a simplified form is > challenging? It turns out that signing messages with Tor key does not have harmful cryptographic interactions with the way Tor uses that key (due to EdDSA also hashing the key when signing). The main issue with the present CSR method is complexity. The applicant nonce does nothing useful (as due to ordering of the main EdDSA hash, R already strenghens it). The description of format is too hard to understand (an example would go long way to resolving the latter issue). There are simpler constrctions that would do the POP. For example (TLS syntax): struct { opaque public_key[32]; opaque nonce<22..255>; } PopInner; Sign PopInner structure using TLS 1.3 signature format with context string "ACME, tor-rendv3-pop". Base64url-encode the 64-byte signature and send it in ready for challenge request. CA can verify this by reconstructing the PoPInner from the known key nonce and verifying the given signature with the key. However, this does not do approval of ACME key (neither does the present CSR method). I think the reason of approving old key with new key in performing the key rollover is to prevent replaying new keys. Replay here is prevented by the CA nonce. And I think I found an issue in draft-shoemaker-acme-onion: It requires only 64 bits of entropy for CA nonce, while BRs require 112, and base ACME spec requires 128. Fix would be to change the first "64 bits of entropy" in section 4 to "128 bits of entropy". This is presumably due to confusing the two nonces, as applicant nonce can indeed be 64-bit. -Ilari _______________________________________________ Acme mailing list Acme@ietf.org https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_acme&d=DwIGaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=kBAk8JLDrgKC0IPKbyr4bCQAQ8pEZPcETi7Q0vjkUzA&s=xCkQ_STqxFwHRKntBP8xAnybPBYEL0JHJbkstYIyFIE&e=
- [Acme] Onion address validation extension Roland Shoemaker
- Re: [Acme] Onion address validation extension Sebastian Nielsen
- Re: [Acme] Onion address validation extension Ilari Liusvaara
- Re: [Acme] Onion address validation extension Ilari Liusvaara
- Re: [Acme] Onion address validation extension Ryan Sleevi
- Re: [Acme] Onion address validation extension Sebastian Nielsen
- Re: [Acme] Onion address validation extension Roland Shoemaker
- Re: [Acme] Onion address validation extension Roland Shoemaker
- Re: [Acme] Onion address validation extension Ilari Liusvaara
- Re: [Acme] Onion address validation extension Salz, Rich
- Re: [Acme] Onion address validation extension Michael Richardson