Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf-acme-email-smime-10: (with DISCUSS and COMMENT)
Alexey Melnikov <alexey.melnikov@isode.com> Thu, 12 November 2020 10:33 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BF403A1582; Thu, 12 Nov 2020 02:33:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xU4cox0BN4EF; Thu, 12 Nov 2020 02:33:54 -0800 (PST)
Received: from statler.isode.com (Statler.isode.com [62.232.206.189]) by ietfa.amsl.com (Postfix) with ESMTP id 9272A3A1580; Thu, 12 Nov 2020 02:33:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1605177233; d=isode.com; s=june2016; i=@isode.com; bh=qKtRPGMo5u2mgS8xnFhj4uqNZxTE/sHZMK2K0Jmzs/k=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=qWzEyQ+gIC4udI1nX1rSvqXbR2RN16WbhZrCHPDM61Aiwfs/YjkCo3hlqUjFskvytTztSA NoZk+JYrR8nWhws0z9/89VgcGX8gbShNF4o/DHbo1bA+pkROlhmWgP7MjW9TQu/k7lGFbN 67c/qeim0701od0sJyIIduyQl3s/TBw=;
Received: from [172.27.253.87] (connect.isode.net [172.20.0.72]) by statler.isode.com (submission channel) via TCP with ESMTPSA id <X60PkAB1e3O5@statler.isode.com>; Thu, 12 Nov 2020 10:33:53 +0000
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: rsalz@akamai.com, acme@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-acme-email-smime@ietf.org, acme-chairs@ietf.org
References: <160456339844.32027.10383263330343255957@ietfa.amsl.com> <4f0c0a3d-766a-3da7-f5b7-b2abd447298b@isode.com> <20201106222940.GK39170@kduck.mit.edu>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <d4eae80c-1b68-5672-7b39-48d97d5c6f2c@isode.com>
Date: Thu, 12 Nov 2020 10:33:37 +0000
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.4.2
In-Reply-To: <20201106222940.GK39170@kduck.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/YxrBC0O5HYLnlC_tGKp1_AXukX8>
Subject: Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf-acme-email-smime-10: (with DISCUSS and COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2020 10:33:56 -0000
Hi Ben, On 06/11/2020 22:29, Benjamin Kaduk wrote: > Hi Alexey, > > On Thu, Nov 05, 2020 at 11:07:02AM +0000, Alexey Melnikov wrote: >> Hi Ben, >> >> I am sending you a partial reply, as I am still editing the document >> based on some of your more detailed comments: > Sure, happy to handle things in batches. > >> On 05/11/2020 08:03, Benjamin Kaduk via Datatracker wrote: >> >>> ---------------------------------------------------------------------- >>> DISCUSS: >>> ---------------------------------------------------------------------- >>> >>> I have one point that I am not sure of the significance of and would >>> like to discuss further, and one point that I think has a fairly >>> clear/straightforward resolution. >>> >>> One of the key properties of ACME is that its authenticator provides >>> assurance that both a party controlling the identifier to be certified >>> and the ACME client jointly assent to the certification request of that >>> identifier. I'm trying to explore a bit more the "jointly assent" part, >>> and whether it is clear that all steps of the challenge/validation flow >>> are ultimatetly tied to the same order request. >>> In the validation flows for the challenge types from 8555, the full >>> token is returned to the ACME client, which then provides the token to >>> the entity that controls the identifier being certified, in order to set >>> up state to expect a verification attempt using that token. In this >>> email validation flow, though, the token-part1 is *only* present in the >>> challenge email, so there is no thread of continuity that allows the >>> email account holder to tie the validation attempt to the specific >>> request (i.e., token). Any message that comes in claiming to be an ACME >>> challenge would end up being treated as a validation attempt for the >>> pending request, so the ACME server (or a party pretending to be one) >>> does not have to provide any proof of knowledge of the pending >>> validation before the response email is generated. Some key properties >>> here seem to include: there is a portion (token-part2) to the response >>> email that can only be provided by the ACME client, there is a part >>> (token-part1) to the response email that can only be provided by an >>> entity that can receive email at the email address being validated, and >>> that the validation attempt, response email, and ACME order request can >>> be tied together by unique identifiers. It seems that we could achieve >>> all three of these by having the HTTPS response to the ACME client >>> include a token-part0 as well as the token-part2, with token-part0 being >>> used as the subject line of the challenge email and token-part1 being >>> conveyed in some fashion (whether body or headers) of the challenge >>> email. Does such a scheme provide any useful properties that are not >>> provided by the current scheme? >> We might need to have a conference call, as I don't fully understand >> your concerns here. But let me think about this a bit more. > [We have scheduled a call, out of band.] > > Maybe I can try to step through the http case and the email case. > I am sure I will miss some steps since the distinction between user, web > server/email operator, ACME client, and possibly other entities, can be > fuzzy at times. > > For HTTP, it's something like: > > 1) user wants a cert > 2) user makes ACME client create a new order > 3) ACME server creates the order+challenge, returning token to ACME client > 4) user gets token from ACME client and provisions the webserver to handle > a challenge with that token > 5) ACME server makes an HTTP validation query using the token value > 6) webserver responds to challenge using key authorization > 7) success > > Note that in (4) the webserver knows what token to expect, so the > challenge/response are tightly tied to the particular order (because the > token value is tied to the order). > > For email, it seems like we're proposing: > > 1) user wants a cert > 2) user directs email client to direct ACME client to create a new order > 3) ACME server creates the order+challenge, returns token-part2 to ACME > client > 4) user directs email client or other infrastructure to expect a challenge > (including token-part2) > 5) ACME server sends challenge email with token-part1 > 6) email client notes that an ACME challenge arrived, searches for > information about any pending expected challenges, and finds token-part2 > 7) user/email client produces challenge response including key > authorization (using token-part1 and token-part2) Thank you for this. I agree that this level of details is definitely missing from the current draft and I will expand on the above in the next version of the draft. > The part in (6) where the email client has to search for all/any pending > expected challenges seems much weaker than in the HTTP case, as *any* > incoming message formatted like an ACME challenge could elicit the response > message. As a side note: the above ("expecting challenges") is true for ACME-aware email client, but not for the case of unaware email client. > This would not directly leak token-part2 (IIUC -- there would be > a pretty straightforward copy/paste attack if we did!) since we hash the > key authorization before transport, but it still seems problematic (and > could, e.g., reveal that the client is expecting an incoming ACME > challenge). It seems "safer" in some intuitive sense if the email client > knows exactly what challenge to expect and that is tied to a specific > order. The challenge does need to include some information that is not > obtained in any other way, though, of course. Ok. I am open to suggestions about what should be included in the ACME email challenge. >>> The more straightforward point is that the procedure in section 3 >>> indicates that token-part2 is returned to the ACME client over HTTPS, >>> but the stated procedure does not otherwise involve an ACME client in >>> initiating the newOrder request. I think we need to clarify the >>> interaction/relationship between end-user/email client UI/etc and the >>> ACME client in step 1. In particular, I think that "[t]his document >>> doesn't prescribe how exactly S/MIME certificate issuance is initiated" >>> seems incompatible with requiring there to be an ACME client involved >>> (and the presumed newOrder ACME request, etc.) unless the "initiate" >>> operation is supposed to be the way by which the ACME client is >>> triggered to start the request. >> Yes. When I wrote this text I was thinking either user pushing a button >> on a CA's website saying "initiate S/MIME certificate issuance for me", >> running a command line tool a la Let's Encrypt or pushing a button in an >> ACME-aware MUA. Can you suggest how to clarify this? > I am not sure how the "button on CA's website" would work -- you need a > full ACME client with registered key/etc. in order for the ACME order flow > to work. I am pretty sure that the architecture assumes that the ACME > client is associated with the entity receiving the cert (often, but not > always, colocated), not with the CA. For the button on the website case I was thinking about integrated web mail and hosted email. Think of Gmail or Fastmail case. The ACME client will be a part of the web mail client and will be preconfigured to talk to a specific ACME server. > My current best thought is that we say up front that there is an ACME > client involved in the issuance process, which could be integrated into a > MUA, a local command-line command, etc. Yes. I spent some time drawing diagrams for cases when ACME client is a part of MUA, as well as when ACME client is a stand alone command line tool or a web server. Luckily the workflow is pretty much the same in all these cases. > Then the subsequent steps that > involve that ACME client have more context. > >>> ---------------------------------------------------------------------- >>> COMMENT: >>> ---------------------------------------------------------------------- >>> >>> The discuss point notwithstanding, if we assume that the current >>> validation process does provide the necessary linkage across steps, it >>> seems that the procedure would provide only similar properties to the >>> RFC 8555 validation flows -- I am having a hard time convincing myself >>> that we definitely have the 128-bit security level for all the >>> information paths at play. It seems like having both token-part1 and >>> token-part2 each be 128+ bits would be fairly low-cost and would give >>> greater peace of mind that we are not opening up any 64-bit attacks. >> Making them both 128 bits is fine with me. >>> Using "ACME:" as the Subject: marker for both challenge mail and >>> response mail potentially sets us up for various reflection/janus-like >>> attacks. >> Can you elaborate on this? Responses would have some kind of prefix in >> front of "ACME" (e.g. "Re: ACME: ..."), so they will never be the same >> subjects as in challenges. > I guess I had not looked closely at this subtlety, but having done so, I am > not convinced that we can really rely on the "ACME:" in the challenge being > the start of the subject (nor do we imply that the client needs to be > enforcing this attribute!). Consider, for example, how many "[BULK]", > "[EXTERNAL]", etc. tags are added in various environments. Hmm, Ok. Can we describe generic structure of these exta tags in ABNF? (See why below.) > So in practice, > I expect "Subject: <arbitrary stuff> ACME: <token-part1>" to match as both > a challenge and as a response. I am not sure what cost there would be in a > client changing it to use (e.g.) "ACME-RESPONSE:" in the response, and not > having to worry about reflection or misbinding attacks seems like a > significant benefit, so the cost/benefit analysis seems pretty clear to me > so far :) Using ACME-RESPONSE would work for ACME-aware email clients, but doesn't work if one just wants to continue using their Thunderbird or Outlook. (Because telling users that they need to paste something in a reply AND they have to modify the subject of replies is just too error prone). I still want the case of ACME-unaware email client to be supported. Best Regards, Alexey
- [Acme] Benjamin Kaduk's Discuss on draft-ietf-acm… Benjamin Kaduk via Datatracker
- Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf… Alexey Melnikov
- Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf… Alexey Melnikov
- Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf… Alexey Melnikov
- Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf… Fraser Tweedale
- Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf… Alexey Melnikov