Re: [Acme] Warren Kumari's Discuss on draft-ietf-acme-caa-07: (with DISCUSS and COMMENT)
Hugo Landau <hlandau@devever.net> Thu, 30 May 2019 20:17 UTC
Return-Path: <hlandau@devever.net>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D579120114; Thu, 30 May 2019 13:17:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=devever.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id weVVNXEuvPqy; Thu, 30 May 2019 13:17:34 -0700 (PDT)
Received: from umbriel.devever.net (umbriel.devever.net [149.202.51.241]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5E6D12001A; Thu, 30 May 2019 13:17:32 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by umbriel.devever.net (Postfix) with ESMTP id AF2EA1C055; Thu, 30 May 2019 22:17:27 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=devever.net; h= user-agent:in-reply-to:content-disposition:content-type :content-type:mime-version:references:message-id:subject:subject :from:from:date:date:received:received; s=mimas; t=1559247447; x=1577436808; bh=J3uoMySVBTYxdLgoR5yai1ENqt7JVkFE3/VPvN/PbSc=; b= S0h7u+0GuZ9+F2IW3VSdtkUTzSPDAjH0KV2i1/GI+Ao8unlc1HyWt2IYilBXh1/M oqJHLuzpDjIRkcbxzmP1H4B6SPWnDdijHL27k3TkUwgOWsEHLznyxCyfxEPlp+nB O+J8jmngx2ssKgpvaXgOcf4znVm6rAT1WAZ3pqLGArdFzq7q2+9b3js/0pYLsWnE UZsDI8bvs7EEGk3S10K8Wf9N19T3CW10L7EdR52B0LOOcMU5XHiyaJNg7UzypUzi iyRE+KS7rBVWrJxNbTcDg2NnUuhUvL0MDfHl89VYpbaz4tOkAe0TIsi2NnRB96fj A3CtYmiw0pmzYZCzTc4tig==
Received: from umbriel.devever.net ([127.0.0.1]) by localhost (umbriel.devever.net [127.0.0.1]) (amavisd-new, port 10026) with LMTP id 4xOHQ1yBsu-t; Thu, 30 May 2019 22:17:27 +0200 (CEST)
Received: from axminster (localhost [127.0.0.1]) by umbriel.devever.net (Postfix) with SMTP id 5ED671C032; Thu, 30 May 2019 22:17:27 +0200 (CEST)
Date: Thu, 30 May 2019 21:17:27 +0100
From: Hugo Landau <hlandau@devever.net>
To: Warren Kumari <warren@kumari.net>
Cc: The IESG <iesg@ietf.org>, draft-ietf-acme-caa@ietf.org, Daniel McCarney <cpu@letsencrypt.org>, acme-chairs@ietf.org, acme@ietf.org
Message-ID: <20190530201727.GA18819@axminster>
References: <155915884273.5515.12483785841415224773.idtracker@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <155915884273.5515.12483785841415224773.idtracker@ietfa.amsl.com>
User-Agent: Mutt/1.11.3 (2019-02-01)
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Z4OeaLGgLmSB_jssALuCOkWpGJM>
Subject: Re: [Acme] Warren Kumari's Discuss on draft-ietf-acme-caa-07: (with DISCUSS and COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2019 20:17:40 -0000
> ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > Firstly, thank you for writing this -- I do however have some concerns around > Section "5.6. Use with and without DNSSEC" > > 1: "Where a domain chooses to secure its nameservers using DNSSEC, the > authenticity of its DNS data can be assured, providing that a given CA makes > all DNS resolutions via an appropriate, trusted DNSSEC-validating resolver." > A: DNSSEC does *not* secure nameservers, it secures the DNS data > itself (think object security vs channel security) -- I'd suggest > "When a domain is signed using DNSSEC, the authenticity..." Done. > B: I'm confused what"appropriate" means in "appropriate, trusted > DNSSEC validating resolver" -- if it is trusted I'd assume it is > appropriate? Please explain. Extraneous word removed. > C: The way that a resolver signals to a client that it has performed > validation (and that the answer validated) is to set a single bit (AD) > in the response - this is obviously something which should not be > relied upon for security sensitive stuff - I'd strongly suggest that > i) there be some text around getting the responses from the resolver > to the CA machine securely (e.g over DNS-over-TLS), or better yet ii) > that the CA machine itself do the DNSSEC validation - there are many > libraries / systems to make this easy, e.g Stubby, libunbound, etc. Done. Added: A CA supporting the "accounturi" or "validationmethods" parameters MUST perform CAA validation using a trusted, DNSSEC-validating resolver. "Trusted" in this context means that the CA both trusts the resolver itself and ensures that the communications path between the resolver and the system performing CAA validation are secure. It is RECOMMENDED that a CA ensure this by using a DNSSEC-validating resolver running on the same machine as the system performing CAA validation. > 2: "A domain can use this property to protect itself from the threat posed by a > global adversary capable of performing man-in-the-middle attacks, ..." > A: What is the purpose of "global" in "global adversary" -- I'm > assuming it is trying to communicate something important here, but how > is this different to a "local" adversary capable of performing > man-in-the-middle attacks? Added a paragraph introducing this concept. The first two paragraphs now read The "domain validation" model of validation commonly used for certificate issuance cannot ordinarily protect against adversaries who can conduct global man-in-the-middle attacks against a particular domain. A global man-in-the-middle attack is an attack which can intercept traffic to or from a given domain, regardless of the origin or destination of that traffic. Such an adversary can intercept all validation traffic initiated by a CA and thus appear to have control of the given domain. Where a domain is signed using DNSSEC, the authenticity of its DNS data can be assured, providing that a given CA makes all DNS resolutions via a trusted DNSSEC-validating resolver. A domain can use this property to protect itself from the threat posed by an adversary capable of performing a global man-in-the-middle attack against that domain. > 3: " Use of the "accounturi" or "validationmethods" parameters does not confer > additional security against an attacker capable of performing a > man-in-the-middle attack against all validation attempts made by a given CA > which is authorized by CAA where: > 1. A domain does not secure its nameservers using DNSSEC, or > 2. That CA does not perform CAA validation using a trusted > DNSSEC-validating resolver. > Moreover, use of the "accounturi" or "validationmethods" parameters does not > mitigate against man-in-the-middle attacks against CAs which do not validate > CAA records, or which do not do so using a trusted DNSSEC-validating resolver, > ..." > > Can this document simply say: "When using this method, CA's MUST use a > DNSSEC-validating resolver"? -- it will a: make the protocol more secure and b: > simplify a bunch of the document and c: isn't a large burden. During the > so-called "DNSpionage" incident, it seems that a specific CA was chosen because > it didn't do DNSSEC validation (or, perhaps would try validate, but would still > issue if DNSSEC validation failed) -- see: > https://mailman.nanog.org/pipermail/nanog/2019-March/099852.html Done, see above.
- [Acme] Warren Kumari's Discuss on draft-ietf-acme… Warren Kumari via Datatracker
- Re: [Acme] Warren Kumari's Discuss on draft-ietf-… Hugo Landau
- Re: [Acme] Warren Kumari's Discuss on draft-ietf-… Warren Kumari