Re: [Acme] dns-01 challenge limitations

Felipe Gasper <felipe@felipegasper.com> Fri, 11 September 2020 13:17 UTC

From: Felipe Gasper <felipe@felipegasper.com>
In-Reply-To: <uu-OR5wP1b7svN1Rxems1U8_axHG7M8M9_kYqTBVyhQFxqrddppvhasyxKtLQ-4AZkrbBWhJ_9V-Xs8mQBK5E4smP4_1vANgZazIwicsbq0=@emersion.fr>
Date: Fri, 11 Sep 2020 09:17:08 -0400
Cc: "acme@ietf.org" <acme@ietf.org>, "Matthew.Holt@gmail.com" <Matthew.Holt@gmail.com>
Message-Id: <394568F0-00BD-4789-8CF4-C1A00A078B6E@felipegasper.com>
References: <uu-OR5wP1b7svN1Rxems1U8_axHG7M8M9_kYqTBVyhQFxqrddppvhasyxKtLQ-4AZkrbBWhJ_9V-Xs8mQBK5E4smP4_1vANgZazIwicsbq0=@emersion.fr>
To: Simon Ser <contact@emersion.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/ZOSRZjFltvBfIcwRCSET-c4IJKU>

> On Sep 11, 2020, at 9:08 AM, Simon Ser <contact@emersion.fr> wrote:
> 
> For instance, it would be possible to require users to add a short public key
> in a DNS TXT record, then ask the ACME client to sign challenges with that key.
> Something like this would significantly ease the development of ACME clients.

This would seem to introduce a new vector--key compromise--for being able to impersonate the domain, wouldn’t it?

Such an authz method would be proving not access to the domain itself, but access to the key, and would be vulnerable to local misconfigurations. It seems thus not dissimilar to the erstwhile problem with tls-sni-01/02.

-F
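To make concrete what dns-01 actually proves, here is an added example that is not part of the thread above and not code from any ACME client or CA: the RFC 8555 section 8.4 computation of the `_acme-challenge` TXT value from the challenge token and the RFC 7638 thumbprint of the account key, plus a stand-in for the CA's DNS lookup. The account JWK, the tokens and the `zone` dict are constructed samples; `validate_dns01` and `demo` are names chosen here. The point it shows is that every challenge carries a fresh token, so the zone has to be written anew for each validation. That per-challenge write is the evidence of DNS control; a static "public key in a TXT record" scheme of the kind quoted above would need no such write after the initial one.

```python
"""dns-01 challenge value per RFC 8555 (section 8.4) with the RFC 7638 JWK thumbprint.

Added example; not code from the thread above or from any ACME client or CA.
The account JWK, the tokens and the `zone` dict are constructed samples.
"""
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_token() -> str:
    """A challenge token; RFC 8555 asks for at least 128 bits of entropy."""
    return b64url(secrets.token_bytes(16))


# RFC 7638 section 3.2: only the required public members of each key type are
# hashed, serialised with members in lexicographic order and no whitespace.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def canonical_jwk(jwk: dict) -> str:
    """Canonical serialisation for the thumbprint ("use", "kid" etc. are dropped)."""
    subset = {name: jwk[name] for name in _THUMBPRINT_MEMBERS[jwk["kty"]]}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK))."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(JWK_Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT record holds base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def validate_dns01(zone: dict, domain: str, token: str, account_jwk: dict) -> bool:
    """The CA side: some TXT string at _acme-challenge.<domain> must equal the value
    derived from THIS challenge's token. `zone` (name -> list of TXT strings) is a
    constructed stand-in for an authoritative DNS lookup."""
    expected = dns01_txt_value(token, account_jwk).encode("ascii")
    records = zone.get(f"_acme-challenge.{domain}", [])
    return any(hmac.compare_digest(r.encode("utf-8"), expected) for r in records)


# Constructed sample account key: the coordinates are placeholders and are never
# validated here; "use" and "kid" are present to show they do not enter the hash.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "use": "sig",
    "kid": "sample-key",
}


def demo(domain: str = "example.com"):
    """A TXT value left over from an earlier challenge does not satisfy a new one:
    each validation needs a fresh write keyed to the new token."""
    zone = {}
    name = f"_acme-challenge.{domain}"
    zone[name] = [dns01_txt_value(new_token(), SAMPLE_ACCOUNT_JWK)]  # stale record

    token = new_token()
    stale_ok = validate_dns01(zone, domain, token, SAMPLE_ACCOUNT_JWK)  # False

    zone[name].append(dns01_txt_value(token, SAMPLE_ACCOUNT_JWK))     # fresh write
    fresh_ok = validate_dns01(zone, domain, token, SAMPLE_ACCOUNT_JWK)  # True
    return stale_ok, fresh_ok


if __name__ == "__main__":
    print("account thumbprint:", jwk_thumbprint(SAMPLE_ACCOUNT_JWK))
    print("stale record accepted, fresh record accepted:", demo())
```

Note that `validate_dns01` compares against every TXT string at the name rather than requiring exactly one: RFC 8555 allows several records at `_acme-challenge` (for example when a wildcard and a base-name order for the same zone are pending at once), so a client that replaces instead of appends can fail its own other pending challenge.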