IETF Logo Mail Archive

Re: [Acme] Issuing certificates based on Simple HTTP challenges

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 15 December 2015 14:32 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 750141A8A03 for <acme@ietfa.amsl.com>; Tue, 15 Dec 2015 06:32:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l7uR9d5Sp-mz for <acme@ietfa.amsl.com>; Tue, 15 Dec 2015 06:32:29 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C59241A8A04 for <acme@ietf.org>; Tue, 15 Dec 2015 06:32:28 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 9C03FBE51; Tue, 15 Dec 2015 14:32:26 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yGTgL43KWL6P; Tue, 15 Dec 2015 14:32:20 +0000 (GMT)
Received: from [172.28.172.2] (unknown [95.83.253.109]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 144ECBE32; Tue, 15 Dec 2015 14:32:19 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1450189940; bh=46JzEO8SS5Z2OVdSF57g1T+64NNWAyu5GzTgNLXuiV0=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=FL3/mnXvzyMWM7O7DuTlFi1AZ/qkUHqY44jf43OelH5wPh6N6lL0mWZnDWFNOD2Wi Hzvlh5dYKFtw228Z/XrDNNHLaPQ1vH2WQnMlFEyb77Gz8pZqlVrmkbj7pglZRbld4h L5umV/j0+bi3hTCQDlf15vrLSQp650/0z4+J/n+0=
To: Julian Dropmann <julian@dropmann.org>
References: <CAF+SmEpOLoaREymVhi=qOUg2opz1vKzzNp6tGrDTZAjYSKFDkg@mail.gmail.com> <566F15DC.7090607@wyraz.de> <6B677A87-C6A0-485E-80DF-24960D585F46@coderanger.net> <566F2CB5.90402@wyraz.de> <89774336-0BA6-48FC-821D-1E8F3ED9AC14@coderanger.net> <566F4701.7050308@wyraz.de> <F3DA31B1-B27C-4C63-8ED4-6D27D46FF282@coderanger.net> <C2C239F2-E8A7-499B-BE52-3A48EA92B86D@dropmann.org> <BF7F8411-3E83-4A1F-B3A1-4C37DC8B4618@coderanger.net> <3CDE1749-3143-49EE-BD66-0AE4A8CC4175@dropmann.org> <566FDAB7.2030403@cs.tcd.ie> <56700F68.3040103@wyraz.de> <56701904.2070009@cs.tcd.ie> <CAF+SmEr2LptJ81VrtmaAaKcFrwoC2mD2Pn0hQwi_2K8SpFLAtg@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <56702470.6040904@cs.tcd.ie>
Date: Tue, 15 Dec 2015 14:32:16 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <CAF+SmEr2LptJ81VrtmaAaKcFrwoC2mD2Pn0hQwi_2K8SpFLAtg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/_yPrJkMIKvAN9scM_qIt2jAc7Cs>
Cc: acme@ietf.org, Michael Wyraz <michael@wyraz.de>
Subject: Re: [Acme] Issuing certificates based on Simple HTTP challenges
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Dec 2015 14:32:33 -0000

Hiya,

On 15/12/15 14:11, Julian Dropmann wrote:
> I think the problem here is not that its too complex stuff,
> the real problem is that you are not currently able to automate it in the
> real world.

Not sure I agree but I'm pretty sure it's moot:-)

> 
> I understand the reasoning that you subordinate every other goal, even
> security to this in order to reinforce the usage of TLS in general.

To "subordinate security" with no qualification is not what we're
discussing. We're discussing whether acme's baseline must be better
than what the current WebPKI provides to browsers. My take is that
if a proposal to be more secure can damage automation or the chances
of deployment, then that proposal is one to push back against.

If we can get this automation out there and being used, then we can
and I think will improve it over time.

No matter how many good (or bad) ideas are described in CMP, those
cannot be improved upon as CMP is not deployed. (Except in some tiny
wee corners of the Internet, last I looked.)

> 
> But there is a difference, if some random CA offers a proprietary
> verification mechanism doing this, then when there is a public standard not
> covering those issues.

We have many public standards for PKI management that are either just
not implemented, or not deployed or, at best, partially deployed in
ways that don't get useful interop with end entities. That leads to
both more use of cleartext protocols and to silly outages and errors.
Those are the differences about which I care more here.

> 
> There should at least be an optional way for implementations which shows
> how it should be done in a more optimistic scenario, then the current one
> where, as you mentioned earlier "CAs only have p#10 in common". The same
> thing applies to domain registrars I guess.

As I said before, I think options are fine but need to not distract
from getting the initial work done and deployed. For me, that initial
work is basically: have "apt-get install apache2" install a cert that
works in most browsers so web sites default to HTTPS from day zero.
(Yes, I know the wg's goals are not precisely that, but it's v. close.)

Arguments that acme must do X because X is better need to be
carefully evaluated in that light.

Cheers,
S.

PS: In case it's not clear, all the above is without any IETF hat, just
as a consumer of the acme protocol and as someone who's wasted too
much of my working life on failing to solve this particular problem;-(

> 
> 
> On Tue, Dec 15, 2015 at 2:43 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie>
> wrote:
> 
>>
>> Hiya,
>>
>> On 15/12/15 13:02, Michael Wyraz wrote:
>>> Stephen,
>>>
>>> I agree that getting things started I very important for lets encrypt.
>>> But in my understanding, this is the mailing list for discussing the
>>> ACME protocol, not the 1st implementation of it.
>>
>> Yes, I understand that and didn't actually refer to LE at all in
>> my mail.
>>
>>> So shouldn't we
>>> think/discuss what comes after "now"?
>>
>> Basically, IMO only after we first get a "now" that works. I've seen
>> over-complex PKI management efforts fail for 20 years. Another such
>> failure isn't interesting.
>>
>>> IMO using SRV as an option for specifying which host/port (if any) is
>>> responsible for ACME is a step in the right direction. It can be
>>> optional which gives security-aware admins the possibility to make
>>> their system more safe without loosing comfort for those who don't care
>>> a lot about security.
>>
>> I like ideas that are additional to the easiest HTTP stuff. But that
>> easiest stuff is the core work here. But sure, additional things that
>> are optional are fine.
>>
>> Personally the optional thing in which I'm much more interested is
>> a simple put-challenge-in-DNS one where the CA pays attention to
>> DNSSEC, since that's the use-case I have and that would provide
>> some better assurance to the certs acquired via acme. I can see
>> that there might also be value for some (other) folks in SRV if
>> it means no need to dynamically change DNS.
>>
>> But, if someone is saying "we must all do these more complex things
>> for security reasons" then they are, in this context, wrong. And
>> my mail was reacting to just such a statement.
>>
>>>
>>> Have a look at all the discussions about "allow other ports than
>>> 80/443". People argue what could be safe ports for ACME and what not.
>>> Why do an assumption instead of let people declare the port with a
>>> fallback to 80/443.
>>
>> Ease of deployment wins IMO. I think an SRV based solution will be
>> a niche and ought not be used by the default/basic mechanism.
>>
>> S.
>>
>>
>>>
>>> Regards,
>>> Michael.
>>>
>>>
>>>>
>>>> On 15/12/15 03:03, Julian Dropmann wrote:
>>>>> I agree that the problem would still remain on a global scope, but
>>>>> the argument, that there are other "dirty" CA's so we have to be
>>>>> "dirty" too, is very questionable... at least...
>>>>>
>>>>> Is this a race to the bottom: The CA with lowest security standards
>>>>> wins?
>>>>>
>>>>> Why should one trust any of those?
>>>> I think you are not taking into account what I think is the
>>>> point of acme. The overwhelming goals here are automation and
>>>> real (*) deployment of a standards based way to manage PKI
>>>> for the most popular applications using PKI.
>>>>
>>>> Once we get the above done, then the security/assurance bar
>>>> can be raised over time in a useful manner. Today, it cannot,
>>>> as the CAs only have p#10 in common really and the rest of
>>>> what they do is effectively proprietary.
>>>>
>>>> So it is entirely valid here to argue that "same security as
>>>> current WebPKI" is a good starting point.
>>>>
>>>> Cheers,
>>>> S.
>>>>
>>>> (*) I say that as a co-author of RFC2510 and successors which
>>>> was afaik the original but by no meanss the only failed attempt
>>>> to do this. My experience with all of that tells ms that it is
>>>> more important to prioritise initial deployment over almost all
>>>> else.
>>>>
>>>>
>>>>>> On 15 Dec 2015, at 03:32, Noah Kantrowitz <noah@coderanger.net>
>>>>>> wrote:
>>>>>>
>>>>>> And the counter to that is the huge number of existing CAs that
>>>>>> allow URL-based verification. We would pay the costs of increased
>>>>>> complexity for setup (for example, the existing LE client would be
>>>>>> totally impossible) but don't actually reap any benefits until the
>>>>>> last of those CA shuts down. Hence, pragmatism with a bias towards
>>>>>> improving accessibility. If the person running your website is
>>>>>> actively hostile, they can probably get into some pretty serious
>>>>>> mischief anyway :-/ (all of my arguments are absolutely dismissible
>>>>>> as "slippery slope" fallacies for those playing along at home)
>>>>>>
>>>>>> --Noah
>>>>>>
>>>>>>> On Dec 14, 2015, at 6:20 PM, Julian Dropmann
>>>>>>> <julian@dropmann.org> wrote:
>>>>>>>
>>>>>>> The important difference is, that only zones which intent to use
>>>>>>> ACRE would create such an SRV record in the first place. With the
>>>>>>> current design any A record host in the world can obtain certs.
>>>>>>> By using an ACRE specific SRV record the domain owner at has at
>>>>>>> least shown the intent to use ACRE for his zone. And also he
>>>>>>> could limit it to a specific port number/service on that host. I
>>>>>>> think this would be a very huge security improvement, and of the
>>>>>>> verification quality in general, but only if this would not be an
>>>>>>> optional thing.
>>>>>>>
>>>>>>>> On 15 Dec 2015, at 00:02, Noah Kantrowitz <noah@coderanger.net>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> It wouldn't matter anyway because even with a SRV delegation
>>>>>>>> for the challenge, the final cert is still issued against only
>>>>>>>> a hostname, not a specific service. Combined with the fact that
>>>>>>>> there are existing CAs that do a rough equivalent of http-01
>>>>>>>> and we can't expect that to go away any time soon, it isn't
>>>>>>>> hard to see why pragmatism won out in the initial design.
>>>>>>>> Fixing this for reals requires TLS-level protocol improvements
>>>>>>>> for per-service certificates. Not against that, just saying
>>>>>>>> you've got a long road ahead of you.
>>>>>>>>
>>>>>>>> --Noah
>>>>>>>>
>>>>>>>>> On Dec 14, 2015, at 2:47 PM, Michael Wyraz <michael@wyraz.de>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> I thought about all the DNS stuff and came to the conclusion
>>>>>>>>> that focussing ssl certs for https only and ignoring all the
>>>>>>>>> rest may cause further security issues. E.g. if I delegate
>>>>>>>>> http (via A-record or CNAME) to someone else, he can now
>>>>>>>>> create valid ssl certs for my mail server which I did not
>>>>>>>>> delegate. IMO A-record should be dedicated to http(s) (for
>>>>>>>>> legacy reasons, see
>>>>>>>>>
>> http://stackoverflow.com/questions/9063378/why-do-browsers-not-use-srv-records
>> )
>>>>>>>>> and all other services (inclusing ACME) should use their own
>>>>>>>>> srv records.
>>>>>>>>>
>>>>>>>>> Looks like a decision between comfort and security - let's
>>>>>>>>> bet what will win...
>>>>>>>>>
>>>>>>>>>> Fair, adding a DNS-level opt-out would be a reasonable
>>>>>>>>>> addition for future iterations, but not a hugely pressing
>>>>>>>>>> issue given the expected use cases.
>>>>>>>>>>
>>>>>>>>>> --Noah
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> On Dec 14, 2015, at 12:55 PM, Michael Wyraz
>>>>>>>>>>> <michael@wyraz.de> wrote:
>>>>>>>>>>>
>>>>>>>>>>> So just leave out the part with "then switch completely
>>>>>>>>>>> from A to SRV" and allow both. This gives people the
>>>>>>>>>>> comfort to use A/CNAME stuff while others who prefer
>>>>>>>>>>> security use SRV. Both are happy, problem solved ;-)
>>>>>>>>>>>
>>>>>>>>>>>> Using normal A/CNAME records matches the default use
>>>>>>>>>>>> case of HTTPS a lot more smoothly and allows a lot of
>>>>>>>>>>>> cool transparent upgrade stuffs from folks like
>>>>>>>>>>>> DreamHost or Fastly that already do the CNAME setup as
>>>>>>>>>>>> part of user on-boarding and can run http-01 on the
>>>>>>>>>>>> behalf of the user to set them up on an SNI
>>>>>>>>>>>> termination. If all the major CDNs did this, it would
>>>>>>>>>>>> be worth the negative issues where HTTP is delegated to
>>>>>>>>>>>> an untrusted service. If TLS ever grows per-service
>>>>>>>>>>>> restrictions that would be appropriate here, but that
>>>>>>>>>>>> is waaaay out of scope for ACME I would think :-/
>>>>>>>>>>>>
>>>>>>>>>>>> --Noah
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>> On Dec 14, 2015, at 11:17 AM, Michael Wyraz
>>>>>>>>>>>>> <michael@wyraz.de>
>>>>>>>>>>>>>
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Julian,
>>>>>>>>>>>>>
>>>>>>>>>>>>> the issue your described here is caused by the
>>>>>>>>>>>>> assumption that any the A-record points to a host
>>>>>>>>>>>>> that should be allowed to create certs for that
>>>>>>>>>>>>> domain. IMO a solution would be simple: use some
>>>>>>>>>>>>> special SRV record that points to a service that does
>>>>>>>>>>>>> the challenge. Allow users to set this record to
>>>>>>>>>>>>> something like "none" to completely disallow
>>>>>>>>>>>>> ACME-based cert generation. Use A-record as fallback
>>>>>>>>>>>>> for a given time (e.g. one year), then switch
>>>>>>>>>>>>> completely from A to SRV,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Problem solved ;-)
>>>>>>>>>>>>>
>>>>>>>>>>>>> And it's almost as comfortable as using the A-record
>>>>>>>>>>>>> because it needs just one single additional step, no
>>>>>>>>>>>>> change of the client, absolutely minimal change to
>>>>>>>>>>>>> the server, no extra software or support for dynamic
>>>>>>>>>>>>> DNS updates or such.
>>>>>>>>>>>>>
>>>>>>>>>>>>> As a side effect it solves many problems with ACME in
>>>>>>>>>>>>> complex environments like geo-distributed dns.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Kind regards, Michael.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> maybe I am just a naive concerned user, but in my
>>>>>>>>>>>>>> opinion there is one major issue with the Simple
>>>>>>>>>>>>>> HTTP challenge and possibly other challenges,
>>>>>>>>>>>>>> specified by ACME:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Any host which is specified by an A/AAAA record of
>>>>>>>>>>>>>> that domain zone can obtain trusted certificates in
>>>>>>>>>>>>>> the name of the domain zone owner. Lets assume I
>>>>>>>>>>>>>> host an private XMPP server using TLS on my own
>>>>>>>>>>>>>> domain using an SRV record, and I point an A record
>>>>>>>>>>>>>> to a third party hoster which hosts my public web
>>>>>>>>>>>>>> blog. Now this third party hoster would be able to
>>>>>>>>>>>>>> obtain signed certificates for my domain using ACME
>>>>>>>>>>>>>> and use that to host an XMPP service on that domain
>>>>>>>>>>>>>> using the standard port. Clients which trust that
>>>>>>>>>>>>>> CA are now perfectly happy connecting to that
>>>>>>>>>>>>>> entity.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> By creating an A record I ofcourse need to trust
>>>>>>>>>>>>>> that host to some degree, but I still would expect
>>>>>>>>>>>>>> the CA to verify if the requester has control over
>>>>>>>>>>>>>> the DNS zone itself an not just over a single
>>>>>>>>>>>>>> service running there.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> And consequently if it is valid to verify over
>>>>>>>>>>>>>> HTTP, then maybe another CA validates the domain
>>>>>>>>>>>>>> ownership by a mail service/MX record, and a third
>>>>>>>>>>>>>> one over XMPP/SRV.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> This effectively means, as a domain zone admin, I
>>>>>>>>>>>>>> have to trust every single service I define, not
>>>>>>>>>>>>>> just to properly deliver this service, but also not
>>>>>>>>>>>>>> to exploit his ability to obtain signed
>>>>>>>>>>>>>> certificates in my name.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Also you rely on the fact that on UNIX only root
>>>>>>>>>>>>>> can bind on port 80 and 443. Lets assume there is
>>>>>>>>>>>>>> an OS out there which does not enforce this
>>>>>>>>>>>>>> restriciton, now any user on that host is able to
>>>>>>>>>>>>>> obtain signed certificates for that domain.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Maybe I missed something here, but overall this
>>>>>>>>>>>>>> seems to be a very bad idea to automatically issue
>>>>>>>>>>>>>> certificates without requiring a change in the
>>>>>>>>>>>>>> actual DNS zone the certificate is issued for.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Kind regards, Julian Dropmann
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>> Acme mailing list
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Acme@ietf.org
>>>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/acme
>>>>>>>>>>>>> _______________________________________________ Acme
>>>>>>>>>>>>> mailing list
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Acme@ietf.org
>>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/acme
>>>>>>>>>>>> _______________________________________________ Acme
>>>>>>>>>>>> mailing list
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Acme@ietf.org
>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/acme
>>>>>>>>>>> _______________________________________________ Acme
>>>>>>>>>>> mailing list
>>>>>>>>>>>
>>>>>>>>>>> Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
>>>>>>>>>>
>>>>>>>>>> _______________________________________________ Acme
>>>>>>>>>> mailing list
>>>>>>>>>>
>>>>>>>>>> Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
>>>>>>>>> _______________________________________________ Acme mailing
>>>>>>>>> list Acme@ietf.org
>>>>>>>>> https://www.ietf.org/mailman/listinfo/acme
>>>>>>>> _______________________________________________ Acme mailing
>>>>>>>> list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
>>>>>>> _______________________________________________ Acme mailing
>>>>>>> list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
>>>>>> _______________________________________________ Acme mailing list
>>>>>> Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
>>>>> _______________________________________________ Acme mailing list
>>>>> Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
>>>>>
>>>> _______________________________________________
>>>> Acme mailing list
>>>> Acme@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/acme
>>>
>>>
>>> _______________________________________________
>>> Acme mailing list
>>> Acme@ietf.org
>>> https://www.ietf.org/mailman/listinfo/acme
>>>
>>
>> _______________________________________________
>> Acme mailing list
>> Acme@ietf.org
>> https://www.ietf.org/mailman/listinfo/acme
>>
> 
> 
> 
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>

v2.23.0 | Report a Bug | By Email