[Acme] Can we say dns-account-01 challenge's account label isn't for security?

Seo Suchan <tjtncks@gmail.com> Sat, 16 March 2024 21:22 UTC

Message-ID: <fc3729f1-90dc-46ac-8cec-c662b6a0f634@gmail.com>
Date: Sun, 17 Mar 2024 06:21:57 +0900
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US, ko
To: "acme@ietf.org" <acme@ietf.org>
From: Seo Suchan <tjtncks@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/aTXUB7uslGGazYV0QYgX4ymHMBI>
Subject: [Acme] Can we say dns-account-01 challenge's account label isn't for security?
List-Id: Automated Certificate Management Environment <acme.ietf.org>

Reading it again, I'm no longer sure we can say the account label isn't 
for security purposes: the entire point of this challenge is that those 
account-specific hostnames are CNAMEed to some delegated DNS server for ACME 
purposes (like https://github.com/joohoi/acme-dns). And when clients are 
using a third-party DNS hosting service for that, the most trivial attack method 
from the delegated DNS server for such a DNS server would be trying to create 
an account that uses the same validation domain. While I think the 
current way is safe enough, as it needs creating more than 2^40 accounts 
to expect some collision, I don't think we can say it's non-security, 
and we should mention this label needs some collision resistance.
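The following is an added worked example, not code from the post above nor from any ACME implementation. It derives the account-specific label, builds the validation name that a domain owner would CNAME to a delegated ACME DNS host, and puts numbers on the collision concern raised in the post: the birthday figure (roughly 2^40 accounts before any two labels coincide) and the much larger targeted figure (2^80 divided by the number of existing labels on a shared host) for an attacker who needs to land on one specific customer's validation name. The label construction ("_" + base32 of the first 10 bytes of SHA-256 over the account URL + "._acme-challenge") is this example's reading of draft-ietf-acme-dns-account-challenge and is stated here as an assumption, as are the account URLs, domain and acme-dns hostname used below, which are all constructed.

```python
"""dns-account-01 validation label and the collision budget it leaves an
attacker who shares a delegated DNS host with the victim.

Added example, not code from the mailing-list post or from any ACME
implementation. Label construction is this example's reading of
draft-ietf-acme-dns-account-challenge (an assumption):
    "_" + base32(SHA-256(account URL)[0:10]) + "._acme-challenge"
The account URLs, domain names and acme-dns target below are constructed.
"""
import base64
import hashlib
import math

LABEL_HASH_BYTES = 10              # 80 bits of the SHA-256 digest survive into the label
LABEL_BITS = 8 * LABEL_HASH_BYTES  # 80


def account_label(account_url: str) -> str:
    """Account-specific DNS label: '_' + 16 base32 chars (10 bytes, so no '='
    padding), lowercased because DNS labels are case-insensitive."""
    digest = hashlib.sha256(account_url.encode("ascii")).digest()
    b32 = base64.b32encode(digest[:LABEL_HASH_BYTES]).decode("ascii")
    return "_" + b32.lower() + "._acme-challenge"


def validation_name(account_url: str, domain: str) -> str:
    """Owner name the CA queries for the TXT record; the domain owner CNAMEs
    exactly this name to their delegated ACME DNS server."""
    return f"{account_label(account_url)}.{domain}"


def accounts_for_any_collision(p: float = 0.5) -> float:
    """Birthday bound: accounts an attacker must register before SOME two of
    them share a label with probability p. For 80 bits this is ~1.18 * 2**40,
    the 'more than 2^40 accounts' figure from the post."""
    return math.sqrt(2 * 2 ** LABEL_BITS * math.log(1 / (1 - p)))


def expected_accounts_to_hit_target(n_targets: int = 1) -> float:
    """Expected registrations before a fresh account's label equals one of
    n_targets labels already present on the shared delegated host. This is
    second-preimage work (2**80 / n_targets), not the birthday figure."""
    return 2 ** LABEL_BITS / n_targets


def colliding_accounts(account_urls):
    """Pairs of distinct account URLs whose labels (hence validation names
    under any given domain) coincide. Used to audit a delegated host's
    registered accounts for shared validation names."""
    seen = {}
    collisions = []
    for url in account_urls:
        label = account_label(url)
        if label in seen and seen[label] != url:
            collisions.append((seen[label], url))
        seen.setdefault(label, url)
    return collisions


if __name__ == "__main__":
    # Constructed sample: two accounts at one CA, one domain delegating to acme-dns.
    victim = "https://ca.example/acme/acct/1001"
    attacker = "https://ca.example/acme/acct/424242"
    print(validation_name(victim, "example.org"),
          "CNAME", "<victim-record>.auth.acme-dns.example")
    print(validation_name(attacker, "example.org"))
    print("labels collide:", colliding_accounts([victim, attacker]))
    print("accounts for a 50%% chance of any collision: 2^%.2f"
          % math.log2(accounts_for_any_collision()))
    print("expected accounts to hit 1 of 1000 existing labels: 2^%.2f"
          % math.log2(expected_accounts_to_hit_target(1000)))
```

The two figures answer different threats. The birthday bound says how many accounts an attacker needs before two of their own labels coincide, which is what the post counts; to take over one particular customer's already-delegated validation name the attacker instead needs a label match against that customer's label, and the work only drops in proportion to how many customers the shared host serves.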