IETF Logo Mail Archive

Re: [Acme] Warren Kumari's Discuss on draft-ietf-acme-ip-07: (with DISCUSS and COMMENT)

Alan Doherty <ietf@alandoherty.net> Tue, 01 October 2019 23:29 UTC

Return-Path: <ietf@alandoherty.net>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2260120132; Tue, 1 Oct 2019 16:29:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.658
X-Spam-Level:
X-Spam-Status: No, score=-0.658 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 67Ly5J6-lBBm; Tue, 1 Oct 2019 16:29:54 -0700 (PDT)
Received: from bigsvr.orionnetworks.ie (hosting.orionnetworks.ie [195.2.202.63]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD470120089; Tue, 1 Oct 2019 16:29:53 -0700 (PDT)
Received: from host249.freudenhaus.alandoherty.net ([193.120.128.249]:1520 helo=alans-p4.alandoherty.net) by bigsvr.orionnetworks.ie with esmtpsa(TLSv1:DHE-RSA-AES256-SHA:256) (auth-as tel1) (nexus 1.3.4.80.1) (envelope-from <ietf@alandoherty.net>) id 1iFRaT-0001tt-6w ; Tue, 01 Oct 2019 23:29:47 +0000
X-AD-RPFS-HEAD: for info on below codes https://www.alandoherty.net/mailsystem/mail-tagging/
X-AD-RPFS-GOOD-0: AV-SCAN-PASS SA-SCORE--1.1 SA-BAR-(-)
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Wed, 02 Oct 2019 00:29:00 +0100
To: Warren Kumari <warren@kumari.net>, The IESG <iesg@ietf.org>
From: Alan Doherty <ietf@alandoherty.net>
Cc: draft-ietf-acme-ip@ietf.org, tim.chown@jisc.ac.uk, acme@ietf.org, cpu@letsencrypt.org, joelja@bogus.com, acme-chairs@ietf.org
In-Reply-To: <156994353133.23716.18054738012405816713.idtracker@ietfa.am sl.com>
References: <156994353133.23716.18054738012405816713.idtracker@ietfa.amsl.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <E1iFRaT-0001tt-6w@bigsvr.orionnetworks.ie>
X-VIRUS: NONE {no virus found, This is no guarentee}
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/awMXjLq8e0jAojjUIyqEd89kx4c>
Subject: Re: [Acme] Warren Kumari's Discuss on draft-ietf-acme-ip-07: (with DISCUSS and COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Oct 2019 23:29:57 -0000

At 16:25 01/10/2019  Tuesday, Warren Kumari via Datatracker wrote:
trimmed

>This is either a huge issue, or a complete non-event -- I'm not sure which -
>please help me understand / convince me I'm missing something.

imho non event


>Contrived, but simple example scenario: My local coffeeshop runs their Point of
>Sale (POS) system on 192.0.2.10. They have a certificate for this (e.g from
>LE), and all of their credit card machines contact the POS system using
>https://192.0.2.10. I now visit the coffee shop, and using e.g ARP spoofing
>grab 192.0.2.10. I then use ACME to request and get a cert for 192.0.2.10. I
>now fire up a webserver, the credit card machines happily connect to me, I
>present a valid cert, and they send me those sweet, sweet credit card numbers.

same issue with all names/certs
if host 192.0.2.10   was using the cert https://very-secure-pos.webcafe.com
you equally by stealing the ip could get a cert for same name and get same ability to impersonate (though why public ips viable on a cafe wifi is a bit worysome)

the securing of ips from theft is not really relevant as once stolen all impersonation possible whether cert is name or ip based

(in the scenario above acme would be a poorer choice than long duration self signed cert and cert pinning on the limited client side)

acme and any trusted root cert is only sensible for those wanting to verify identity to wide public audience (where key verification by other means impossible/unfeasible) 

or just obviously not having any equipment on the same network as untrusted customers (most aps capable of multiple ssids/vlans etc) so wifi card readers shouldn't be talking via same network 

for myself the only utility in ip verification in acme is finally being able to add https://ip to the san certs already on my hosts so visitors don't click through accept prompts before getting the http redirect to the correct name ;)

v2.23.0 | Report a Bug | By Email