Re: [Acme] draft-misell-acme-onion

Q Misell <q@as207960.net> Sun, 16 April 2023 15:59 UTC

From: Q Misell <q@as207960.net>
Date: Sun, 16 Apr 2023 16:58:48 +0100
Message-ID: <CAMEWqGuTDGyEQ+ZsiMqo5q9XiYHLr4Uxrp0gUOi3vRFFPV6dKg@mail.gmail.com>
To: Seo Suchan <tjtncks@gmail.com>
Cc: acme@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/bjcsIZYSntZ0UP6uQvgRHYuiJgg>

Hi,

Thanks for the comments. I'll fix the typos.

With regard to running a Tor client or not, I don't think it is too much of
an ask from CAs to run a Tor client (it needn't even be that feature
complete to simply fetch an HS descriptor), for the added benefit of CAA
enforcement.

Regarding your comment about CSRs, I think you've misunderstood how the CSR
is used. RFC 2986 section 3 states that the CertificationRequestInfo
contains the public key to be included in the final certificate
(subjectPKInfo), whilst the entire CertificationRequest can be signed with a
different key entirely, and this is what the CA/BF rules permit, and indeed
what they were designed to achieve and how HARICA implements this.

Thanks,
Q
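
The RFC 2986 point above, as an added Go example that is not code from the draft, from HARICA, or from anyone in this thread: the CSR's subjectPKInfo carries the TLS key the CA will certify, while the outer CertificationRequest is signed by the onion service's Ed25519 key, and the CA verifies that outer signature against the service key rather than against subjectPKInfo. BuildOnionCSR and VerifyOnionCSR are hypothetical helper names; the example uses only the Go standard library, takes the expected Ed25519 public key as a parameter instead of deriving it from the .onion name, and feeds in a constructed placeholder name. Its rejection of an Ed25519 subject key follows Seo's remark below that CA/B rules do not allow Ed25519 keys in TLS certificates.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
)

var oidEd25519 = asn1.ObjectIdentifier{1, 3, 101, 112} // id-Ed25519 (RFC 8410)

// CertificationRequestInfo, RFC 2986 section 4. subjectPKInfo carries the key
// to be certified; nothing ties it to the key that signs the outer request.
type certificationRequestInfo struct {
	Version       int // v1 is 0, which is also Go's zero value
	Subject       asn1.RawValue
	SubjectPKInfo asn1.RawValue
	Attributes    []asn1.RawValue `asn1:"tag:0"`
}

type certificationRequest struct {
	Info      asn1.RawValue // kept as raw DER so the signed bytes are exact
	SigAlg    pkix.AlgorithmIdentifier
	Signature asn1.BitString
}

// BuildOnionCSR (hypothetical helper): subjectPKInfo is tlsPub, the key the CA
// will certify; the outer signature is made by the service's Ed25519 key.
func BuildOnionCSR(onionName string, tlsPub crypto.PublicKey, onionPriv ed25519.PrivateKey) ([]byte, error) {
	subject, err := asn1.Marshal(pkix.Name{CommonName: onionName}.ToRDNSequence())
	if err != nil {
		return nil, err
	}
	spki, err := x509.MarshalPKIXPublicKey(tlsPub)
	if err != nil {
		return nil, err
	}
	info, err := asn1.Marshal(certificationRequestInfo{
		Subject:       asn1.RawValue{FullBytes: subject},
		SubjectPKInfo: asn1.RawValue{FullBytes: spki},
	})
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(onionPriv, info) // the onion key signs; the TLS key is never used here
	return asn1.Marshal(certificationRequest{
		Info:      asn1.RawValue{FullBytes: info},
		SigAlg:    pkix.AlgorithmIdentifier{Algorithm: oidEd25519},
		Signature: asn1.BitString{Bytes: sig, BitLength: len(sig) * 8},
	})
}

// VerifyOnionCSR (hypothetical helper) is the CA-side check. onionPub is the service's
// Ed25519 key (not derived from the name here); the returned key must be RSA or ECDSA.
func VerifyOnionCSR(csrDER []byte, onionPub ed25519.PublicKey) (crypto.PublicKey, error) {
	var csr certificationRequest
	if rest, err := asn1.Unmarshal(csrDER, &csr); err != nil || len(rest) != 0 {
		return nil, errors.New("malformed CertificationRequest")
	}
	if !csr.SigAlg.Algorithm.Equal(oidEd25519) {
		return nil, fmt.Errorf("unexpected signature algorithm %v", csr.SigAlg.Algorithm)
	}
	if !ed25519.Verify(onionPub, csr.Info.FullBytes, csr.Signature.Bytes) {
		return nil, errors.New("signature does not verify under the onion service key")
	}
	var info certificationRequestInfo
	if _, err := asn1.Unmarshal(csr.Info.FullBytes, &info); err != nil {
		return nil, err
	}
	pub, err := x509.ParsePKIXPublicKey(info.SubjectPKInfo.FullBytes)
	if err != nil {
		return nil, err
	}
	switch pub.(type) {
	case *rsa.PublicKey, *ecdsa.PublicKey:
		return pub, nil
	case ed25519.PublicKey:
		return nil, errors.New("subjectPKInfo is Ed25519, not accepted for TLS server certificates")
	default:
		return nil, fmt.Errorf("unsupported subject key type %T", pub)
	}
}

func main() {
	tlsKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	onionPub, onionPriv, _ := ed25519.GenerateKey(rand.Reader)
	csr, err := BuildOnionCSR("placeholder.onion", &tlsKey.PublicKey, onionPriv) // constructed name
	if err == nil {
		_, err = VerifyOnionCSR(csr, onionPub)
	}
	fmt.Printf("CSR of %d bytes, verification error: %v\n", len(csr), err)
}
```

Two things worth noticing from the structure. Because the onion key rather than the TLS key makes the signature, this CSR no longer proves possession of the key in subjectPKInfo; whatever a CA uses to bind the two is separate from the ASN.1 shown here. And Go's own x509.CertificateRequest.CheckSignature verifies the signature against the key in subjectPKInfo, so it rejects a CSR like this one, which is why the verification is done by hand.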

On Sun, 16 Apr 2023 at 03:44, Seo Suchan <tjtncks@gmail.com> wrote:

> 5.2 has a few typos: CAA when it should mean CA (CAA can't read any
> descriptor, it's text).
>
> For running CAA in general, I think appendix B of the CA/B BR method b is made in
> a way that the CA doesn't have to run a Tor client at all. And it actually allows
> signing a cert for a not-yet-hosted onion domain, given they control the right
> private key to induce that domain name. In that case making the CA required to
> run a Tor client to read CAA conflicts with this goal.
>
> And challenge 3.2 doesn't work for a public CA: in the ACME context, the CSR's
> pubkey sent in finalization is what the CA will sign, but from the challenge's
> perspective the key there needs to be an Ed25519 key (because it's the onion v3
> private key), but CA/B does not allow signing an Ed25519 key in a TLS certificate, so
> you can't reuse the CSR for both purposes.
>
>
> On 2023-04-16 at 1:22 AM, Q Misell wrote:
>
> Hi all,
>
> Hope you've all recovered from IETF116, it was lovely seeing you all
> there. Thanks to those who already gave me feedback on my draft.
>
> As promised in my brief presentation at the WG meeting, here's my post
> introducing my draft draft-misell-acme-onion
> <https://datatracker.ietf.org/doc/draft-misell-acme-onion/> to ease
> issuance of certificates to Tor hidden services.
>
> DigiCert and HARICA already issue X.509 certificates to Tor hidden
> services but there is no automation whatsoever on this. From my
> discussions with the Tor community this is something that bothers them so
> I've taken to writing this draft to hopefully address that.
>
> The draft defines three ways of validation:
> - http-01 over Tor
> - tls-alpn-01 over Tor
> - A new method onion-csr-01, where the CSR is signed by the key of the
> onion service
>
> An explicit non goal is to define validation methods not already approved
> by the CA/BF, however if someone can make a compelling argument for an
> entirely novel method I wouldn't be entirely opposed to it.
>
> Looking forward to your feedback, and some indication that this would be
> worth adopting as a WG draft.
>
> Thanks,
> Q Misell
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>