Re: [Acme] WGLC for ACME DTN Node ID
Ryan Sleevi <ryan-ietf@sleevi.com> Thu, 01 April 2021 16:18 UTC
Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3C923A09A8 for <acme@ietfa.amsl.com>; Thu, 1 Apr 2021 09:18:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H8ZTq_meiW6C for <acme@ietfa.amsl.com>; Thu, 1 Apr 2021 09:18:30 -0700 (PDT)
Received: from mail-pf1-f172.google.com (mail-pf1-f172.google.com [209.85.210.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9DA453A098A for <acme@ietf.org>; Thu, 1 Apr 2021 09:18:30 -0700 (PDT)
Received: by mail-pf1-f172.google.com with SMTP id q5so1800286pfh.10 for <acme@ietf.org>; Thu, 01 Apr 2021 09:18:30 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pksLmLSJDpRyYc+/wEdmZgJ1x9Vlf/TMb9wD6gJSl8M=; b=bt0qJIQAWWHNL2WW/uAlKsuX9PMCcwvYb54/E+qLxi33nVTMhheKoUjGx1pkcM0nGF okTMOyB8jkrHULvr1bXWcXZcreNRfODMgmFIv86JSHnWCxe9wtpx4ZLlIwRDkJKR8Gou yAuWgeO6C4KV2iHxiq/WBbo6MafJTJkTrRQjRCOAfETgEKG1wSwB6PRCMrjLk6EElyT+ txmitE75KDkIuQKcU2jSldnT1W81vVbPuG4hv4MHnb6Tzz02Gc5YobzT/wZ6uRx2zUWa Bp/wMDUUSHhBvy+ppqY6+0cvGep3NiD/z8Qt3GXBWit1tp50dQw2H1Yn1QvR6Maw1xCN 6mlw==
X-Gm-Message-State: AOAM531Yd11aBVsaqk3kqClziBPaUMnsaMuMcbxH6glzch+p6WpFHpzc lYFKt5gaXR/e3u8J+1hbMxfH3JgzOw8=
X-Google-Smtp-Source: ABdhPJxH97oFnc4M2OZYRnZVxw6wVsMerY8IkeeFt0NNUgva25WA5+yu036Qcx4YsTMlR6FgN/vluA==
X-Received: by 2002:a63:2265:: with SMTP id t37mr7926989pgm.452.1617293909453; Thu, 01 Apr 2021 09:18:29 -0700 (PDT)
Received: from mail-pf1-f178.google.com (mail-pf1-f178.google.com. [209.85.210.178]) by smtp.gmail.com with ESMTPSA id w23sm6048269pgi.63.2021.04.01.09.18.29 for <acme@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 01 Apr 2021 09:18:29 -0700 (PDT)
Received: by mail-pf1-f178.google.com with SMTP id s11so1828709pfm.1 for <acme@ietf.org>; Thu, 01 Apr 2021 09:18:29 -0700 (PDT)
X-Received: by 2002:a65:6641:: with SMTP id z1mr8039788pgv.399.1617293908826; Thu, 01 Apr 2021 09:18:28 -0700 (PDT)
MIME-Version: 1.0
References: <13D99104-A557-4D14-BC49-2F2F9391910E@gmail.com>
In-Reply-To: <13D99104-A557-4D14-BC49-2F2F9391910E@gmail.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Thu, 01 Apr 2021 12:18:17 -0400
X-Gmail-Original-Message-ID: <CAErg=HFXXROGECa2NOrVSE9As1dtHkM=mwRJTamqDaVEryGmzg@mail.gmail.com>
Message-ID: <CAErg=HFXXROGECa2NOrVSE9As1dtHkM=mwRJTamqDaVEryGmzg@mail.gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Cc: IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000eedfb005beeb946c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/c34ti4guNcb_0AB9mK6rAC66J0c>
Subject: Re: [Acme] WGLC for ACME DTN Node ID
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Apr 2021 16:18:33 -0000
With admittedly very little context for this specific use case, a few things stand out: Section 2 states "Any identifier of type "uri" in a newOrder request MUST NOT have a wildcard ("*") character in its value." This seems to unnecessarily constrain the character space. While I suspect the purpose was to exclude wildcards from the authority-part of a generic URI/specific to a particular scheme, it ends up defining the semantics for all URIs. Given URI's well-known ambiguity in representation across implementations, and the ability to do things like include pct-encoded characters in reg-name (it's only a must requirement, not a MUST requirement), this both seems unnecessarily restrictive and fails to achieve the goal, especially since such decoding to prevent this scenario, at the ACME server, is SHALL NOT'd by the same section. If the goal is to prevent wildcards that imply certain semantics for a given scheme (e.g. "dtn:"), then that probably deserves a separate section detailing the requirements for the extraction and validation of the Node ID from the URI, and can define any restrictions on the character namespace. Alternatively, since identifier labels are cheap, making the identifier type a dtn-uri (rather than the acknowledge-generic URI) seems like a way to impose requirements specific to DTN URIs without risk of overfitting for other types of URIs. Section 3 describes how this cribs from ietf-acme-email-smime, but provides no clear explanation as to the _why_, only the _how_. For example, the statement "requires that the ACME client have access to the results of each channel to get both parts of the token" describes a result, but does not describe the motivation that necessitates such a design. This seems like it might be relevant for security considerations, but documenting the rationale for this design seems relevant to successfully and securely implementing/extending this spec. This becomes equally relevant when attempting to understand why the choice of 128-bits of entropy within Section 3.1, since it seems the choice in the size of the parts is equally related to this undocumented threat. In Section 3.1, I'm probably just not familiar enough with the underlying specs, but as far as I could tell, it's not clear why Step 3 the ACME client needs to indicate the <token-part2> to the BP agent, versus just the source. The source Node ID is clear, at least, but it seems like, at best, <token-part2> might just be serving as a "request ID" of sorts (judging by 3.4) The reason I highlight this is because I think it diverges from some of the classic assumptions about ACME and challenge design, because it seems to suggest that <token-part2> may transit the network in the clear and/or be held by multiple parties, which is a very different model than the history of ACME's DNS/TLS challenges being tied to the CA/Browser Forum's Request Token (which not simply a random value, but uniquely bound to the original request and is single-use). I *think* this might just be a terminology issue here, but would it make sense to name these according to their structural purpose, rather than just "token-part1" / "token-part2"? In Section 3.3, it's stated "The ACME server SHOULD NOT perform URI normalization on the Node ID given by the ACME client.". It seems like this deserves its own section within Security Considerations, because as with the above remarks, when, where, and how URI normalization is performed seems like it has significant security impact. Even if this protocol uses unnormalized URIs throughout the entire protocol, if implemented on top of anything that performs normalization, or the certificates that are issued are used by clients that perform normalization, you can end up with ambiguities / confused deputies. Normally in a security protocol you would want to validate and normalize your 'hostile' inputs as early as possible in this flow, and that's one of the key roles of the ACME Server / CA, so that it uses identifiers that are post-normalized/unambiguous. This seems like a major oversight, but it could be that I'm misunderstanding something specific to DTN. Section 3.3 states "BP agents SHALL refuse to respond to a Challenge Bundle which is signed by a known ACME server but has an invalid signature.". It seems like this also deserves a note within the Security Considerations, both in terms of how BP agents/ACME clients should determine whether an ACME server is "known" and how they can successfully determine an invalid signature (i.e. how to maintain the expected signing keys). This might merely be a spec reference to DTN, but this normative language appears to be trying to mitigate an undocumented security threat. I agree with Russ' comments on Section 4 where the EKU MUST be included in the issued certificate. Related, the profile from that Section 4.4.2 seems problematic for implementation (around keyUsage), but alas, that's a whole other issue for a whole other spec :) Section 6.1 feels unnecessarily light for explaining why it's not a concern. It feels like a bit of a handwave, rather than a statement of how the conclusions are reached. If I'm correctly understanding, the reason you're saying both the challenge and response are fine to be publicly known is that they can only be used in conjunction with the ACME account performing the challenge, which relies on a private key which is not communicated. Is that right? It doesn't seem like that provides much assurance, for the reasons detailed in Section 6.2
- [Acme] WGLC for ACME DTN Node ID Yoav Nir
- Re: [Acme] WGLC for ACME DTN Node ID Russ Housley
- Re: [Acme] WGLC for ACME DTN Node ID Ryan Sleevi
- Re: [Acme] WGLC for ACME DTN Node ID Brian Sipos
- Re: [Acme] WGLC for ACME DTN Node ID Russ Housley
- Re: [Acme] WGLC for ACME DTN Node ID Brian Sipos
- Re: [Acme] WGLC for ACME DTN Node ID Benjamin Kaduk
- Re: [Acme] WGLC for ACME DTN Node ID Brian Sipos
- Re: [Acme] WGLC for ACME DTN Node ID Yoav Nir
- Re: [Acme] WGLC for ACME DTN Node ID Brian Sipos