[Acme] Validation methods for alternative services and SVCB/HTTPS targets

Jeremy Saklad <jeremy@saklad5.com> Thu, 27 October 2022 16:45 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/dIfbBLij_SCeXKoE47tpIVkavTs>

Right now, most of ACME’s validation methods can only be used by clients with IP addresses in A/AAAA records corresponding to the identifier, as well as specific open ports. This is perfectly acceptable for most use cases right now, but it becomes problematic when managing certificates for the likes of HTTP alternative services or SVCB/HTTPS targets. Such configurations require a certificate for the original identifier, but (usually) do not share the same IP addresses.

dns-01 sidesteps this limitation, but is often less secure since it usually requires credentials for DNS zone modifications to be accessible by clients.

I don’t think it is too early to start thinking about more practical solutions, in advance of draft-ietf-dnsop-svcb-httpssvc being finalized. Perhaps a new form of TLS-ALPN method that uses an SVCB/HTTPS record instead of 443/tcp and A/AAAA records? It would need to ignore the normal precedence rules, as they would preclude lower-priority targets from getting certificates.

Jeremy Saklad
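As an added illustration of the proposal above (my own example, not part of the message or of any ACME implementation), the following Python parses SVCB/HTTPS RDATA in the RFC 9460 wire format and lists every ServiceMode target a TLS-ALPN style check would have to reach, deliberately ignoring SvcPriority so that lower-priority targets are not excluded. The record set, host names and port are constructed sample data.

```python
import struct
SVCPARAM_ALPN, SVCPARAM_PORT = 1, 3  # SvcParamKey values from RFC 9460

def encode_name(name):  # DNS wire-format name; SVCB TargetName is never compressed
    if name == ".":
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_rdata(prio, target, params):
    # Constructed SVCB/HTTPS RDATA: SvcPriority, TargetName, then SvcParams
    body = struct.pack("!H", prio) + encode_name(target)
    for key in sorted(params):
        body += struct.pack("!HH", key, len(params[key])) + params[key]
    return body

def parse_name(buf, off):
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return (".".join(labels) or "."), off + 1

def parse_rdata(rdata):
    prio = struct.unpack("!H", rdata[:2])[0]
    target, off = parse_name(rdata, 2)
    params = {}
    while off < len(rdata):
        key, ln = struct.unpack("!HH", rdata[off:off + 4])
        params[key] = rdata[off + 4:off + 4 + ln]
        off += 4 + ln
    return prio, target, params

def validation_targets(owner, rrset):
    """(host, port) pairs that must answer a challenge for owner: every ServiceMode record counts."""
    out = set()
    for rdata in rrset:
        prio, target, params = parse_rdata(rdata)
        if prio == 0:  # AliasMode: an alias to follow, not a service endpoint to validate
            continue
        host = owner if target == "." else target
        port = struct.unpack("!H", params[SVCPARAM_PORT])[0] if SVCPARAM_PORT in params else 443
        out.add((host, port))
    return sorted(out)

# Constructed HTTPS RRset for example.com: the origin at priority 1, an alt-svc host on port 8443 at priority 2
EXAMPLE_RRSET = [
    build_rdata(1, ".", {SVCPARAM_ALPN: b"\x02h2\x02h3"}),
    build_rdata(2, "alt.example.net", {SVCPARAM_PORT: struct.pack("!H", 8443)}),
]
```

A client following normal SVCB precedence would only ever contact the priority-1 endpoint; the enumeration above is what lets the priority-2 host obtain a certificate for the same identifier.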