IETF Logo Mail Archive

Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf-acme-acme-14: (with DISCUSS and COMMENT)

Daniel McCarney <cpu@letsencrypt.org> Mon, 24 September 2018 15:54 UTC

Return-Path: <dmccarney@letsencrypt.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B67FB1200D6 for <acme@ietfa.amsl.com>; Mon, 24 Sep 2018 08:54:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id htzhtigWOPd8 for <acme@ietfa.amsl.com>; Mon, 24 Sep 2018 08:54:55 -0700 (PDT)
Received: from mail-it1-x131.google.com (mail-it1-x131.google.com [IPv6:2607:f8b0:4864:20::131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD706120072 for <acme@ietf.org>; Mon, 24 Sep 2018 08:54:54 -0700 (PDT)
Received: by mail-it1-x131.google.com with SMTP id o72-v6so4040879ita.1 for <acme@ietf.org>; Mon, 24 Sep 2018 08:54:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; h=mime-version:references:in-reply-to:reply-to:from:date:message-id :subject:to:cc; bh=LM0OSR7qvlPRGppuIOFzA9GdJEpxXI7bO2Fvi/OThBA=; b=Xy2QoFgW4aWputKqJMFZsmACwkaXml+fjzdT10GbpgV2J+AI82kBs6cYzGKI0/J2Ur SnUqJ1xzMBLOPIoMXlNOWsUugZBCjO8CuY4Q6C8W2A9gpQ9KLvZAUAWbDnz0FGxwq+vX bQfAcq3Uk/zk0XcxJtHdCd1J46wQZbw1715Z8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=LM0OSR7qvlPRGppuIOFzA9GdJEpxXI7bO2Fvi/OThBA=; b=JRaNe0yfF3nWQwIjB92heWhOobUomD8ggYyrxqqHCMKejJtjlAKzBTi9kQUGkjPZ4r j3jlUlqsoqKLEmeaZZa+GbblDUtudhX49oWY9eofxKz38fAa/hv1F3ua09wbepu6eOGB pJpfufKqpwqfLXRUzoS86tZaESSPtZYAtZMBa1aAWFNoDCTr9ENtE+cAHGhe57zZ+K1e kxuj349fgWnFTo6yzCYw6yReM7nGhUUttK/Z5SPTn1Puy7+pZ0xl6iTYgaqv4inSFzG1 UMv5QgRUhI2bU0YjViopv4rQNgbpS/kH9V1lBGIyCd0503LhPGQgbYlqFxg/9XE0wr+Y utBg==
X-Gm-Message-State: ABuFfogJrCchozawy498w1aZJG8zdWK3nEroyRnHaGPa8RNn4AEBf9CG qn8J335IyTApPayzf1A4dvc/gjRsGaM9AbBHsvMbPQ==
X-Google-Smtp-Source: ACcGV60Xmv0BUMopciGhcyNFKQb5D7r6/PdmAz1aiFwMgcqOdi0eYTbZTgatZs6zmiPuJ1MgrKihHsi9KJSlSBZxzx8=
X-Received: by 2002:a24:41e9:: with SMTP id b102-v6mr8666827itd.19.1537804494047; Mon, 24 Sep 2018 08:54:54 -0700 (PDT)
MIME-Version: 1.0
References: <153556883241.14872.599302420878484743.idtracker@ietfa.amsl.com> <CAL02cgQoC1YAA1wjftoFSMBfm7Vi4KUXUQW633GZ5tM9VMMrmg@mail.gmail.com> <CAKnbcLgNrmqWp4BUz=c2-Y5NQ3FqfPe3-RqRp_ocWxv+c+jWWA@mail.gmail.com> <20180916015154.GU48265@kduck.kaduk.org> <20180916173537.1fe0d18d@rovaniemi> <20180916154142.GZ48265@kduck.kaduk.org> <20180916154734.GA48265@kduck.kaduk.org> <20180916224226.771fb83f@rovaniemi> <20180916222905.GA63180@kduck.kaduk.org>
In-Reply-To: <20180916222905.GA63180@kduck.kaduk.org>
Reply-To: cpu@letsencrypt.org
From: Daniel McCarney <cpu@letsencrypt.org>
Date: Mon, 24 Sep 2018 11:54:42 -0400
Message-ID: <CAKnbcLgwYSrOdaHTQ_oE9y581TufFHdt=w5udpX5n6Fq+VpypQ@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009a2c220576a00270"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/eLDn_0Gafwez-mTZC4foIOJBqrs>
Subject: Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf-acme-acme-14: (with DISCUSS and COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Sep 2018 15:54:59 -0000

Here's another PR with further feedback:
https://github.com/ietf-wg-acme/acme/pull/453

Replies in-line below.

> Perhaps dropping the "to clients" would remove the reading that
> there is nonce/client tracking without losing any significant information,
> but this seems to fall under editorial discretion, so it's all yours.

I think that's a reasonable change if it will reduce confusion. Done.

> How about "It is also used, with some media types, from certificate
> resources [...]"?

Works for me. Done.

> And my intent was to suggest that there is a new paragraph for
"alternate",
> maybe:

>> The "alternate" link relation is used when a CA can provide multiple
>> distinct certification chains (e.g., chaining to different root CA
>> certificates) for a provided certificate.

I don't think this is needed. Section 7.4.2 "Downloading the Certificate"
says
almost the same thing when describing the "alternate" relation. I think
this is
the location in-document where the information is most relevant.

> Ah. This table is slightly cramped, so it may not be worth a change, but
> even "order's certificate" (and the matching "order's authorizations")
> might help.

Ok, changed to the possessive forms.

> Mostly I just want the document to be clear and consistent about whether
> exactly one successful challenge suffices to authorize, and exactly one
> unsuccessful challenge suffices to fail authorization

Ok. I think this has been made clear in #447. One authorization is
sufficient to
authorize. One failed challenge fails the authorization/order.

> I was expecting something like '''a stub account object optionally
containing the
> "contact", "termsOfServiceAgreed", "onlyReturnExisting", and
> "externalAccountBinding" fields.'''

I understand now, thanks! Updated to say "and optionally the
"onlyReturnExisting" and "externalAccountBinding" fields". I think that will
cover this.

> If "termsOfService" is present in the directory, is the client required to
> agree to the terms before service is provided?  The text, to me, seems to
> allow a server to use this field to provide some optional additional
> documentation without requiring clients to agree to it.

I don't think the text suggests that. Section 7.3 "Account Creation" says:

> If the server wishes to present the client with terms under which the
> ACME service is to be used, it MUST indicate the URL where such terms
> can be accessed in the "termsOfService" subfield of the "meta" field
> in the directory object, and the server MUST reject new-account
> requests that do not have the "termsOfServiceAgreed" field set to
> "true".

So if termsOfService is present you MUST send termsOfServiceAgreed to be
able to
create an account. I don't think there is a reading of that text that would
allow the server to provide additional documentation without requiring
client
agreement.

> I think it would help to say '''MUST ignore any updates to [...], the
> "status" field (except as allowed by Section 7.3.7), or any other [...]'''

Good suggestion. Done.

> It seems that they would then be removed from the listing on page 46 (of
> the -14)?

I think the best fix here is to remove "valid" from "After a valid request
to
finalize has been issued". I've made this change.

> This would be § 4.4.2 of RFC 8446

Thanks. Added a ref to RFC 8446.

> Well now I'm really confused.  If I look at the example exchanges for the
HTTP challenge.

Apologies. I forgot that the HTTP-01 challenge type does send the token in
the
request by way of the request path.

I removed the language that says it "expresses a domain holder's
authorization".

> In particular, right now I think that the text about "participating in the
> creation" is inaccurate.

Rephrased to say that the entropy requirement only prevents guessing the
token
and removed text about "participating in the creation".

Thanks.


On Sun, Sep 16, 2018 at 6:29 PM Benjamin Kaduk <kaduk@mit.edu> wrote:

> On Sun, Sep 16, 2018 at 10:42:26PM +0200, Felix Fontein wrote:
> > Hi,
> >
> > > > > > > >    [...] Secondly, the entropy requirement
> > > > > > > >    prevents ACME clients from implementing a "naive"
> > > > > > > > validation server that automatically replies to challenges
> > > > > > > > without participating in the creation of the initial
> > > > > > > > authorization request.
> > > > > > > >
> > > > > > > > IMPORTANT: I'm not sure I see how this applies to the HTTP
> > > > > > > > mechanism -- couldn't you write a script to reply
> > > > > > > > to .well-known/acme-challenge/<foo> with <foo>.<key
> > > > > > > > thumbprint> for a fixed key thumbprint?  The validation
> > > > > > > > thumbprint> server would ned to
> > > > > > > > know about the ACME account in question, but not about any
> > > > > > > > individual authorization request.
> > > > > > >
> > > > > > > It would also need to know the <foo> value, which is not
> > > > > > > provided in the validation request specifically to avoid
> > > > > > > this.
> > > > > >
> > > > > > As I said above, "[w]ell now I'm really confused."  In the
> > > > > > example HTTP challenge exchange (duplicated here):
> > > > > >
> > > > > > GET
> /.well-known/acme-challenge/LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0
> > > > > > Host: example.org
> > > > > >
> > > > > > HTTP/1.1 200 OK
> > > > > > Content-Type: application/octet-stream
> > > > > >
> > > > > >
> LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0.9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI
> > > > > >
> > > > > > Doesn't the path in the GET include the <foo>?
> > > > >
> > > > > Yes, and some people are already using this to add a generic
> > > > > authorization replier (which needs the thumbprint of the account
> > > > > key). For example, the acme.sh client supports this "stateless
> > > > > mode" (as it is called there):
> > > > > https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode
> > > >
> > > > Okay, that matches up with my understanding and maybe un-confuses
> > > > me.
> > > >
> > > > But does this state of affairs nullify the text in the -14 about:
> > > >
> > > >    [...] the entropy requirement
> > > >    prevents ACME clients from implementing a "naive" validation
> > > > server that automatically replies to challenges without
> > > > participating in the creation of the initial authorization request.
> > > >
> > > > ?
> > >
> > > Also, if we wanted to prevent this sort of dumb script, it seems like
> > > we could have the ACME server do a
> > > GET /.well-known/acme-challenge/<hash-of-token>
> > > instead of
> > > GET /.well-known/acme-challenge/<token>
> > >
> > > and expect the un-hashed token in the response body.  (Witih obvious
> > > questions about explicit hash agility vs. hardcoding a hash per
> > > challenge type.)
> >
> > That would work. However, I'm not sure whether this should really be
> > disallowed. I also understand the text from draft-14 as you do, but I
> > since this incorporates the account key hash, it doesn't validate for
> > challenges coming from other ACME accounts.
>
> Whether or not it should be disallowed is probably a function of the
> severity of the XSS risk (which I don't have a good picture of right now)
> -- as I attempted to note in my ballot text, the token is only created by
> virtue of the account key holder's explicit request, which could itself be
> seen as an authorizing action.  The echoing of the token by the HTTP server
> serves to confirm possession of the domain name, more than the specific
> authorization, in that worldview.
>
> > Also, there has been a proposal
> > (https://github.com/ietf-wg-acme/acme/issues/393) to allow something
> > similar for DNS validation (as dns-02), which explicitly mentions this
> > automation. Since nobody responded that such an automation is unwanted,
> > my assumption is that this automation is a feature and not a bug. It
> > would be nice if this would be more clear from the text, though.
>
> Agreed that the text could be more clear.  In particular, right now I think
> that the text about "participating in the creation" is inaccurate.
>
> -Benjamin
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>

v2.23.0 | Report a Bug | By Email