Re: [Acme] kinds of proof

Viktor Dukhovni <> Fri, 28 November 2014 21:37 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id C93AE1A1B83 for <>; Fri, 28 Nov 2014 13:37:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id a1yLFfok08Bn for <>; Fri, 28 Nov 2014 13:37:26 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 201F81A1B7E for <>; Fri, 28 Nov 2014 13:37:25 -0800 (PST)
Received: by (Postfix, from userid 1034) id BA50C284AD4; Fri, 28 Nov 2014 21:37:24 +0000 (UTC)
Date: Fri, 28 Nov 2014 21:37:24 +0000
From: Viktor Dukhovni <>
Message-ID: <>
References: <> <> <> <> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.23 (2014-03-12)
Subject: Re: [Acme] kinds of proof
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 28 Nov 2014 21:37:28 -0000

On Fri, Nov 28, 2014 at 10:37:01AM -0800, Paul Hoffman wrote:

> >  * Does the web server have to be on port 443 with TLS enabled
> >    (perhaps with a temporary self-signed certificate)?  Or is it
> >    sufficient to control port 80 or some other port with or without
> >    TLS?
> > 
> >  * If on port 443, is an existing certificate from any of the
> >    usual public CAs (other than LE) (if also usable as a TLS client
> >    cert to authenticate to the provisioning system) accepted as
> >    evidence of authenticity for bootstrapping trust with LE?
> Why should ability to control port 80 or 443 be a determinant
> for proving control of "web server" at "domain name"? Not all web
> service is run on port 80, and not all secure web service is run
> on port 443. A CA can validate that the requestor can control some
> HTTP service on some port at the domain name. If a CA has a policy
> that is more restrictive than that, ACME can trivially support that
> policy with more error codes.

Because unfortunately, Web PKI certificates are host-wide, they don't
specify a port.  Anyone who can run some program on a machine can
bind to some random port and start a web service.  Possibly port-forwarded
somewhere else via SSH!

It is far from clear to me that every "shell" user of a machine
should be authorized to obtain certificates for the whole machine.

> >  * If the domain is DNSSEC signed, is it reasonable (I hope)
> >    to raise the bar, and require proof of DNS control?  Since
> >    bootstrapping with just web server control and no existing
> >    credentials is vulnerable to MiTM, and signed domains are
> >    making an effort to harden against such attacks?
> I disagree that ACME-the-protocol should raise the bar past what
> we use for domain verification today. It's fine if a CA who uses
> ACME does.

The protocol is just a syntax, and indeed I asking a question about
appropriate CA policy.  Perhaps some guidance to CAs implementing
the protocol would not be amiss.

As for not raising the bar, "today" there is essentially no DNSSEC
deployment (just under 1% of domains in the Alexa top 1,000,000).

So this is not "raising the bar" for any established scenarios,
rather asking whether we should maintain the bar at the same woefully
insecure level, even when DNS is beginning to provide greater

At the very least I would expect the CAs resolver that validates
control over DNS to have DNSSEC validation turned on to drop "bogus"
replies.  However, I would also advocate that web server control
boostrapping over much weaker channels should not bypass stronger
DNS security (the domain owner has signalled the capability to
authenticate control of the domain, and we should not allow downgrade