Re: [Acme] Trust and security in DNS challenge validation automation

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 16 January 2018 16:21 UTC

Date: Tue, 16 Jan 2018 18:20:56 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: acme@ietf.org
Message-ID: <20180116162056.GA27940@LK-Perkele-VII>
References: <1a6f7bfb-d6dc-bd1a-fcb5-ec78ec4497cf@eff.org> <20180116155925.GA27134@LK-Perkele-VII> <2bf52bc7-a258-871e-fe14-2af7a1534f36@eff.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/fNnfnB5rtK1N9AytTZ5veOuxqZw>

On Tue, Jan 16, 2018 at 06:05:55PM +0200, Joona Hoikkala wrote:
> On 16.01.2018 17:59, Ilari Liusvaara wrote:
> > I earlier had an idea of Public Key Pinning with CAA records. It
> > would be much safer than HPKP (because if keys get lost, they
> > can be rather quickly changed) and could actually help against the
> > issue (as CAA is proactive, not reactive like CT). I should post a
> > draft about it...
> This actually already exists, check out:
> https://tools.ietf.org/html/draft-ietf-acme-caa-03

I mean pinning the TLS key, not the account key. Even if the
compromised automation cannot outright dump the ACME key (and
most probably it can), it can still misuse the key.

-Ilari