Re: [Acme] DNS challenge spec doesn't support CNAME model

Thomas Lußnig <lussnig@suche.org> Thu, 17 December 2015 15:56 UTC

Return-Path: <lussnig@suche.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FF141B2EFD for <acme@ietfa.amsl.com>; Thu, 17 Dec 2015 07:56:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.049
X-Spam-Level:
X-Spam-Status: No, score=0.049 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, HELO_EQ_DE=0.35, J_CHICKENPOX_65=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pxtLRybWKmDi for <acme@ietfa.amsl.com>; Thu, 17 Dec 2015 07:56:44 -0800 (PST)
Received: from relay-mx.smcc.de (relay-mx.smcc.de [194.50.33.90]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14F971A0074 for <acme@ietf.org>; Thu, 17 Dec 2015 07:56:43 -0800 (PST)
Received: by mx-32.smcc.de (Postfix, from userid 65534) id 0CF066462F; Thu, 17 Dec 2015 16:56:41 +0100 (CET)
X-Spam-SCL: 1
Received: from localhost (localhost [127.0.0.1]) by mx-32.smcc.de (Postfix) with ESMTP id 37EF864547; Thu, 17 Dec 2015 16:56:40 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mx-30.smcc.net
Received: from relay-mx.smcc.de ([127.0.0.1]) by localhost (relay-mx-02.smcc.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aTu549fNom52; Thu, 17 Dec 2015 16:56:40 +0100 (CET)
Received: from [192.168.1.3] (unknown [5.147.109.14]) by mx-32.smcc.de (Postfix) with ESMTPSA id 1CA4F64355; Thu, 17 Dec 2015 16:56:40 +0100 (CET)
To: acme@ietf.org, eric@konklone.com
References: <CANBOYLWRn_k1LoMx3pgQx=0spM8VQMXen8DuOx44ksBtWjdHUA@mail.gmail.com>
From: =?UTF-8?Q?Thomas_Lu=c3=9fnig?= <lussnig@suche.org>
Message-ID: <5672DB38.3030900@suche.org>
Date: Thu, 17 Dec 2015 16:56:40 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:43.0) Gecko/20100101 Thunderbird/43.0a2
MIME-Version: 1.0
In-Reply-To: <CANBOYLWRn_k1LoMx3pgQx=0spM8VQMXen8DuOx44ksBtWjdHUA@mail.gmail.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/fcJoHrc_G3xsZAIGPqbOmYC4eo8>
Subject: Re: [Acme] DNS challenge spec doesn't support CNAME model
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2015 15:56:45 -0000

Hi,

even better it would be if it does not introduce an new record.
The challenge could be that the user sign an random token + random value 
from him with an private key.
So CA send (token, challenges[...])
User reply (userToken, SIGNED(token,userToken),publicKey,"tlsa-311")

This has two advantages over the current model:
1) There is no dynamic update required
2) The CA can direct verify the challenge since the user can pre publish 
the tlsa record.
3) It is not more insecure than any other dns-01, tls-sni-01 or http-01 
since if he have controll
over the DNS he can select the ip.
4) It should be compatible with cname.

Gruß Thomas