Re: [Acme] Threat model for claiming domains

[Richard Barnes <rlb@ipv.sx>]

Hey Rob,

Thanks for this.  The HTTP one looks more or less as I would have
expected.  We should probably tighten up the ACME one to look more like it.

With regard to the DNS validation:
1. Is there a reason you guys use CNAME instead of TXT?
2. W.r.t. using a subdomain vs. the name itself: When we wrote the current
ACME spec, the thinking was that it might be possible for an applicant to
provision a subdomain without being able to provision a record under the
name itself.  For example, with my Dreamhost hosting account, I can
register any records I want under "<md5>.dreamhosters.com", but I can't
provision under "dreamhosters.com".  Are you accounting for this risk
somehow?

I notice that there are mentions of an API in that document.  If you have
other API documentation you could share, that could be useful.  In
particular, it would make it easier to make ACME something that you guys
could transition to :)

--Richard



On Mon, Dec 22, 2014 at 5:43 AM, Rob Stradling <rob.stradling@comodo.com>
wrote:
>
> Hi Richard.  This pdf has some more details on Comodo's other domain
> validation methods...
>
> https://secure.comodo.com/api/pdf/latest/Domain%20Control%20Validation.pdf
>
> On 20/12/14 00:25, Richard Barnes wrote:
>
>> Hey Tony,
>>
>> I just got around to thinking about this for a moment.  Obviously, our
>> baseline here should be whatever the CAs are doing today, since we have
>> empirical evidence that those methods are more or less OK.  I did a
>> quick and dirty empirical survey of the top few CAs this afternoon:
>>
>> https://docs.google.com/a/ipv.sx/document/d/1KVKIS6abA2KL-
>> yHvFsMql6U3qUjVhgO6p19Hzci0vQo/edit?usp=sharing
>>
>> For the most part, they rely on sending an email to either the
>> registered WHOIS contact, or something like admin@domain.  GlobalSign
>> supports validation based on a DNS record or a <meta> tag in index.html.
>>
>> With regard to your concern about services colocated on the same IP
>> (presumably for simpleHttps and DVSNI validation): This seems to mostly
>> be addressed by not allowing the ACME client to specify the port that
>> the ACME server connects to.  That means that the attacker has to
>> control not only something on the box, but the default port for HTTP or
>> HTTPS.  If that's not the case, normal routing based on the Host header
>> or SNI should ensure that the validation request goes to the right place.
>>
>> Nonetheless, I agree that more analysis would be useful, across all the
>> validation methods.
>>
>> --Richard
>>
>>
>> On Mon, Dec 1, 2014 at 7:33 PM, Tony Arcieri <bascule@gmail.com
>> <mailto:bascule@gmail.com>> wrote:
>>
>>     Is there a published threat model for claiming domains? I haven't
>>     been able to find it, but I'd certainly like to read it!
>>
>>     If we simply accept a service running on the same IP that a given
>>     DNS name points to, there seems ample opportunity to register
>>     certificates for services colocated on the same IP.
>>
>>     --
>>     Tony Arcieri
>>
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
>