IETF Logo Mail Archive

Re: [Acme] Alexey Melnikov's No Objection on draft-ietf-acme-acme-14: (with COMMENT)

Tim Hollebeek <tim.hollebeek@digicert.com> Thu, 30 August 2018 06:11 UTC

Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54D5F130ED2; Wed, 29 Aug 2018 23:11:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9CF7at-sZPhO; Wed, 29 Aug 2018 23:11:39 -0700 (PDT)
Received: from mail1.bemta23.messagelabs.com (mail1.bemta23.messagelabs.com [67.219.246.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F196A130E37; Wed, 29 Aug 2018 23:11:38 -0700 (PDT)
Received: from [67.219.246.100] (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)) by server-3.bemta.az-b.us-east-1.aws.symcld.net id E1/80-18521-99A878B5; Thu, 30 Aug 2018 06:11:37 +0000
X-Brightmail-Tracker: H4sIAAAAAAAAA1WTf0wTZxjHee+ud8ePLueB8oiwZDVbNkwbigm 5bG5xS8zqHybboiOTOXbYjjYpBXrFFfePoEFpkSGl0HYK9SdZnRoVNjThVwM4a0Yd2yRxUcYw mSvGgrrhnGG7uxfd/OfN930+33ve7/PmXpbkJ5gc1uJ2WZwO0a6j06i44SinD3r2lhT82Z0pD CajhDA4GyKEyG/vCoGTTuHqHUY4/A0tBB4fIAV/8+vCPz2NlHB8bI5Yn2byjYRJ04XYEG26EL rBmI4d+4sw+c6GKFNst9EUCU7R7zBbNTZHWaX7Y401MHUOVQWCyH374hy1C33dhDwojaW4JhI aBo/QyobnDhDgu9uswZtfEJzu88q2VJbmCuBa/yVC0VncehiNJwnFRHJXCAiOxlWQyX0EfTP3 aWwqhSPdI4wHsbIuhv76IkVS3ItQN7ZScWi5bfDr5RiBz9pDwr2OUVIBqdx7MFV/XdWIWwELs a/U9iSXDddvdakauCyY/v4KjfVy+H1mUYP9H8Kh+9Glug7qbgdJrPNgosurjgzcIAPDca8GAz 3M+f2kEg64TXDj5x24PCEPf5LHOh8S/vElux2Sn//B4D5nEEzOHqIweB4i+6cpDHpJOHM2zmC QC546L4HBtzR49o+p8XjODG2RKN2C1oT+N11IvdUwggfXHtIh9Z6WweXgLQqbtsLQUIzAOh/8 pxJL9TVw4vAsGZKnILlXYOwH3bNlRtbroMeMqy9Am3eawboIGsbn6TBKj6CiMqet3OqqEG12v bGgQG80FurX6guNaw3iTn2ZoUbSW0TJpTcaxE8lg1Rbsd1uNjgsrnNI/o/NVeRPfahrX3kUrW QJ3XLtYntDCf9cWaW51ipK1lJnjd0iRVEuy+pAe7Bxbwm/zGkpt7g/sdnlx/AEA5uhy9I+2Cd jrVQlVki2coxiaAM7/mVrK8mO3GyT16vq+jjpl9cBb3sryVOOSoclJ1vrVnpzysfWGsfT1k+e 2gTKy8nUopSUFD6jyuKssLme5QmUzSJdpna30iXD5nA9TZCQwxFyOM/NPUo4l/gfytmFzltXB Vavqp/saNk4wKf7coulOz/6dt49FS/67lJpXvZrvfOBmtp+b7LwfHX4UeTl1DeGv6CabQ8zUv 8uDl/c0nh0+4rNG3tnOj+L9TWtq1796tSmbdJxaeGDN19KhDvdmkXCPnnP8P6G9Pb57kc9vUO nFzbzLQc7Owa6qom3T+x4q3NYR0lW0ZhPOiXxXw8KwgNlBAAA
X-Env-Sender: tim.hollebeek@digicert.com
X-Msg-Ref: server-8.tower-384.messagelabs.com!1535609496!3373859!1
X-Originating-IP: [207.46.163.16]
X-SYMC-ESS-Client-Auth: mailfrom-relay-check=pass
X-StarScan-Received:
X-StarScan-Version: 9.9.15; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 29070 invoked from network); 30 Aug 2018 06:11:37 -0000
Received: from mail-dm3nam03lp0016.outbound.protection.outlook.com (HELO NAM03-DM3-obe.outbound.protection.outlook.com) (207.46.163.16) by server-8.tower-384.messagelabs.com with AES256-SHA256 encrypted SMTP; 30 Aug 2018 06:11:37 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=cgZOTfYDduf59Ck+p39zpzWNzjl4rCdK6XQv/i2E09Y=; b=mEQvvRAz2W8rpM8w+Sk4ylHNOPkjHraKlhb0/sKUqEdb4cDTGfeR56lY0r1qRQSzjHWQRmC6R7gikWfejJ3nlhOdSeCJtXLG4WupoAU47xFwXPvQaG1k6RuIPf8PgHYbe3dpjOtgVbvd76Jal74mV07yTOD5ZIcvQ0xv7kFgIUg=
Received: from BN6PR14MB1106.namprd14.prod.outlook.com (10.173.161.15) by BN6PR14MB1364.namprd14.prod.outlook.com (10.172.149.138) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1080.16; Thu, 30 Aug 2018 06:11:34 +0000
Received: from BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::b48d:a35d:7a5e:abf9]) by BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::b48d:a35d:7a5e:abf9%11]) with mapi id 15.20.1101.007; Thu, 30 Aug 2018 06:11:34 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Richard Barnes <rlb@ipv.sx>, "Salz, Rich" <rsalz@akamai.com>
CC: Alexey Melnikov <aamelnikov@fastmail.fm>, "draft-ietf-acme-acme@ietf.org" <draft-ietf-acme-acme@ietf.org>, IETF ACME <acme@ietf.org>, Daniel McCarney <cpu@letsencrypt.org>, Yoav Nir <ynir.ietf@gmail.com>, The IESG <iesg@ietf.org>, "<acme-chairs@ietf.org>" <acme-chairs@ietf.org>, Alexey Melnikov <alexey.melnikov@isode.com>
Thread-Topic: [Acme] Alexey Melnikov's No Objection on draft-ietf-acme-acme-14: (with COMMENT)
Thread-Index: AQHUP4mC7CXm6zFnoUO/dEqEqrQp/KTW08mAgAAGcACAAAtvgIAADVuAgAAEJYCAANcDoA==
Date: Thu, 30 Aug 2018 06:11:34 +0000
Message-ID: <BN6PR14MB110631971E10452BF7EC6F0F83080@BN6PR14MB1106.namprd14.prod.outlook.com>
References: <153554127552.14913.5752261334380280625.idtracker@ietfa.amsl.com> <CAL02cgRZsexAbNhwb08ROxTSYLqpJEJv2D9-s-sdkZx6SumPOg@mail.gmail.com> <bcff02b8-7dc9-9606-1e73-2b1ba3bb76e1@isode.com> <CAKnbcLikPk7vxrJdRT1bAqbOkBy7kLwyA5ToFKYFJfiVNCS7xg@mail.gmail.com> <5EDC099D-6070-4DC6-9561-C08BB1483041@akamai.com> <CAL02cgRG-TGziXB9ro116dVR0iMN8CrRuzA4PRTk2jEPj7nrzw@mail.gmail.com>
In-Reply-To: <CAL02cgRG-TGziXB9ro116dVR0iMN8CrRuzA4PRTk2jEPj7nrzw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [81.250.177.159]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN6PR14MB1364; 6:hqY6ZLPrAler988mI1DiBq5SZW9W47hRq1X1nk5WuPCcvQbw4B7YmDNj/ldZKwmCsgrPlg9y3H1/lAUewiF0am69V640dO9vxXbGqQRU4GZ4Oc1rSmZq2qw5eqKodxfbse7NAxTk14aS8uwY7T2pcZCU58PzPG0c6HpRTHlfsiUTvMhXZIXiywDVBTnWe5n5M23gtMOVCZYZ2NQoL+hnJjhGKbG0dFusiJORErZm10A6uoJl8z0Ema51GWHCElB0CdIzptWLXbwQIy+xBRiDPuWb7kIES14Tlj4iUTJnMKXO6GhsHiawiRpEy9F0M+N41YzNbBdXubvt1o8r5AvUaiVA/9fGiuqV4QrIdWKFF/hxq0/0WrPX5YeNpC78wdSXHKnQTPmzoOwRKD1HuwSVmlY4IhuHoSqb0MhUE2M//PDj3qtQY0IyTNYNa56AwbAy3hozneB27k8E4bmZs732Hw==; 5:mmwvz8q7yAYVRB1RDr4o19DVzzx2xa8pXcmnnKGFuM3VfnrjwQ+16wo3D5WYtbMaryZzSBi54Aq1hOmE7nGBliNH+W25Dn41DNlbcMlBzWbWOOi45g5L6/F5fof1W5xfw42my3g4XDmePovBHyMXijF2hQravlXc0rm5OZQliHE=; 7:KSruMMrjFoEHH2Ij8wU9sXocIGHYkUpyfP+MsolyT1ABEbxJ3W+T7acHREuPU4TpIRHzO5sn5TIOwrj467AWXD3qNDJw0Mwgn0d+7ojtxF8toWMaq8sS9M8C9zmf5PzsUd4XxswkHjKcAujB//DjpKR92JXWTPUlCGdVsDkG1jbOnsUjUUpQFDfFfioywfudYC4Xs3+/YGIWvPyaOLBfEeuqqEFBAqrbqsbpz1urAzeRdRWgfC/OyZaHAL31yhIs
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: c40e4266-05ff-4657-f0b2-08d60e3f6ff3
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989137)(5600074)(711020)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(2017052603328)(7153060)(49563074)(7193020); SRVR:BN6PR14MB1364;
x-ms-traffictypediagnostic: BN6PR14MB1364:
x-microsoft-antispam-prvs: <BN6PR14MB136441771E9C71B3BFEB4ABF83080@BN6PR14MB1364.namprd14.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(158342451672863)(166708455590820)(192374486261705)(85827821059158)(21748063052155)(79290750141951)(269456686620040);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(102415395)(6040522)(2401047)(5005006)(8121501046)(10201501046)(93006095)(93001095)(3231311)(944501410)(52105095)(3002001)(149027)(150027)(6041310)(20161123560045)(20161123562045)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(201708071742011)(7699016); SRVR:BN6PR14MB1364; BCL:0; PCL:0; RULEID:; SRVR:BN6PR14MB1364;
x-forefront-prvs: 07807C55DC
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(136003)(39860400002)(366004)(346002)(376002)(396003)(199004)(189003)(76176011)(551934003)(44832011)(33656002)(6116002)(54896002)(7416002)(478600001)(3846002)(99286004)(106356001)(5660300001)(54906003)(93886005)(66066001)(186003)(14444005)(7696005)(2906002)(316002)(86362001)(790700001)(606006)(2900100001)(110136005)(53386004)(6246003)(486006)(39060400002)(966005)(229853002)(256004)(446003)(9686003)(25786009)(4326008)(99936001)(11346002)(6436002)(26005)(236005)(6506007)(5250100002)(14454004)(53936002)(53546011)(81156014)(55016002)(81166006)(6306002)(74316002)(102836004)(1680700002)(97736004)(68736007)(8676002)(8936002)(476003)(7736002)(105586002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN6PR14MB1364; H:BN6PR14MB1106.namprd14.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: hfBV4wKWlMzBeMNmZilSk5Mnm9pNnWyHxyRwnOJ9RUcn/HeEZxTnfFdNoafCcJrC+yV9QwPRs1PU5h9EfCKAcb8rP0/oLj/YCLTU0H/ATXA7uzQMwfuG/D0PiasCMi5SO+c0sk3jzzQOvYjcdWBupMFJMQOpohp2gcPBsmwC6OvqU4+TGz0HlAAiEoyt5RpSCsQoqHd6PN61uw+TShVUjY2hHJFP2/HgNPNDY07d2xvlyjNhMhK3YvtYOxDrxyblUovpyz+tlSsBj09PbDmseDr+j74vRM+V2sMvnFkTp9o1jlGlVu8BZWXz0nHMFLIG6QVdgloCSIOFN4HWTf8aLphBHrSXOyZNpILvbmFqtVA=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"; boundary="----=_NextPart_000_02BA_01D44039.0BF2C4C0"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c40e4266-05ff-4657-f0b2-08d60e3f6ff3
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Aug 2018 06:11:34.2159 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR14MB1364
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/vodOiNpVQYdpff1NMyvLAyOVQLA>
X-Mailman-Approved-At: Thu, 30 Aug 2018 05:02:16 -0700
Subject: Re: [Acme] Alexey Melnikov's No Objection on draft-ietf-acme-acme-14: (with COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Aug 2018 06:11:43 -0000

For what it’s worth, there’s a discussion going on in the validation working group right now about how redirects should be handled.  The most likely outcome is either pretty severe restrictions around redirects, or completely disallowing them.  

 

In the interest of openness, CAs were asked to disclose their current redirect behavior as a basis for a discussion about what the requirements should be.  Two CAs have done so.  Others are strongly encouraged to do so.

 

There is no explicit text allowing them, so it could be argued that the BRs currently don’t allow following redirects.  On the other hand, redirects are part of HTTP, so the argument can also be made that “retrieving a web page” can involve arbitrary redirects, including potentially things like meta refresh and javascript.  The fact that such a diverse range of interpretations are possible is something we’d love to fix.

 

In particular, non-HTTP redirects that involve parsing page content introduce a great deal of complexity and risk into the validation process, and I’d like to clarify that that definitely isn’t allowed.

 

Redirects to a location outside of the domain being validated are viewed with particular suspicion by many, including me.  Redirects within the same domain seem less problematic, and indeed useful for handling large numbers of domains.  Though it’s not clear this solves a use case that is not already handled by the ability to validate and Authorization Domain Name and use it for subdomains.

 

The main reason to allow redirects within a domain is if there is a unilateral redirect from example.com to www.example.com <http://www.example.com> , which is of course incredibly common.  It seems one should be able to validate example.com using that redirect.

 

At least one large CA supports the “no redirects at all” position.

 

-Tim

 

From: Acme <acme-bounces@ietf.org> On Behalf Of Richard Barnes
Sent: Wednesday, August 29, 2018 7:10 PM
To: Salz, Rich <rsalz@akamai.com>
Cc: Alexey Melnikov <aamelnikov@fastmail.fm>; draft-ietf-acme-acme@ietf.org; IETF ACME <acme@ietf.org>; Daniel McCarney <cpu@letsencrypt.org>; Yoav Nir <ynir.ietf@gmail.com>; The IESG <iesg@ietf.org>; <acme-chairs@ietf.org> <acme-chairs@ietf.org>; Alexey Melnikov <alexey.melnikov@isode.com>
Subject: Re: [Acme] Alexey Melnikov's No Objection on draft-ietf-acme-acme-14: (with COMMENT)

 

I noticed that we already had some text in the security considerations about redirects, so I reverted to SHOULD and added a forward pointer.

 

> More limited forms of delegation can also lead to an unintended
> party gaining the ability to successfully complete a validation
> transaction. For example, suppose an ACME server follows HTTP
> redirects in HTTP validation and a website operator provisions a
> catch-all redirect rule that redirects requests for unknown
> resources to a different domain. Then the target of the redirect
> could use that to get a certificate through HTTP validation since
> the validation path will not be known to the primary server.

 

https://github.com/ietf-wg-acme/acme/pull/442/files#diff-8430e2aa241beb4ac49b252db20d4ee8R2492

 

Alexey: Can you live with this solution?  There is some residual interop risk, but (1) that's kind of unavoidable given the uncertainty here, and (2) redirects are an easy-ish thing to debug and adapt if there's a mismatch.  And at least the reasoning is pretty well documented now.

 

--Richard

 

On Wed, Aug 29, 2018 at 12:55 PM Salz, Rich <rsalz@akamai.com <mailto:rsalz@akamai.com> > wrote:

I read the link you posted, thanks.

 

As long as we’re not breaking the HTTP spec, I agree that SHOULD seems to get the most interop.  As long as we’re getting signed reponses back, I don’t think it matters much where the redirect sends you.

v2.23.0 | Report a Bug | By Email