Re: [Acme] Issuing certificates based on Simple HTTP challenges
Phillip Hallam-Baker <phill@hallambaker.com> Tue, 15 December 2015 17:48 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91FB91A9098 for <acme@ietfa.amsl.com>; Tue, 15 Dec 2015 09:48:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a8OZT_QrMsas for <acme@ietfa.amsl.com>; Tue, 15 Dec 2015 09:48:39 -0800 (PST)
Received: from mail-lf0-x231.google.com (mail-lf0-x231.google.com [IPv6:2a00:1450:4010:c07::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4AE41A8BBF for <acme@ietf.org>; Tue, 15 Dec 2015 09:48:38 -0800 (PST)
Received: by mail-lf0-x231.google.com with SMTP id p203so12422814lfa.0 for <acme@ietf.org>; Tue, 15 Dec 2015 09:48:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=E9HsyuArvQYksoKByQcGCVlV7r4FtiJKWpzbe3fgD+U=; b=JSdMfCJNF/82M6Yj/yJbwcuZGQe3JpjLpjopy92dqy79w1hkpfOqKkzG0UqOpbrNPa WQ/p4SOL9HUk4ki+GKL3UPK9dUDMP6OcbrnOU/5H/WP8HxTKQUyCLZI2/f5DjEyKO/U/ pv0NHZvHeb5twREDRU199EN0ZI8kYHuBYPvrPnILfPukV+UKG59m5rP33vmZNHWypcW+ 39OlkxiJkojoRQMOawaAxQRvr9jPbUC8pXdkBz7M0lqSb+iwnlsuoPTxxYgOZbOujFa3 UvOS3WaMc3mfn7rUXZIvBDvx8R6nV9brESwEfTd1+2sAVoblC4D/V3/a1kCZkt1eWsoH oMmQ==
MIME-Version: 1.0
X-Received: by 10.25.206.203 with SMTP id e194mr13104795lfg.166.1450201717077; Tue, 15 Dec 2015 09:48:37 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.1.227 with HTTP; Tue, 15 Dec 2015 09:48:36 -0800 (PST)
In-Reply-To: <13B5E9A8-E9CE-4018-8A9D-7856CBF06B4F@coderanger.net>
References: <CAF+SmEpOLoaREymVhi=qOUg2opz1vKzzNp6tGrDTZAjYSKFDkg@mail.gmail.com> <566F15DC.7090607@wyraz.de> <6B677A87-C6A0-485E-80DF-24960D585F46@coderanger.net> <566F2CB5.90402@wyraz.de> <89774336-0BA6-48FC-821D-1E8F3ED9AC14@coderanger.net> <566F4701.7050308@wyraz.de> <F3DA31B1-B27C-4C63-8ED4-6D27D46FF282@coderanger.net> <C2C239F2-E8A7-499B-BE52-3A48EA92B86D@dropmann.org> <BF7F8411-3E83-4A1F-B3A1-4C37DC8B4618@coderanger.net> <3CDE1749-3143-49EE-BD66-0AE4A8CC4175@dropmann.org> <566FDAB7.2030403@cs.tcd.ie> <56700F68.3040103@wyraz.de> <56701904.2070009@cs.tcd.ie> <56702EFA.1050008@wyraz.de> <13B5E9A8-E9CE-4018-8A9D-7856CBF06B4F@coderanger.net>
Date: Tue, 15 Dec 2015 12:48:36 -0500
X-Google-Sender-Auth: or56iePlixqmfaINguq3QBptZxM
Message-ID: <CAMm+Lwhvf+nRVV38q1U1DKm1WStV1UJv4+EJ_zvq0G_Tb25S9w@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Noah Kantrowitz <noah@coderanger.net>
Content-Type: multipart/alternative; boundary="001a1141257e32fef00526f366f3"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/jXVOugiwAvgDWW-t8DYQtQpPwzM>
Cc: "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] Issuing certificates based on Simple HTTP challenges
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Dec 2015 17:48:41 -0000
On Tue, Dec 15, 2015 at 12:25 PM, Noah Kantrowitz <noah@coderanger.net> wrote: > > > On Dec 15, 2015, at 7:17 AM, Michael Wyraz <michael@wyraz.de> wrote: > > > > Stephen, > >> Yes, I understand that and didn't actually refer to LE at all in my > mail. > > I'm sorry if I missunderstood you with that. > > > >> Basically, IMO only after we first get a "now" that works > > We have a working HTTP-01 spec, implementation and CA. What's missing > > for "a 'now' that works"? > > > >> Personally the optional thing in which I'm much more interested is a > >> simple put-challenge-in-DNS one where the CA pays attention to DNSSEC, > >> since that's the use-case I have and that would provide some better > >> assurance to the certs acquired via acme. I can see that there might > >> also be value for some (other) folks in SRV if it means no need to > >> dynamically change DNS. But, if someone is saying "we must all do > >> these more complex things for security reasons" then they are, in this > >> context, wrong. And my mail was reacting to just such a statement. > > Why not just placing a static public key to DNS that is allowed to sign > > ACME requests for this domain? Simple, no need for dynamic updates (yes, > > it's standardized for years but AFAIK not seen very often in real world > > scenarios). > > Anything that makes deployment _harder_ than the current LE client is a > move in the wrong direction. UX matters, with security more than just about > anything else. Unless you can propose a user flow to go with this change, > no amount of hypothetical correctness is worth having a tool no one will > use. > Harder for whom? The current scheme isn't going to work for any geolocation based systems and is a terrible fit for enterprise. The workflow for using a LRA would be as follows: 1) Set up your ACME local RA on some host, e.g. lra.example.com 2) Generate a self signed cert for the LRA 3) Calculate the fingerprint of the KeyInfo blob (see https://tools.ietf.org/html/draft-hallambaker-udf-00) MD2UR-3PN64-TMQ26-HERIT-PVDOR-6FI42 4) Create a CAA record with some tag: example.com CAA acme 0 "lra.example.com lra=MD2UR-3PN64-TMQ26-HERIT-PVDOR-6FI42" At this point, we have published all the necessary control information to allow acme clients to automatically discover the LRA they are to connect to for issue of certificates and the issuing CA has all the information needed to authenticate the requests. Note that in this particular case, the mechanism used to authenticate the client to the LRA is out of scope of ACME because it is no longer a WebPKI authentication, it is an internal configuration decision. The simplest mechanism is probably for the acme client to generate a keypair for that particular host and use that to authenticate host requests to the LRA. The LRA would require some UI to authorize requests of course. In a production environment, it might not be desirable to generate the server keys on the servers that are actually going to use them. Alternatively we might want to use the co-operative key generation technique I demonstrated at CFRG in Prague. If you are managing one server, a simple protocol is simplest. If you are managing more than one then it probably is not. One of the main ways in which PKIX became so complicated was that people tried to make it much simpler than the problems required. So instead of one revocation/status/validation mechanism we ended up with four incompatible schemes. The use of LRAs has been absolutely standard in enterprise PKI for 20 years. This is a feature we know is essential CAA was originally designed to present all the information required to manage certificate issue.
- [Acme] Issuing certificates based on Simple HTTP … Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… moparisthebest
- Re: [Acme] Issuing certificates based on Simple H… Ilari Liusvaara
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Ilari Liusvaara
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Peter Bowen
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Kim Alvefur
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Kim Alvefur
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Richard Barnes
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Richard Barnes
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Peter Bowen
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell