IETF Logo Mail Archive

Re: [Acme] lack of nonce for external account binding (was Re: Benjamin Kaduk's Discuss on draft-ietf-acme-acme-14:) (with DISCUSS and COMMENT)

Richard Barnes <rlb@ipv.sx> Wed, 10 October 2018 22:42 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8260D129C6B for <acme@ietfa.amsl.com>; Wed, 10 Oct 2018 15:42:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ohaFIycQ_Hx7 for <acme@ietfa.amsl.com>; Wed, 10 Oct 2018 15:42:55 -0700 (PDT)
Received: from mail-oi1-x22b.google.com (mail-oi1-x22b.google.com [IPv6:2607:f8b0:4864:20::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A5961294D7 for <acme@ietf.org>; Wed, 10 Oct 2018 15:42:52 -0700 (PDT)
Received: by mail-oi1-x22b.google.com with SMTP id 22-v6so5481821oiz.2 for <acme@ietf.org>; Wed, 10 Oct 2018 15:42:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=reAI7jZrEUGPo/MAHEPUJkAwR/RiiZ3OiHFL2fpZbgE=; b=Tz1uE1mVjQBUygWbwrF/PJRu1WSrFzOcWlnKwMPvpFlmgWDg/QIXNh9y6XA9dT0En4 suV4GOTj6X+y2RzZZnU9mo2AgOBJ49g+AdDLoPtbz9v8J03vGMDL+AvnYN3bWNfHMRwa baqD7e7triR77+ELbFgnZVBLkeyZLtpLwlc9FDTJK2tyUmYP/2sIdEeOO8FEP/4pDRVW sB7rJEDu4OMjHNN6l8/uTEMM+8CfDH0bFGrxwZphAv4Zh+I/XdvW/msmYF2faHwdnQ2z YS+Q8Tuno1EvWy2PMeZGx+TX9L0ifZP+9HpnqhdhiYlEB+ANE0qvY2+2bQpL5+BI5EwC Gzlw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=reAI7jZrEUGPo/MAHEPUJkAwR/RiiZ3OiHFL2fpZbgE=; b=T4AmjD2r+dwpbE8u3qDOXpyt+BstMPvtrvQ3m0RHZvHZXj+IrAJz052+vnPLfjswFn gMPme2qY4H2CHT3w2VAZl16Y0cwByQpDhsTlYdEEupdzeiA54BEIAuoSU2D4q7F/7OYB FY0TYg9oT/2kF0rG9C6fNDxKkHHa/reoIS1kBkddlnV8MnKX5OJhvNu5B4/ulmwDJR7G 5vBNbsbTZZmnerFQ/bo9J8t3ZcTQ9I4y32GtcxVoiKWkwOPbBm/3motolfYC9+7qbvnq KaANwOEARyplo3j6iNAgVZ3HFYokuaK2AGPaFjfdUIPpIL3wyNWM6xexwAFRdkqtRLaU 1UxQ==
X-Gm-Message-State: ABuFfoj0i9FhClmWxQEKk8MZW1QDlad3mJsXIHRDLEDKyr4RlCWAvPJG oSVqdfPeoh/BaD5eSLiKh6SDHd1wS8epZnV0mc2YYw==
X-Google-Smtp-Source: ACcGV63I4e2YPJnoyYbGV9osVyk4IaJufvFUuH/UOHdYouq7/sQaG8AuH2gCszaktuiJSg861lDw1lIhhHh6hjsRQeM=
X-Received: by 2002:aca:d05c:: with SMTP id h89-v6mr2670646oig.199.1539211371070; Wed, 10 Oct 2018 15:42:51 -0700 (PDT)
MIME-Version: 1.0
References: <153556883241.14872.599302420878484743.idtracker@ietfa.amsl.com> <CAL02cgQoC1YAA1wjftoFSMBfm7Vi4KUXUQW633GZ5tM9VMMrmg@mail.gmail.com> <CAKnbcLgNrmqWp4BUz=c2-Y5NQ3FqfPe3-RqRp_ocWxv+c+jWWA@mail.gmail.com> <20180916015154.GU48265@kduck.kaduk.org> <20181003155118.GF56675@kduck.kaduk.org>
In-Reply-To: <20181003155118.GF56675@kduck.kaduk.org>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 10 Oct 2018 18:42:33 -0400
Message-ID: <CAL02cgTK+RBpYOGP0MFeuFSGQ-Nmxs73rm7jH4wJoPW8LTpSqQ@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Daniel McCarney <cpu@letsencrypt.org>, draft-ietf-acme-acme@ietf.org, IETF ACME <acme@ietf.org>, Yoav Nir <ynir.ietf@gmail.com>, The IESG <iesg@ietf.org>, "<acme-chairs@ietf.org>" <acme-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000001da480577e793bd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/jfjq1CFrPcjlp7rtmRB9ymslAqg>
Subject: Re: [Acme] lack of nonce for external account binding (was Re: Benjamin Kaduk's Discuss on draft-ietf-acme-acme-14:) (with DISCUSS and COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Oct 2018 22:42:58 -0000

On Wed, Oct 3, 2018 at 11:54 AM Benjamin Kaduk <kaduk@mit.edu> wrote:

> On Sat, Sep 15, 2018 at 08:51:55PM -0500, Benjamin Kaduk wrote:
> > On Fri, Sep 14, 2018 at 03:59:07PM -0400, Daniel McCarney wrote:
> > > > My co-author Daniel McCarney is working on the COMMENT comments.
> > >
> > > > IMPORTANT: I don't think I understand why "nonce" MUST NOT be
> present in
> > > > the external-binding JWS object, though I think I understand why one
> is
> > > not
> > > > needed in order to bind the MAC to the current transaction.  (That
> is,
> > > this
> > > > is in effect a "triply nested" construct, where a standalone MAC that
> > > > certifies an ACME account (public) key as being authorized by the
> > > > external-account holder to act on behal of that external account.
> But
> > > this
> > > > standalone MAC will only be accepted by the ACME server in the
> context of
> > > > the outer JWS POST, that must be signed by the ACME account key,
> which is
> > > > assumed to be kept secure by the ACME client, ensuring that both
> > > > key-holding entities agree to the account linkage.)  Proof of
> freshness of
> > > > the commitment from the external account holder to authorize the ACME
> > > > account key would only be needed if there was a scenario where the
> > > external
> > > > account holder would revoke that association, which does not seem to
> be a
> > > > workflow supported by this document.  Any need to effectuate such a
> > > > revocation seems like it would involve issuing a new MAC key for the
> > > > external account (and invalidating the old one), and
> revoking/deactivating
> > > > the ACME account, which is a somewhat heavy hammer but perhaps
> reasonable
> > > > for such a scenario.
> > > > Account key rollover just says that the nonce is NOT REQUIRED, and
> also
> > > > uses some nicer (to me) language about "outer JWS" and "inner JWS".
> It
> > > > might be nice to synchronize these two sections.
> > >
> > > I defer on this to the other authors/people that want
> > > externalAccountBinding to
> > > be a thing.
> >
> > Okay.  I would like to avoid having needless normative requirements if
> > there is in fact no reason for this requirement.
>
> My apologies if I missed it when it went by, but did we ever hear more
> about this requirement from the proponents of externalAccountBinding?
>

Picking this up...

I actually have the opposite inclination to you here -- if a field is not
used by the protocol, then it should be forbidden, in the spirit of [1].
By that logic, we should also forbid the use of the "nonce" field in
roll-over.  I think it was just an oversight that we didn't.  The security
analysis that Bhargavan et al. did long ago did not presume any use of
it.   I've made a PR making it a MUST NOT:

https://github.com/ietf-wg-acme/acme/pull/464

[1] https://tools.ietf.org/html/draft-iab-protocol-maintenance-00


>
> Thanks,
>
> Benjamin
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>

v2.23.0 | Report a Bug | By Email