Re: [Acme] dns-01 challenge limitations
Ryan Sleevi <ryan-ietf@sleevi.com> Sun, 13 September 2020 21:58 UTC
Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 786AD3A0C98 for <acme@ietfa.amsl.com>; Sun, 13 Sep 2020 14:58:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5JGBmQ4w8I8p for <acme@ietfa.amsl.com>; Sun, 13 Sep 2020 14:58:43 -0700 (PDT)
Received: from mail-pg1-f171.google.com (mail-pg1-f171.google.com [209.85.215.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D05A33A0C97 for <acme@ietf.org>; Sun, 13 Sep 2020 14:58:43 -0700 (PDT)
Received: by mail-pg1-f171.google.com with SMTP id 67so9906099pgd.12 for <acme@ietf.org>; Sun, 13 Sep 2020 14:58:43 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=lIR9XyrA1U12peQUK+VTR2ONjIazsM7x+OxjrHmc2Zw=; b=dKZjewEMmt2K6Dd8mQnkE21nfLxb28inUMGJZDxcCnnnQIyZMd23uYv6O1lGoHrrcx fNjw1BJ/zTIjkR+66tMJPNv+IxZSL9tmOpBZNNM6vo3KBK026ldM5/ueUN/T1pA/1Z2R pxUjsxoW1k3xaZM2QMu+DZsGV/Q//OX/S7dbPerrsUWEYeE5vGi3X0u/jFYbObQjdKNJ orISTPw/VkiHJ1LVrJ2/1N+infnn2cNYH5EMThS6FfWWZWP56YdRgqkyv/rvIee6qwra zKFjDcH6hVo6eGRG8aRamxQ7X2b0puRQg2/jVnfzyIEpo951bpy22v+iYy4NwyB4+EEO mw+g==
X-Gm-Message-State: AOAM530kW5mFvhntpRUoMJgnuqDInKmc2h+0rWllIN63PfsQeyg8JSPA 0VfA/RXyaoLZkz265ylQ2EZZs1h3iuw=
X-Google-Smtp-Source: ABdhPJyi+ZxRXU2u8l0A9rW2ip2A5gTx/3hefm0mlPaQW8URrlCzewDi4RzYSScX1cjEJJ9mXgBbKA==
X-Received: by 2002:a63:2484:: with SMTP id k126mr4869427pgk.428.1600034322954; Sun, 13 Sep 2020 14:58:42 -0700 (PDT)
Received: from mail-pg1-f172.google.com (mail-pg1-f172.google.com. [209.85.215.172]) by smtp.gmail.com with ESMTPSA id x9sm8571236pfj.96.2020.09.13.14.58.42 for <acme@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 13 Sep 2020 14:58:42 -0700 (PDT)
Received: by mail-pg1-f172.google.com with SMTP id s65so8860532pgb.0 for <acme@ietf.org>; Sun, 13 Sep 2020 14:58:42 -0700 (PDT)
X-Received: by 2002:a62:ce8c:: with SMTP id y134mr10875521pfg.125.1600034322221; Sun, 13 Sep 2020 14:58:42 -0700 (PDT)
MIME-Version: 1.0
References: <uu-OR5wP1b7svN1Rxems1U8_axHG7M8M9_kYqTBVyhQFxqrddppvhasyxKtLQ-4AZkrbBWhJ_9V-Xs8mQBK5E4smP4_1vANgZazIwicsbq0=@emersion.fr> <CACHSkNq9D5tYpaYm+_336+7WkJxuRw6_zPgEUtfMqaqbDr+zww@mail.gmail.com> <RIUPM_G4wCA2zxzlMxWZp78us6ljwnWaD3n4L4kRuxYeZkEudsnLnD4b6TllCoUoTlJy0FzcJIKQ5HHuNkYPWbrkmy6yGyDQPuYubQqsrQ8=@emersion.fr> <CACHSkNrc6Gnqwfq2OzgEqvCCrhKb3SLO9YJOcDRTPV3s27OZJQ@mail.gmail.com> <CAErg=HFTsQmzacEP2K542nFWrJhcGVWE+Q2GndMnAvpSMDBCeg@mail.gmail.com> <mWZh6EINiNadii7akjphaUVgUqHjKRG_rbv6M91CxWsaCuPq7wIGJi8TfgsJWu6tFrSpnFViVNvL4XNzBEPKcc4iB10qy9Bt5lauORap1pg=@emersion.fr> <CACHSkNpy7-ecN81in9ZXMsBguV8Fp0PxZp+dy6Tr_n_CLvtmUg@mail.gmail.com>
In-Reply-To: <CACHSkNpy7-ecN81in9ZXMsBguV8Fp0PxZp+dy6Tr_n_CLvtmUg@mail.gmail.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Sun, 13 Sep 2020 17:58:32 -0400
X-Gmail-Original-Message-ID: <CAErg=HHe2LOWpFN5Zp95xmgp-E+AHwwTf+n9ei4QTRomnzMQow@mail.gmail.com>
Message-ID: <CAErg=HHe2LOWpFN5Zp95xmgp-E+AHwwTf+n9ei4QTRomnzMQow@mail.gmail.com>
To: Philipp Junghannß <teamhydro55555@gmail.com>
Cc: Simon Ser <contact@emersion.fr>, Ryan Sleevi <ryan-ietf@sleevi.com>, "Matthew.Holt@gmail.com" <Matthew.Holt@gmail.com>, "acme@ietf.org" <acme@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000067948a05af390531"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/k6r6dUStA5pKfJQq-Qu3-mqvJ6s>
Subject: Re: [Acme] dns-01 challenge limitations
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Sep 2020 21:58:46 -0000
This is the least secure option and most likely to be deprecated going forward. Sending an email, even to the IANA-defined boundaries, is simply not a substitute for proof of domain control. On Sun, Sep 13, 2020 at 5:17 AM Philipp Junghannß <teamhydro55555@gmail.com> wrote: > maybe one could make it so an email specific to the domain that is > verified could be used instead to just screw the entire DNS thing? I mean > CAs have used e-Mail based issuance over the address in the whois (no > longer practical due to increase of whois privacy by default) or the > standardized hostmaster etc addresses. that way any given acme client would > only need access to the inbox of that specific mail which probably is a > whole lot easier than DNS stuff. > > Am So., 13. Sept. 2020 um 11:13 Uhr schrieb Simon Ser <contact@emersion.fr > >: > >> > On Friday, September 11, 2020 4:26 PM, Ryan Sleevi < >> ryan-ietf@sleevi.com> wrote: >> > >> > > On Fri, Sep 11, 2020 at 9:28 AM Philipp Junghannß < >> teamhydro55555@gmail.com> wrote: >> > > >> > > > problem is obviously also the CA/Browser Forum has certain >> requirements, >> > > > and I guess having access to some kind of direct verification at >> the time >> > > > of issue might be probably one of these. >> > > >> > > This is the correct answer. >> > > >> > > While the IETF can certainly explore developing voluntary standards >> for >> > > other methods, the ability for CAs to adopt these methods is limited >> by CAs >> > > customers: the browsers and operating systems that include and use >> CAs to >> > > validate domain names on their behalf. >> > > >> > > The explicit goal by several browser/OS vendors is to obtain a fresh >> proof >> > > of control over a domain, and reduce/eliminate any caching or reuse. >> > > Delegation (by keys or persistent records) is definitely an area of >> > > expressed concern. >> >> My take is that in theory it's an understandable goal, but that in >> practice, >> this detoriorates security. >> >> In practice, ACME clients: >> >> 1. Have a static, long-term token stored in their configuration file >> 2. The token is powerful and can update any DNS record in the zone >> >> How come browser/OS vendors are fine with this, but not with a different >> approach involving an ACME-specific key? >> >> Sure, since this happens behind the ACME/DNS protocols and is an >> implementation >> detail, this isn't ACME's responsibility anymore. However, because >> browsers/OS >> vendors have this requirement of not allowing delegated proofs, we end up >> with >> a worse situation than necessary. >> >> Ultimately, ACME clients need a way to update DNS records to solve the >> dns-01 >> challenge. Ignoring and pushing the problem down to the DNS operators >> does not >> fix the root cause. >> >> If an ACME client needs to prove that they have authority over a DNS >> zone, they >> will need some kind of authorization/key/token or similar, be it >> vendor-specific or not. Why not acknowlege this fact and come up with a >> reasonable standard? >> >> > > I think the suggest of more uniform APIs for managing DNS is very >> much in >> > > line with those goals, and would help far more than ACME. >> >> Yes, no matter what ACME requires, a standardized API to update DNS >> records >> would be nice. Michael Richardson suggested that such an API (or a subset >> of) >> already exists (via secure DDNS), but isn't supported by most DNS >> operators >> (even if supported by some DNS daemons). >> >> Establishing a new standard involves talking to existing DNS operators, >> and ask >> them to implement the new standard. For them, the new standard wouldn't >> have a >> high enough return on investment: ACME clients already volunteer to >> implement >> each and every proprietary API. Even if a good standard ticking the >> checkboxes >> of RFC 5218 existed, I don't think it would be successful (no "Positive >> Net >> Value" for DNS operators). >> >>
- [Acme] dns-01 challenge limitations Simon Ser
- Re: [Acme] dns-01 challenge limitations Philipp Junghannß
- Re: [Acme] dns-01 challenge limitations Felipe Gasper
- Re: [Acme] dns-01 challenge limitations Simon Ser
- Re: [Acme] dns-01 challenge limitations Simon Ser
- Re: [Acme] dns-01 challenge limitations Philipp Junghannß
- Re: [Acme] dns-01 challenge limitations Patrik Wallström
- Re: [Acme] dns-01 challenge limitations Ryan Sleevi
- Re: [Acme] dns-01 challenge limitations Ilari Liusvaara
- Re: [Acme] dns-01 challenge limitations Michael Richardson
- Re: [Acme] dns-01 challenge limitations Michael Richardson
- Re: [Acme] dns-01 challenge limitations Simon Ser
- Re: [Acme] dns-01 challenge limitations Simon Ser
- Re: [Acme] dns-01 challenge limitations Philipp Junghannß
- Re: [Acme] dns-01 challenge limitations Simon Ser
- Re: [Acme] dns-01 challenge limitations Kas
- Re: [Acme] dns-01 challenge limitations Philipp Junghannß
- Re: [Acme] dns-01 challenge limitations Jesper Kristensen
- Re: [Acme] dns-01 challenge limitations Michael Richardson
- Re: [Acme] dns-01 challenge limitations Ryan Sleevi
- Re: [Acme] dns-01 challenge limitations Ryan Sleevi
- Re: [Acme] dns-01 challenge limitations Jacob Hoffman-Andrews