IETF Logo Mail Archive

[Acme] FW: Alexey Melnikov's No Objection on draft-ietf-acme-acme-14: (with COMMENT)

Tim Hollebeek <tim.hollebeek@digicert.com> Thu, 30 August 2018 12:06 UTC

Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E536C12F1A5; Thu, 30 Aug 2018 05:06:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Po46-3g07AK9; Thu, 30 Aug 2018 05:06:40 -0700 (PDT)
Received: from mail1.bemta23.messagelabs.com (mail1.bemta23.messagelabs.com [67.219.246.208]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDBAA127AC2; Thu, 30 Aug 2018 05:06:39 -0700 (PDT)
Received: from [67.219.247.52] (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)) by server-1.bemta.az-d.us-east-1.aws.symcld.net id C7/3D-21214-FCDD78B5; Thu, 30 Aug 2018 12:06:39 +0000
X-Brightmail-Tracker: H4sIAAAAAAAAA1WTa0wTWRTHuTPTdkS6GcujRxZNbKKr6DStJlo TjX5Z3WSjIkQ/iK4OdqSjfWCnRPCDQaOStMtGEbASVx4qxmrdaFZLohZFBS1QBbEYFBQ1Popv Pxi1Ic70Fh8f5uR3z/9/zzn35g5Nag6oMmm+xMU77ZxVp0ymbuoPm9jwQHm+oW0YTC3DtYTJ9 2y5qSGgNHlje8mF1B9HjnwictAqhWAvcJSsU1jed3ymigJ+VHKnokZVhnbXITdKpinmbxKedr kV8kLD7CWg6XmvCi8eIjjsCxBuNIZWMgaIXGwnZCGNOYHgS9MgkoVU5i+4HgzFTWnMWmg8dlW FOR9eBUckpqUek+GfR0vltJpZA829xxBuECGhr3NQIXvGSHV2nHHIHsRkwMfQyXhJktFC/5O6 OAOTBkPdHUrM6fDi8YgC+1fDvx9aE/lJ0H3iS8I/AXrqPPFewLSo4GXoVEJg4W11NYl5CTQeC iPMPQj2eS2Ys6H3kp/CbIWWk+EE/4dgV3QW5ongqxiicIOzJNxrfJ8olAXu7R4CC91K8JUNxz trGDNU+UZH3UNCf0y1B2XX/nBSzPXSDZ+dUxu/sXFw48ATCudXQUvXs4QnG6r90UR+OjQ1DJO 10kWSzDRou637Oa2SeB78b8bZSVDlGVJhng27w++U9WisD80ucAqFFpeNE6ys0WBgjcaZ0sea DHpuK2vWF4ssz4ku1qjntoh6sdS23mrW23nXGSQ9R3PR2Jxm9PRoYSsaTxO6dPWCzvJ8zS8FD nOphRMta53FVl5sRVk0rQP1wH1JG+fkC/mSDYJVetOjMtApujT1n7KsFos4mygUYimEfqfDxy srSfrqYJUUb8Vj7E21FIOemkpSQ9kddj5Tq34gb2bkzZZi+7fSo39MD5qQmapGSUlJmpQi3mk TXD/rUaSlkS5V7ZCrpAh217cJotJwhDSce3CnPJyL+y5lliHhfPfBPDayaHV97sjz9kB5Utch 26JpGck5eVPa6rxLAryzwt+fnBIVQsvmE30fNZ2/rdQ2X97k3nhpSuk97bapK65593ec9mUEB 3JvZD0cv62rJjD39JX65l8veHeuy10cWbplzusPm++mrw+16/ryzq2ZEXy9MebPyY9Qnpj9Rd Cko0QLZ8wmnSL3FXsWRd8sBAAA
X-Env-Sender: tim.hollebeek@digicert.com
X-Msg-Ref: server-18.tower-424.messagelabs.com!1535630797!2933713!1
X-Originating-IP: [207.46.163.56]
X-SYMC-ESS-Client-Auth: mailfrom-relay-check=pass
X-StarScan-Received:
X-StarScan-Version: 9.9.15; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 15746 invoked from network); 30 Aug 2018 12:06:38 -0000
Received: from mail-cys01nam02lp0056.outbound.protection.outlook.com (HELO NAM02-CY1-obe.outbound.protection.outlook.com) (207.46.163.56) by server-18.tower-424.messagelabs.com with AES256-SHA256 encrypted SMTP; 30 Aug 2018 12:06:38 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=IlM3K21eLmJS2CkBVlM1s1R1u70TTtTS0hb8DQNviXY=; b=QVzB0IiKpFgtGWXX45zayYcAu8Zk/niYApI4upBEDeJgGL1mja9FdRJZ5VD5hZZp2hMAFl2LSKhnIMY0bOOhNkyYbKF3KygG9sJW5GsJV50EuIIxrzoleKB7LA97oslC6sQs7sCBKI0Y/z1djo21aoo2O98IqU/PiCOw7uhi5sA=
Received: from BN6PR14MB1106.namprd14.prod.outlook.com (10.173.161.15) by BN6PR14MB1699.namprd14.prod.outlook.com (10.171.176.141) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1080.14; Thu, 30 Aug 2018 12:06:36 +0000
Received: from BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::b48d:a35d:7a5e:abf9]) by BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::b48d:a35d:7a5e:abf9%11]) with mapi id 15.20.1101.016; Thu, 30 Aug 2018 12:06:35 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: "draft-ietf-acme-acme@ietf.org" <draft-ietf-acme-acme@ietf.org>, IETF ACME <acme@ietf.org>, The IESG <iesg@ietf.org>, "<acme-chairs@ietf.org>" <acme-chairs@ietf.org>
Thread-Topic: [Acme] Alexey Melnikov's No Objection on draft-ietf-acme-acme-14: (with COMMENT)
Thread-Index: AQHUP4mC7CXm6zFnoUO/dEqEqrQp/KTW08mAgAAGcACAAAtvgIAADVuAgAAEJYCAANcDoIAAZX2A
Date: Thu, 30 Aug 2018 12:06:35 +0000
Message-ID: <BN6PR14MB11060308213B4B64FFECB52183080@BN6PR14MB1106.namprd14.prod.outlook.com>
References: <153554127552.14913.5752261334380280625.idtracker@ietfa.amsl.com> <CAL02cgRZsexAbNhwb08ROxTSYLqpJEJv2D9-s-sdkZx6SumPOg@mail.gmail.com> <bcff02b8-7dc9-9606-1e73-2b1ba3bb76e1@isode.com> <CAKnbcLikPk7vxrJdRT1bAqbOkBy7kLwyA5ToFKYFJfiVNCS7xg@mail.gmail.com> <5EDC099D-6070-4DC6-9561-C08BB1483041@akamai.com> <CAL02cgRG-TGziXB9ro116dVR0iMN8CrRuzA4PRTk2jEPj7nrzw@mail.gmail.com> <BN6PR14MB110631971E10452BF7EC6F0F83080@BN6PR14MB1106.namprd14.prod.outlook.com>
In-Reply-To: <BN6PR14MB110631971E10452BF7EC6F0F83080@BN6PR14MB1106.namprd14.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [185.81.138.20]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN6PR14MB1699; 6:CDQhq5S9qqMYCoUng4OfUrdrhCZ5TEskhQTP8dcweMcYfD5bahS6oOe7hpRtAy5Sq2TueUTgDC51CtKortgDW/z2xs0K2GlwlbEQpvAh3iVeawapp9/ZAXPFr1Sc0seEW50pyT6ESfRmCgQvtVbDspPUNhuzYTkNA0EcJ9uD8O6/yQveIEzBNgqYWk+Ewpy95bqHngq+FqCoNiJJEHu4DPg/3umi8o2KO5hULug/yHA0rxG8ofXUMoLN3LdeGzVWlGWO8N4q3/Wrc6yzQoRe0xgt2wQyoDrqlduyeu6kqgf1Uvra7f98hBvUchRPatJ3+nt87GlW64ERrRgAn+lon0N/GxpcqPlZ6VWf6oxcfoqtbT0u7tzs6MHnejZ6SW/tnAqESw5Vuv0JS1TO9ZDu0sef3i1E87mddQ54RQkL2cuDrWjHwjw6TmDQJDnO4gGcLydcWtm7nzeCnJx0tZlIDw==; 5:vWk9ALRCOElmq97V9q2ab5n8atr/SJvgJjqoDPky3x4qd46UM51/uFGhiokzI4vDL3wlzIJGiCkwedU/e5+pFK2WmeXrW8WK3AMRDkQPdGZWA4YrWMJMBiAVYxICd6EuAU4vUOcMc1SSsw9nxtHBRdPm2FFCyhT78w2dqNjZsH8=; 7:gvMkVjYK1ANPkuJ1lwtX7mT32pbhBafqoBJDcZNIm8A1hjJPqeYGbLj+njQbb9veMEg3PCGXHGBISnHBeZ0X9fNsoKPTH34qPxE1rgG2BfRTvxdrOpdRataKQTvV3U8FJGaty0R4I8OoHi0PjP+6sWw6HgWc98tGt/96a8pdCUQmaCVpupKb+9l6SELQgoJjvuu+84xaZZNPAmghI9j8mn/q8IhAGu7gD6L2s+UBIVlfjQvBu+GX841JdCXYZnYX
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: c4c344ae-7f53-44e7-51ad-08d60e7108b0
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989137)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600074)(711020)(2017052603328)(7153060)(49563074)(7193020); SRVR:BN6PR14MB1699;
x-ms-traffictypediagnostic: BN6PR14MB1699:
x-microsoft-antispam-prvs: <BN6PR14MB1699E48B3AEC02612BD4DBCF83080@BN6PR14MB1699.namprd14.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(158342451672863)(166708455590820)(192374486261705)(85827821059158)(269456686620040)(21748063052155)(79290750141951);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(102415395)(6040522)(2401047)(8121501046)(5005006)(10201501046)(93006095)(93001095)(3231311)(944501410)(52105095)(3002001)(149027)(150027)(6041310)(20161123562045)(20161123564045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(201708071742011)(7699016); SRVR:BN6PR14MB1699; BCL:0; PCL:0; RULEID:; SRVR:BN6PR14MB1699;
x-forefront-prvs: 07807C55DC
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(39860400002)(346002)(136003)(366004)(376002)(189003)(199004)(2940100002)(11346002)(486006)(7736002)(105586002)(606006)(1680700002)(446003)(14454004)(6506007)(2501003)(14444005)(256004)(99936001)(3846002)(6116002)(790700001)(5660300001)(102836004)(53546011)(966005)(551934003)(2900100001)(74316002)(478600001)(2906002)(86362001)(8936002)(476003)(33656002)(44832011)(106356001)(110136005)(93886005)(26005)(93156006)(53386004)(68736007)(186003)(55016002)(236005)(99286004)(97736004)(8676002)(66066001)(450100002)(53936002)(7696005)(229853002)(81166006)(25786009)(5250100002)(6436002)(6306002)(81156014)(9686003)(316002)(2473003)(54896002)(76176011)(491001); DIR:OUT; SFP:1102; SCL:1; SRVR:BN6PR14MB1699; H:BN6PR14MB1106.namprd14.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: +VnDhkQOKlM75YDXdeofz4csJOW9f5Hmu3qNyCY9x6RHT6ewoQ82JtYfdGyNyVZyTLXEXmnrhdAgD82kiycNGZamc/UEWHrmt+LaM9pPJ9fWHqSjTYGsYDmx5qWR88rwwin565HmeJSbOJU/4l+D0FgZuGh0O9BqbFuPb8PB0ayQ+sZk3E6AebZUlZMUftxlSgF8aB2cbCLrHZRhFIPe1nmUasXjRlZ1feUfIB7lqpQfZEzFyRpUFG9G/J7V3ngbPXeUlXyaZ7djA3ojbNs7iRqFqC24oWFg7Mr5ZV/vXfQD3sTS+Xe7tMgXVJFPjenMe8qX6UQrRwSa+1E1RH08W8JbFE/6bNcJbVjbWF9aJZI=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"; boundary="----=_NextPart_000_03A9_01D4406A.3E8A7780"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c4c344ae-7f53-44e7-51ad-08d60e7108b0
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Aug 2018 12:06:35.1663 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR14MB1699
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/LDg60FP7Iv1aRSguS7lEdX3R6Zk>
Subject: [Acme] FW: Alexey Melnikov's No Objection on draft-ietf-acme-acme-14: (with COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Aug 2018 12:06:43 -0000

Trimming recipients due to moderation.

 

-Tim

 

From: Tim Hollebeek 
Sent: Thursday, August 30, 2018 8:12 AM
To: 'Richard Barnes' <rlb@ipv.sx>; Salz, Rich <rsalz@akamai.com>
Cc: Alexey Melnikov <aamelnikov@fastmail.fm>; draft-ietf-acme-acme@ietf.org; IETF ACME <acme@ietf.org>; Daniel McCarney <cpu@letsencrypt.org>; Yoav Nir <ynir.ietf@gmail.com>; The IESG <iesg@ietf.org>; <acme-chairs@ietf.org> <acme-chairs@ietf.org>; Alexey Melnikov <alexey.melnikov@isode.com>
Subject: RE: [Acme] Alexey Melnikov's No Objection on draft-ietf-acme-acme-14: (with COMMENT)

 

For what it’s worth, there’s a discussion going on in the validation working group right now about how redirects should be handled.  The most likely outcome is either pretty severe restrictions around redirects, or completely disallowing them.  

 

In the interest of openness, CAs were asked to disclose their current redirect behavior as a basis for a discussion about what the requirements should be.  Two CAs have done so.  Others are strongly encouraged to do so.

 

There is no explicit text allowing them, so it could be argued that the BRs currently don’t allow following redirects.  On the other hand, redirects are part of HTTP, so the argument can also be made that “retrieving a web page” can involve arbitrary redirects, including potentially things like meta refresh and javascript.  The fact that such a diverse range of interpretations are possible is something we’d love to fix.

 

In particular, non-HTTP redirects that involve parsing page content introduce a great deal of complexity and risk into the validation process, and I’d like to clarify that that definitely isn’t allowed.

 

Redirects to a location outside of the domain being validated are viewed with particular suspicion by many, including me.  Redirects within the same domain seem less problematic, and indeed useful for handling large numbers of domains.  Though it’s not clear this solves a use case that is not already handled by the ability to validate and Authorization Domain Name and use it for subdomains.

 

The main reason to allow redirects within a domain is if there is a unilateral redirect from example.com to www.example.com <http://www.example.com> , which is of course incredibly common.  It seems one should be able to validate example.com using that redirect.

 

At least one large CA supports the “no redirects at all” position.

 

-Tim

 

From: Acme <acme-bounces@ietf.org <mailto:acme-bounces@ietf.org> > On Behalf Of Richard Barnes
Sent: Wednesday, August 29, 2018 7:10 PM
To: Salz, Rich <rsalz@akamai.com <mailto:rsalz@akamai.com> >
Cc: Alexey Melnikov <aamelnikov@fastmail.fm <mailto:aamelnikov@fastmail.fm> >; draft-ietf-acme-acme@ietf.org <mailto:draft-ietf-acme-acme@ietf.org> ; IETF ACME <acme@ietf.org <mailto:acme@ietf.org> >; Daniel McCarney <cpu@letsencrypt.org <mailto:cpu@letsencrypt.org> >; Yoav Nir <ynir.ietf@gmail.com <mailto:ynir.ietf@gmail.com> >; The IESG <iesg@ietf.org <mailto:iesg@ietf.org> >; <acme-chairs@ietf.org <mailto:acme-chairs@ietf.org> > <acme-chairs@ietf.org <mailto:acme-chairs@ietf.org> >; Alexey Melnikov <alexey.melnikov@isode.com <mailto:alexey.melnikov@isode.com> >
Subject: Re: [Acme] Alexey Melnikov's No Objection on draft-ietf-acme-acme-14: (with COMMENT)

 

I noticed that we already had some text in the security considerations about redirects, so I reverted to SHOULD and added a forward pointer.

 

> More limited forms of delegation can also lead to an unintended
> party gaining the ability to successfully complete a validation
> transaction. For example, suppose an ACME server follows HTTP
> redirects in HTTP validation and a website operator provisions a
> catch-all redirect rule that redirects requests for unknown
> resources to a different domain. Then the target of the redirect
> could use that to get a certificate through HTTP validation since
> the validation path will not be known to the primary server.

 

https://github.com/ietf-wg-acme/acme/pull/442/files#diff-8430e2aa241beb4ac49b252db20d4ee8R2492

 

Alexey: Can you live with this solution?  There is some residual interop risk, but (1) that's kind of unavoidable given the uncertainty here, and (2) redirects are an easy-ish thing to debug and adapt if there's a mismatch.  And at least the reasoning is pretty well documented now.

 

--Richard

 

On Wed, Aug 29, 2018 at 12:55 PM Salz, Rich <rsalz@akamai.com <mailto:rsalz@akamai.com> > wrote:

I read the link you posted, thanks.

 

As long as we’re not breaking the HTTP spec, I agree that SHOULD seems to get the most interop.  As long as we’re getting signed reponses back, I don’t think it matters much where the redirect sends you.

v2.23.0 | Report a Bug | By Email