IETF Logo Mail Archive

Re: [Acme] Mail regarding craft of hash for draft-ietf-acme-dns-account-challenge

Amir Omidi <amir@aaomidi.com> Wed, 07 February 2024 20:44 UTC

Return-Path: <amir@aaomidi.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19205C14F74A for <acme@ietfa.amsl.com>; Wed, 7 Feb 2024 12:44:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, WEIRD_PORT=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aaomidi.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XsDxyD8hjM8n for <acme@ietfa.amsl.com>; Wed, 7 Feb 2024 12:44:43 -0800 (PST)
Received: from mail-ej1-x634.google.com (mail-ej1-x634.google.com [IPv6:2a00:1450:4864:20::634]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BFB19C14F616 for <acme@ietf.org>; Wed, 7 Feb 2024 12:44:43 -0800 (PST)
Received: by mail-ej1-x634.google.com with SMTP id a640c23a62f3a-a34c5ca2537so148186566b.0 for <acme@ietf.org>; Wed, 07 Feb 2024 12:44:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aaomidi.com; s=google; t=1707338682; x=1707943482; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=e9TxvBJRjXOvNmc8nkzJoEupFufshEfqWl4pCF/qPig=; b=in5ld7fzXzWlW6oMQxIGVWH6pn33taiLtrgPDk2GVRmTyI0zrv7VzngO+CM+8e5lT7 pIapThIcJAeGhfhAXNZaf2rnsR48842gYm8rHK4tCwTVszBHXXVEFf/FW45yN5W250Vt oAUqv5PxtYGLMsMCaWpnY712AARQzQ1EaRcVDuW22Jjws58MuBL1G6QEu2/DmoNDkNZV CKwNNnuIS01OTDlZRULkbs4yAe0uhykoB5DlXb39IsnD8OjA6ku1BIg4P5UTNJ81ZtDg 0uaNEHxC0cO1ExgWtJ1We8A4kwpfWaOQz+xT9+4QiYBEfyC4/gpEn6IabMgZmphMUlZ8 s+Tg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707338682; x=1707943482; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=e9TxvBJRjXOvNmc8nkzJoEupFufshEfqWl4pCF/qPig=; b=h3A7ZT3mKbBAb79c8LM+HH1FiLMwZV3gkjVHux8KT46aNyNYWQYVOEof91GMvGXvlh gIrM9nx+pZVkcAcQJcs5mL6ztnZG9XVGzCxZKjzeGHz6JI/3ub1fZmENzN+OzR4AXE82 LQkYO2XisO8/650wEgntIPFR2k75XIeWDWN8wZlasqHcSblLPtG0Xbw37rdocAururYb pVz/J2TjI2vdEseVQ3qV85PkgDkW3nuhjCyiBylxJiduig1YPef9tB131PNCgYm6V+mi Jrb2heTvWxSA3c+nZwUptYmCwXD5HwJINA2oXNsGFxCG1oArGq4K8SwgjbBW+0jn+UYS jxTg==
X-Gm-Message-State: AOJu0Yw6yR0pKaMw92hNaALhpOvI79GgHFDt4dPCZe1Dpu8ttef8tDBn s3FC78jLtIC4htSqDrS3TmYSq1PbmnywD+ljeSqZTKVXeclMuOLTB6fW04jxWfaeDiAlRIzM+aN uRuRpyn5H4ZvrT4QdsiE9DTmFDdnNpYKa9fqSPQ==
X-Google-Smtp-Source: AGHT+IFOVmss6NuJ/k2MD+L7vUnjortcsxXtU6qAve8Cr0TCuKICvIT09oG3Bwer1YN8Up4zeIgyeAXGHGEoTsNVDr4=
X-Received: by 2002:a17:907:7da7:b0:a38:5a98:3a92 with SMTP id oz39-20020a1709077da700b00a385a983a92mr3254774ejc.25.1707338681479; Wed, 07 Feb 2024 12:44:41 -0800 (PST)
MIME-Version: 1.0
References: <31b872f6-2ced-41b3-b22c-58ae89058570@gmail.com> <CAOG=JULrdnk4wYBKB-pfY4kXK=fF=ODi6PZ3wEj=zn7B4=nZXQ@mail.gmail.com> <ab7caac8-52b8-4416-9083-fe8533d51ec4@gmail.com> <CAOG=JUJvhTfN8b_giddEN0wH+3mf2Fh0j6FNij=qg=AXj+zzSA@mail.gmail.com> <CAEmnErfLN6cN21_-pJPb-d7u+tPCd1Dw97d-GmDzFm9wfT4d=w@mail.gmail.com> <CAOG=JULpYmjjfa=7m=L7keKHham+6P1BH7c+pXFzAmJXzK-bQQ@mail.gmail.com>
In-Reply-To: <CAOG=JULpYmjjfa=7m=L7keKHham+6P1BH7c+pXFzAmJXzK-bQQ@mail.gmail.com>
From: Amir Omidi <amir@aaomidi.com>
Date: Wed, 07 Feb 2024 15:44:29 -0500
Message-ID: <CAOG=JUJO3aaPbmNZLjUnq-RPFP1BvMVSLf_jCnTRD3-bSVJ9Pw@mail.gmail.com>
To: Aaron Gable <aaron=40letsencrypt.org@dmarc.ietf.org>
Cc: Seo Suchan <tjtncks@gmail.com>, acme@ietf.org
Content-Type: multipart/alternative; boundary="0000000000009f09040610d0c398"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/n-U5eVav7YhqFsaoNJKu4UevYYE>
Subject: Re: [Acme] Mail regarding craft of hash for draft-ietf-acme-dns-account-challenge
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Feb 2024 20:44:48 -0000

I've been thinking about this more.

I'm going to remove the uniqueness stipulation, and just formalize
something along the lines of "use the kid that was in the JWS of the
request". Obviously the normal "validate the JWS before you just blindly
trust it" still applies.

This way, the account KIDs no longer have to be unique, and I think it's a
more general solution to this problem.

On Tue, Feb 6, 2024 at 5:35 PM Amir Omidi <amir@aaomidi.com> wrote:

> We are using the `kid` value. And from my understanding in the ACME spec,
> when a client is responding with a POST request to the challenge URL, the
> KID is included in that JWS payload.
>
> That's the KID that should be used for constructing the validation domain.
>
> On Mon, Feb 5, 2024 at 12:22 PM Aaron Gable <aaron=
> 40letsencrypt.org@dmarc.ietf.org> wrote:
>
>> And I think the implication here is that, if an ACME server responds on
>> multiple URIs and reflects those multiple URIs back to the client in the
>> Location header, then that server must also support hashes of those
>> multiple URIs when conducting DNS-ACCOUNT-01. Does that make sense?
>>
>> Aaron
>>
>> On Sat, Feb 3, 2024 at 1:18 PM Amir Omidi <amir=
>> 40aaomidi.com@dmarc.ietf.org> wrote:
>>
>>> No, the accountURL/URI that new-account returns is the only
>>> authoritative path. I'll make sure that it is spelled out in the RFC. If an
>>> acme client has an account key, it can use the method described here:
>>> https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.1 to find the
>>> accountURL for that account.
>>>
>>> Since ACME does not define "what the ID part of an accountURL is", I'm
>>> much more inclined on just keeping the entire accountURL as the ID to be
>>> hashed for the challenge label.
>>>
>>> On Sat, Feb 3, 2024 at 3:59 AM Seo Suchan <tjtncks@gmail.com> wrote:
>>>
>>>> if it's stable but has multiple valid path (ex: acme-v1.ca.com and
>>>> acme-v2.ca.com) , would server need try for both subdomain and lookup
>>>> every possible valid path?
>>>> 2024-02-03 오전 1:35에 Amir Omidi 이(가) 쓴 글:
>>>>
>>>> From my understanding, under ACME we treat that entire accountURL as
>>>> the userID. So I think that URL will need to be stable.
>>>>
>>>> On Fri, Feb 2, 2024 at 2:36 AM Seo Suchan <tjtncks@gmail.com> wrote:
>>>>
>>>>> for some ACME servers they have multiple allowed acme endpoint
>>>>> domains,
>>>>> and server doesn't know what domain name client used to access its API
>>>>> duce don't have full accounturl that used to craft challenge subdomain:
>>>>>
>>>>> like boulder (what Let's encrypt uses) allows to accessed from
>>>>> mulitple
>>>>> path ex:
>>>>>
>>>>> "accountURIPrefixes": [
>>>>> "http://boulder.service.consul:4000/acme/reg/",
>>>>> "http://boulder.service.consul:4001/acme/acct/"
>>>>>          ]
>>>>>
>>>>>   , and pebble and smallstep do not have host in config but allow any
>>>>> ip
>>>>> or domain pointed to them and reflect them to create link to
>>>>> account/order/ect
>>>>>
>>>>> would only using userid part of accountURL (ExampleAccount) from
>>>>> https://example.com/acme/acct/ExampleAccount have problem? while it's
>>>>> trivial to extract from hash to accounturl as accountID was
>>>>> autoincrementing counter, but was there are so few large acme provider
>>>>> it was trivial to make rainbow table anyway.
>>>>>
>>>>> _______________________________________________
>>>>> Acme mailing list
>>>>> Acme@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/acme
>>>>>
>>>> _______________________________________________
>>> Acme mailing list
>>> Acme@ietf.org
>>> https://www.ietf.org/mailman/listinfo/acme
>>>
>>

v2.23.0 | Report a Bug | By Email