IETF Logo Mail Archive

[Acme] ALPN based TLS challenge

Roland Bracewell Shoemaker <roland@letsencrypt.org> Fri, 23 February 2018 01:48 UTC

Return-Path: <roland@letsencrypt.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17CEB12D93E for <acme@ietfa.amsl.com>; Thu, 22 Feb 2018 17:48:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PDRVQX7nXIId for <acme@ietfa.amsl.com>; Thu, 22 Feb 2018 17:48:31 -0800 (PST)
Received: from mail-pf0-x22c.google.com (mail-pf0-x22c.google.com [IPv6:2607:f8b0:400e:c00::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1AAF5126BF6 for <acme@ietf.org>; Thu, 22 Feb 2018 17:48:30 -0800 (PST)
Received: by mail-pf0-x22c.google.com with SMTP id q13so2878152pff.0 for <acme@ietf.org>; Thu, 22 Feb 2018 17:48:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; h=from:mime-version:subject:message-id:date:to; bh=alwFr6oECwR3tv7pHh/xhwJ2YYxIr79QIn5u1LQrR0E=; b=MJRv9xI97k64iWOGumatYxUL/np9kpbZqAH5v6YOfk7rHv02tflzUTqle5IwaGTsY6 E2t3OX//DMjGyyTfIZb+E0wlFEmthHtuptnpnDbhc2xcaQ4J5NEcpUB15BLF6rSqSnlh SAkt1xrfb/TqwNqntmda7k9qp1WSLwOribQYU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:message-id:date:to; bh=alwFr6oECwR3tv7pHh/xhwJ2YYxIr79QIn5u1LQrR0E=; b=Ax0ZOmr7M52UpfOf8hs3JvbAVSgZAyut2Q5SOn+WRzpNA8CbvA2Vzo9pWAxN5dB0JE 7Vkv4yl2R0vH8YpvHu2Jc0n4TG9WEhaJGBdqbSxuc6ue/AdoEwfuT2e1Nmi4ZJGs2aBb QKkOPh77Og6+Aa6YV4EdRe991YJkKM0+mOvb41cvkoM+5p97ScinnT9kBNQ/+9Y2i+ya 44qp229nMjm3mDTp6/LUSEAnpb7hqVATFbVbZyNHA0wQhZmPw/ZBJQf6xcHfzJhh3nJd quFIPuGXEfuU6NKvySeWnsU513IzSljA36/IWROV1hmHjSO4AwjmcU48xK/9QG6RI/WD 30bQ==
X-Gm-Message-State: APf1xPCVkGDu/f7pfvbVqaU1CtCeF5cs/PCCeEW/vGX9rmJXDqvUl01V JJeR9KyT7vJD0EjTpSD/z/jagH7U1G0=
X-Google-Smtp-Source: AH8x226d1aI286UTnHJFa1BYCk8FDex09luUpY1btbO3Gi2QjvgTaa6Z97iJKS6mYH1BPhz10N/K+g==
X-Received: by 10.99.56.7 with SMTP id f7mr47867pga.114.1519350510207; Thu, 22 Feb 2018 17:48:30 -0800 (PST)
Received: from [172.20.10.2] ([172.58.35.79]) by smtp.gmail.com with ESMTPSA id f79sm1906166pfd.103.2018.02.22.17.48.28 for <acme@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 22 Feb 2018 17:48:29 -0800 (PST)
From: Roland Bracewell Shoemaker <roland@letsencrypt.org>
Content-Type: multipart/mixed; boundary="Apple-Mail=_AB7F4401-063C-4C16-9527-C52A4E0D1183"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
Message-Id: <0639F8AA-9E14-4FD4-A9A4-C03EB4D95962@letsencrypt.org>
Date: Thu, 22 Feb 2018 17:48:23 -0800
To: acme@ietf.org
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/o9QIj4Kv7QqwDe3nyJkl_w0lbwU>
Subject: [Acme] ALPN based TLS challenge
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Feb 2018 01:48:34 -0000

Hey all,

After the issues with the SNI based TLS challenges were discovered there was interest from a number of parties in developing another challenge that did validation at the TLS layer. After some discussion about possibilities we’ve come up with a new challenge type based on ALPN which we believe provides the required security properties which the SNI based methods did not have.

I’ve attached the rough draft of a document which defines this new method and lays out the security considerations and design rationale for it. Given the interest in getting a new TLS method specified would the WG chairs be amenable to directly adopting this as a WG work product (assuming there is consensus on list) so that we can start work on it or is it required to be submitted as a individual draft first?

Happy to field any questions about the details. I’d also like to thank everyone who provided initial input and editorial opinions on this.

Thanks,
Roland

v2.23.0 | Report a Bug | By Email