Re: [Acme] Alexey Melnikov's No Objection on draft-ietf-acme-acme-14: (with COMMENT)

Richard Barnes <rlb@ipv.sx> Wed, 29 August 2018 17:10 UTC

From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 29 Aug 2018 13:09:59 -0400
Message-ID: <CAL02cgRG-TGziXB9ro116dVR0iMN8CrRuzA4PRTk2jEPj7nrzw@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: Daniel McCarney <cpu@letsencrypt.org>, Alexey Melnikov <alexey.melnikov@isode.com>, Alexey Melnikov <aamelnikov@fastmail.fm>, draft-ietf-acme-acme@ietf.org, IETF ACME <acme@ietf.org>, The IESG <iesg@ietf.org>, Yoav Nir <ynir.ietf@gmail.com>, "<acme-chairs@ietf.org>" <acme-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f69eea0574960797"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/poGMtiZhdL91YlT9DcQZUglhXM4>
Subject: Re: [Acme] Alexey Melnikov's No Objection on draft-ietf-acme-acme-14: (with COMMENT)

I noticed that we already had some text in the security considerations
about redirects, so I reverted to SHOULD and added a forward pointer.

> More limited forms of delegation can also lead to an unintended
> party gaining the ability to successfully complete a validation
> transaction. For example, suppose an ACME server follows HTTP
> redirects in HTTP validation and a website operator provisions a
> catch-all redirect rule that redirects requests for unknown
> resources to a different domain. Then the target of the redirect
> could use that to get a certificate through HTTP validation since
> the validation path will not be known to the primary server.

https://github.com/ietf-wg-acme/acme/pull/442/files#diff-8430e2aa241beb4ac49b252db20d4ee8R2492

Alexey: Can you live with this solution?  There is some residual interop
risk, but (1) that's kind of unavoidable given the uncertainty here, and
(2) redirects are an easy-ish thing to debug and adapt if there's a
mismatch.  And at least the reasoning is pretty well documented now.

--Richard

On Wed, Aug 29, 2018 at 12:55 PM Salz, Rich <rsalz@akamai.com> wrote:

> I read the link you posted, thanks.
>
> As long as we’re not breaking the HTTP spec, I agree that SHOULD seems to
> get the most interop.  As long as we’re getting signed responses back, I
> don’t think it matters much where the redirect sends you.
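As an added illustration of the redirect scenario quoted above (example code, not part of this thread, the draft, or any ACME implementation): a small Python simulation of an HTTP-01 validator that follows redirects, computes the expected key authorization per RFC 7638/8555, and records the hop chain and the host that finally answered, so a CA operator can see in its logs when a validation was satisfied off-domain. The host names, token and JWK values are constructed.

```python
import base64
import hashlib
import json
from urllib.parse import urlsplit

MAX_REDIRECTS = 10  # hop limit the validator enforces

def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the key's required members, lexicographic order, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canon = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return base64.urlsafe_b64encode(hashlib.sha256(canon.encode()).digest()).rstrip(b"=").decode()

def key_authorization(token, jwk):
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || base64url(Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def validate_http01(identifier, token, jwk, fetch):
    """Simulated HTTP-01 check. fetch(url) -> (status, headers, body) stands in for the
    CA's HTTP client (constructed). Besides pass/fail, the record keeps the hop chain and
    the host that finally answered, so an off-domain redirect is visible in audit logs."""
    expected = key_authorization(token, jwk)
    url = f"http://{identifier}/.well-known/acme-challenge/{token}"
    hops = [url]
    for _ in range(MAX_REDIRECTS):
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = headers["Location"]          # follow the redirect, remember where it went
            hops.append(url)
            continue
        final_host = urlsplit(url).hostname
        return {"valid": status == 200 and body.strip() == expected,
                "hops": hops, "final_host": final_host,
                "cross_domain": final_host != identifier}
    return {"valid": False, "hops": hops, "final_host": None, "cross_domain": None}

def demo():
    """Constructed scenario from the quoted text: a catch-all redirect sends unknown paths off-domain."""
    jwk = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
    token = "constructed-token"
    keyauth = key_authorization(token, jwk)
    def fetch(url):
        parts = urlsplit(url)
        if parts.hostname == "example.com":    # catch-all: every unknown path redirects elsewhere
            return 302, {"Location": f"http://other.example{parts.path}"}, ""
        if parts.hostname == "other.example" and parts.path.endswith(token):
            return 200, {}, keyauth + "\n"     # the redirect target serves a matching value
        return 404, {}, "not found"
    return validate_http01("example.com", token, jwk, fetch)
```

`demo()` returns a record with `valid` True and `cross_domain` True: the challenge passes, but the answering host was not the identifier being validated, which is exactly the case the security considerations text asks operators to be aware of.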