Re: [Acme] SNI extension for tls-alpn-01 challenge in draft-ietf-acme-ip-05
Michael Richardson <mcr+ietf@sandelman.ca> Tue, 23 April 2019 20:28 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8109D120123 for <acme@ietfa.amsl.com>; Tue, 23 Apr 2019 13:28:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zLLTRnKcyMX1 for <acme@ietfa.amsl.com>; Tue, 23 Apr 2019 13:28:49 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [176.58.120.209]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B8051200E9 for <acme@ietf.org>; Tue, 23 Apr 2019 13:28:48 -0700 (PDT)
Received: from dooku.sandelman.ca (unknown [75.98.19.133]) by relay.sandelman.ca (Postfix) with ESMTPS id 235181F457; Tue, 23 Apr 2019 20:28:47 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id E42DB3B51; Tue, 23 Apr 2019 16:28:46 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
cc: "acme@ietf.org" <acme@ietf.org>
In-reply-to: <CAErg=HH2NqHH-+AUAXvMWBrmhOPH=86twOkr=b=F0TduB45KSw@mail.gmail.com>
References: <MN2PR18MB28457CCBEF6FFE2B70E286FCC3250@MN2PR18MB2845.namprd18.prod.outlook.com> <CAErg=HGYuRc+tOBwRedx5a9tnH9iVm3bfWYhfXeiHCgcvp8gMA@mail.gmail.com> <MN2PR18MB2845DBA634A0BC648222C627C3230@MN2PR18MB2845.namprd18.prod.outlook.com> <CAErg=HG=LgqDxZ8QxVSAq2K6MsKJX36o6O7v0ojS3rsgUXuHVw@mail.gmail.com> <24216.1556044089@dooku.sandelman.ca> <CAErg=HH2NqHH-+AUAXvMWBrmhOPH=86twOkr=b=F0TduB45KSw@mail.gmail.com>
Comments: In-reply-to Ryan Sleevi <ryan-ietf@sleevi.com> message dated "Tue, 23 Apr 2019 14:43:07 -0400."
X-Mailer: MH-E 8.6; nmh 1.6; GNU Emacs 24.5.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Tue, 23 Apr 2019 16:28:46 -0400
Message-ID: <32047.1556051326@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/pz57bSIM7H-CTbmjO_IlElumitA>
Subject: Re: [Acme] SNI extension for tls-alpn-01 challenge in draft-ietf-acme-ip-05
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Apr 2019 20:28:51 -0000
Ryan Sleevi <ryan-ietf@sleevi.com> wrote: > Now, the system can already dispatched based on hostname, ensuring that > good.example sessions are served Customer A's response, and > evil.example sessions are served Customer B's response. The issue is > whose response is served when there is no SNI? Under a TLS-ALPN (no-ip) > model, there's no restrictions or requirements there; you could serve > Customer A, customer B, or neither - and none would undermine the > security of TLS-ALPN (as a validation method) or of the security > properties you're trying for. okay, I'm with you so far. > In a world where IPs were possible to be validated using TLS-ALPN, and > the information omitted from the request, if evil.example/Customer B > can serve a certificate that confirms the response for 10.0.0.2, then > they could get a certificate for Customer A's IP. To do this requires that the cloud provider make a clear decision about what they are going to do with SNI-less requests above. I feel that the cloud provider did something wrong here. > In a world where we include the to-be-validated IP in the request, and > the Cloud Provider is observing the security invariants required for > TLS-ALPN (that any hostnames to be validated have been successfully > authenticated as belonging to the customer in question), then Customer > B would have to demonstrate control, to the provider, over > 2.0.0.10.in-addr.arpa in order to get such a certificate. I see. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | network architect [ ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
- [Acme] SNI extension for tls-alpn-01 challenge in… Corey Bonnell
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Ryan Sleevi
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Corey Bonnell
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Ryan Sleevi
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Michael Richardson
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Salz, Rich
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Ryan Sleevi
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Michael Richardson
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Michael Richardson
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Ryan Sleevi
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Michael Richardson
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Ryan Sleevi
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Michael Richardson
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Ryan Sleevi
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Ilari Liusvaara
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Ryan Sleevi
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Ilari Liusvaara
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Ryan Sleevi
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Ilari Liusvaara
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Ryan Sleevi
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Corey Bonnell
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Ilari Liusvaara