Re: [Acme] Fixing the TLS-SNI challenge type
Tim Hollebeek <tim.hollebeek@digicert.com> Fri, 19 January 2018 17:17 UTC
Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8E3A12E04F for <acme@ietfa.amsl.com>; Fri, 19 Jan 2018 09:17:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level:
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s6RlKd9aqmSX for <acme@ietfa.amsl.com>; Fri, 19 Jan 2018 09:17:15 -0800 (PST)
Received: from mail1.bemta12.messagelabs.com (mail1.bemta12.messagelabs.com [216.82.251.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 325F612E056 for <acme@ietf.org>; Fri, 19 Jan 2018 09:17:15 -0800 (PST)
Received: from [216.82.249.212] (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)) by server-10.bemta-12.messagelabs.com id 75/34-03100-A18226A5; Fri, 19 Jan 2018 17:17:14 +0000
X-Brightmail-Tracker: H4sIAAAAAAAAA1WTWUwTURSGezvTYURqLgXliBs2KgTTRsClagz 6oGlcIrwYrSY6lZFWu5BO0aIm4oayiCAYKGIQhGgqGCUaxQWk4gKNbCZIIEFJUUFEXDAqCWo7 U1zevnP+f875780dmpCNUKE0a7OyFhNjkFP+ZIvyolkxNUKrWZDXEahyvI1Xtb73Uw3fLSBVJ W5a5a4sJFUjr9KJlZS6LqcCqcvLf4jVDvtLSn2vqYdUd2cWU3ESjURv0pptOyS6U1mfiaT+Zb b2lhFxKipbmoH8aRIPi+HkaafEW8hwnhhSn9mRUDQgeNyVJ85AE2gKL4CO+094Dsab4FzXVT+ vicAVCHKaGj0FTQfhRXClQSF4FsOH48fIcf81Vw3hZRLPhbria/wcKd4GDWMPKWFZIQFnR27y wgS8EIYLCviPEZ4C35oq+T6BQ6Crr4RnwMHQ2+aiBJ4MA+6fEsG/Dc5/cfr6cuiu+o4EngHtJ Zn8yQB3+EFuVp3PpISbuUM+0wYYHOqRCKZLCByvM3xCJDx1pvl4D9R2N0sEXg4DzXd9/IKAN9 /DBJ4Ofe2/fIMaJfA8t4iPLcMJkO8Yj3cABro7qRwUWfTP6QQuQZDtUhTx1xQIjfY+Uugr4E7 tA0LgWXBrqNjHy6FwtJ4SeDbkZ/b6CbwIBh99QhcQ7UARHGvZy1oU0UuUWos+UWc1MnqDIioq WmlkOY5JZA2MllPuNBurkeftHRKJ0G1UfXitE02lxfLJ0r1jjEY2SWtOSNExnG67JdnAck40n ablIB2dp9XIAi1sImvbpTd4HvC4DHSAPFhKhHtkKZfEGDl9oiA1oRj6RsHbNILu7B9MI2SkyW xiQ0OESdhr1SWb/gwa/xna0YzQICkSiUSygCTWYtRb/9ffoRAayYOkq7wLA/Qm65997zxRxJ4 ouacYbxQr81cKTUVLj+9+MnokfPWKzq51+fsrt1Dy88s0s0rLcPhRU2NhfLaKGc1uJsds2pjr 6VFXnFUnNxdXgGH/Q1fp18xn5Snz+1o25p25fOKWu6VtX9g9+4H4menu9afXRX507atfHTtNX B1XHt+KZbGxc6rCckJ6Vw3Vrtm6XVvTM/GY/WBvVlaKnOR0TFQkYeGY376/uCoHBAAA
X-Env-Sender: tim.hollebeek@digicert.com
X-Msg-Ref: server-9.tower-219.messagelabs.com!1516382232!207541210!1
X-Originating-IP: [207.46.163.111]
X-StarScan-Received:
X-StarScan-Version: 9.4.45; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 3937 invoked from network); 19 Jan 2018 17:17:13 -0000
Received: from mail-sn1nam01lp0111.outbound.protection.outlook.com (HELO NAM01-SN1-obe.outbound.protection.outlook.com) (207.46.163.111) by server-9.tower-219.messagelabs.com with AES256-SHA256 encrypted SMTP; 19 Jan 2018 17:17:13 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=37dsiFmMXa8drOIV7Veia1EVKJm/eU0xvLNyASckLZ4=; b=HQ39jxaAwLQn+4tn5zHcD5+p71gVtd+4SPXH3GkZ5GRb65crlEVO8yEFaEIVFR0Kc1QPluby8LYe98EFK6gk7ajYqc+u1GjG0ZNGT5ZsLWjbIMZ4cIF5ZY6CxfG7s/uno+BsdJj9V5Z8yNdyZL+IKsqnNGeh9yAl1narV6niZTE=
Received: from DM5PR14MB1289.namprd14.prod.outlook.com (10.173.132.19) by DM5PR14MB1289.namprd14.prod.outlook.com (10.173.132.19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.407.7; Fri, 19 Jan 2018 17:17:11 +0000
Received: from DM5PR14MB1289.namprd14.prod.outlook.com ([10.173.132.19]) by DM5PR14MB1289.namprd14.prod.outlook.com ([10.173.132.19]) with mapi id 15.20.0407.012; Fri, 19 Jan 2018 17:17:11 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>, Daniel McCarney <cpu@letsencrypt.org>
CC: Jonathan Rudenberg <jonathan@titanous.com>, Patrick Figel <patrick@figel.email>, IETF ACME <acme@ietf.org>, Roland Bracewell Shoemaker <roland@letsencrypt.org>
Thread-Topic: [Acme] Fixing the TLS-SNI challenge type
Thread-Index: AQHTiz9G0+Dpp/43tke+4NU5ZM+pfqNvjg8AgADPoQCACvOtgIAAAiKAgAANIQCAABpgEA==
Date: Fri, 19 Jan 2018 17:17:11 +0000
Message-ID: <DM5PR14MB128940938238421C64F819AB83EF0@DM5PR14MB1289.namprd14.prod.outlook.com>
References: <FC8545A9-4D43-4BCC-ADB1-40A0F92461E8@titanous.com> <F2551BE5-0866-4F03-972E-E223E8D60001@letsencrypt.org> <a506c023-ff44-7f14-71b1-94e4e810cd12@letsencrypt.org> <0603b570-f790-88a7-5514-b324eff4f087@figel.email> <CAKnbcLj=eYhm8qRj0B0U5FOu=UMn0wY+5apkJ-aHhhfh+mS-uw@mail.gmail.com> <CAKnbcLj+UaUbu=EDbPU8UWwm9hUefXBKmtS=ZwSy7_2zCA=pmg@mail.gmail.com> <20180119153832.GA28022@LK-Perkele-VII>
In-Reply-To: <20180119153832.GA28022@LK-Perkele-VII>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [74.111.107.128]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM5PR14MB1289; 6:ucwMSeo7LShjNypMAvxk+MezdUbnAMi9HFUbkkYDQeSdEHP/l1/TomKF5OMhJgozdVedPQsQkWnNkq/7Mgq1nF9qaEdZJIO57+jhYAQvmcEd/CFN/zOQeNRH5gZQS0GvghTmh0DCQTfR7MP8UNdlRaxZnkErppsGVRwGeEBbHjQligtl5U6/8BZ3GFlRW9jjoVR37SoO2ij5ds99TjPq+rEDgfr8kh1eJbN7cNHLHWM/FIIXeG56U5i29AgVXc6o+AhE0bfYqtVISL+ZcYO/lp2c6+pkfCGaN4PN7V9b6ueRZt45A5HNKv0s5ZHoAplM4PGZJfx5ZnHTO2gYc7n+x4pKP4qa6+Fg3TnAAnbiDsG8mOeM3duyCFptDcVxuk0F; 5:r/bSIoewYhJch6FyhoplTNa6/f0Yr1kfLs+WeYnSshpayx7BdtBXI7el5ytnygBGBNu9nDYI2uQE3ALY76tUgJ1yDdLyi7b9zHgFTz/NLFzcxruGKK03K6zmazG3sqQWYC1Sj6B/khPxsR82+WVkvIP+KXinoUeeISzyIfY9G2I=; 24:o6NVqmozNLm9pj2sqv9x6JxOUGL/6wQrpgcnXJ8aBB6Cm4JAtR5HG4GL3uiNM02q8JUapPDjj4tnAFGmLZyK/frfreGYh7b7XHUHRcextus=; 7:OBW6wWsgPlA9y05dDi7FL3XbKLFCv1f5192zv5upv3mdMPVj90tunJGx3AlRg9x+8yqmGOAmYcj2Cxhjg8GEd6T567ZW/0Au+4uiNRmUBV7tFT5kqN8lze8lMTT6Hkf7kCP4pjBaIObMXkSlOSf9ODa64k8dtFj9dzGE9Amg03NyQTEWXqKbu900w6R6rab+rrAQk/h5Q8hpxrAdwS2MNiBImcMn3s4Tssa2P2W0jYQJo8IXGxvPp3P2NNGKGlRc
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: da44843a-6c84-496b-e664-08d55f607a4a
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(7021125)(5600026)(4604075)(3008032)(2017052603307)(7153060)(49563074)(7193020); SRVR:DM5PR14MB1289;
x-ms-traffictypediagnostic: DM5PR14MB1289:
x-microsoft-antispam-prvs: <DM5PR14MB1289196602B7722E4737B37883EF0@DM5PR14MB1289.namprd14.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(102415395)(6040470)(2401047)(5005006)(8121501046)(10201501046)(3231023)(2400080)(944501161)(93006095)(93001095)(3002001)(6041268)(2016111802025)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(20161123562045)(20161123564045)(6072148)(6043046)(201708071742011); SRVR:DM5PR14MB1289; BCL:0; PCL:0; RULEID:(100000803101)(100110400095); SRVR:DM5PR14MB1289;
x-forefront-prvs: 0557CBAD84
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(376002)(346002)(39380400002)(366004)(39860400002)(189003)(199004)(6506007)(14454004)(102836004)(6116002)(3846002)(99286004)(5660300001)(105586002)(2906002)(53936002)(106356001)(55016002)(9686003)(6246003)(4326008)(7736002)(97736004)(26005)(305945005)(86362001)(59450400001)(3660700001)(3280700002)(74316002)(76176011)(99936001)(7696005)(77096007)(316002)(2900100001)(93886005)(110136005)(54906003)(2950100002)(33656002)(8676002)(6436002)(25786009)(68736007)(81166006)(81156014)(8936002)(66066001)(229853002)(478600001); DIR:OUT; SFP:1102; SCL:1; SRVR:DM5PR14MB1289; H:DM5PR14MB1289.namprd14.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: t1oV1rAu0i+DzLRinOJaX3Z77MSddqHpm27riZAQFTEiWbebvuQ5IykRGL3RqHihxqnPwCvTb1dObRDnw1nUpA==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"; boundary="----=_NextPart_000_04D5_01D3910E.A0560D00"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-Network-Message-Id: da44843a-6c84-496b-e664-08d55f607a4a
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Jan 2018 17:17:11.4302 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR14MB1289
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/qLufr5VGehlBKo_Sgl0RHz7qUEM>
Subject: Re: [Acme] Fixing the TLS-SNI challenge type
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jan 2018 17:17:17 -0000
> Basically, for security, one needs to put the domain to be validated to the SNI > field. Not doing that was the reason for the TLS-SNI-01/02 vulernability. I agree. Not only for security, but for compliance, both with the Baseline Requirements [1] and the intended use of SNI. Abusing SNI as an OOB communication channel was a bad idea and should not continue. -Tim [1] I am unpersuaded by tortured arguments used to claim TLS-SNI-01/02 complies with the Method 10 requirements.
- [Acme] Fixing the TLS-SNI challenge type Jonathan Rudenberg
- Re: [Acme] Fixing the TLS-SNI challenge type Roland Bracewell Shoemaker
- Re: [Acme] Fixing the TLS-SNI challenge type Jonathan Rudenberg
- Re: [Acme] Fixing the TLS-SNI challenge type Roland Bracewell Shoemaker
- Re: [Acme] Fixing the TLS-SNI challenge type Peter Eckersley
- Re: [Acme] Fixing the TLS-SNI challenge type Martin Thomson
- Re: [Acme] Fixing the TLS-SNI challenge type Jonathan Rudenberg
- Re: [Acme] Fixing the TLS-SNI challenge type Martin Thomson
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Jonathan Rudenberg
- Re: [Acme] Fixing the TLS-SNI challenge type Patrick Figel
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Niklas Keller
- Re: [Acme] Fixing the TLS-SNI challenge type Daniel McCarney
- Re: [Acme] Fixing the TLS-SNI challenge type Daniel McCarney
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Richard Barnes
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Tim Hollebeek
- Re: [Acme] Fixing the TLS-SNI challenge type Tim Hollebeek
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Salz, Rich
- Re: [Acme] Fixing the TLS-SNI challenge type Tim Hollebeek