Re: [Acme] [Technical Errata Reported] RFC8555 (6843)
Deb Cooley <debcooley1@gmail.com> Thu, 04 January 2024 11:58 UTC
Return-Path: <debcooley1@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06C63C14F6BE for <acme@ietfa.amsl.com>; Thu, 4 Jan 2024 03:58:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.854
X-Spam-Level:
X-Spam-Status: No, score=-1.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fxCKAvutfg0n for <acme@ietfa.amsl.com>; Thu, 4 Jan 2024 03:58:14 -0800 (PST)
Received: from mail-il1-x12a.google.com (mail-il1-x12a.google.com [IPv6:2607:f8b0:4864:20::12a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A95E4C15790F for <acme@ietf.org>; Thu, 4 Jan 2024 03:56:56 -0800 (PST)
Received: by mail-il1-x12a.google.com with SMTP id e9e14a558f8ab-36068bdfe20so983025ab.1 for <acme@ietf.org>; Thu, 04 Jan 2024 03:56:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1704369416; x=1704974216; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=EzsWdzO6aUjWUAESput+zfhz8vraeiO0KpmbPikuABU=; b=ekuNBWxh2pNeRifdKn08Z5AUiR3LHaCZjWD3rqkPXK5EGxjLKvjS3tV4I0BM/DHUGZ q5wEQCCMOLef8xsi6ow8q8SwzxrzzdpMqqM0gdleobTS+iJzyswmmPHitJMPQA6CX2M8 XmHBOz9pL0K2ZrAy2ZG5WXba2uV2YcOaNC7SPCW8TJA6DgP/r1DBpo5pKeJLSDq/lGFC iQz4UTiti9cuEzT2aiRaJz420PfIvlVH5d6+ASgnaMS6FPV7EMVvWO47kMSm9ZFHjSTx LAowJuSo1cEtlwcJDwOL4C5CXKqZ3ttn+TnIMh6/81c/CalJ1XFNhIPDPd0wV+9zvXlT NYvg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704369416; x=1704974216; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=EzsWdzO6aUjWUAESput+zfhz8vraeiO0KpmbPikuABU=; b=TJ0mWdePEp7crAnmUcXfme8sPZQxJO3btEPEst+2JjUt1eqe2n2ayj2jg8hEZk5xX+ fXD3EYtSixl07kW5QuhAoEUPlxml2sJy7RZmM/0tUWhjM8bx1ZvrPg4x/JzzE4G41BdP Qa442qjSBinPwgks4NHlPPZv1eSPoeXlQzRbHMeNDlEVVs1yCd6xKugQ2aqRoleUElDg j4fsZ78uWqOPVm6YjGZhCO37pwuOTo+0baEYbrVvnkGi1HHoWrStQRyfnPqcSTgYh0AX C7/wM65kiuQak5aVk7cZAjaXhQ3CZ0Oy2bGQRfYlBkETSCXeFyi0K7LVF1TkVxLQk3Np Shyw==
X-Gm-Message-State: AOJu0YxX+iqcN+QT0wdf47Wj7a8rgqXwSiRZNQjkUCIceFcbBiHWeTU8 Lx6IofvOZ289t3t1h9XWcpGc7fwi9YldWrVigQ==
X-Google-Smtp-Source: AGHT+IEmecM4vLadR/m4xHA4IdClXFf45AzCJkCCOesdiYIgELsL1UAWyHE4IcDupey6g3HIgWfs0yMjFxGAjkIk+Zw=
X-Received: by 2002:a05:6e02:1985:b0:360:6fd:321e with SMTP id g5-20020a056e02198500b0036006fd321emr542420ilf.124.1704369415613; Thu, 04 Jan 2024 03:56:55 -0800 (PST)
MIME-Version: 1.0
References: <20220208202323.A644DE9747@rfc-editor.org> <20220209065416.GT48552@kduck.mit.edu> <CAAEpsx8k3ysjYnj6cRYzepZnfZEsFv-emHpiz3bXG-hEW8NK_g@mail.gmail.com> <MWHPR2001MB190159D2320512B79C12EFF9DB3D9@MWHPR2001MB1901.namprd20.prod.outlook.com>
In-Reply-To: <MWHPR2001MB190159D2320512B79C12EFF9DB3D9@MWHPR2001MB1901.namprd20.prod.outlook.com>
From: Deb Cooley <debcooley1@gmail.com>
Date: Thu, 04 Jan 2024 06:56:34 -0500
Message-ID: <CAGgd1OfW8gJeFLob7x1g9+n+tGSQrGbiqv8Os7etJnnXVyGBrA@mail.gmail.com>
To: Jacob Hoffman-Andrews <jsha@eff.org>, James Kasten <jdkasten@umich.edu>, Richard Barnes <rlb@ipv.sx>
Cc: Roman Danyliw <rdd@cert.org>, Yoav Nir <ynir.ietf@gmail.com>, IETF ACME <acme@ietf.org>, RFC Errata System <rfc-editor@rfc-editor.org>
Content-Type: multipart/alternative; boundary="0000000000009572fd060e1d6d93"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/t8f0Sthge3wix4dbrw0VZ0Jj0nQ>
Subject: Re: [Acme] [Technical Errata Reported] RFC8555 (6843)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Jan 2024 11:58:19 -0000
Is this still accurate? I'll mark it as 'Verified' and hold it for update. Note: I'm stripping the addresses on these a little - cpu@letsencrypt.org is bouncing, and Ben isn't Sec AD currently. Oh and the chairs have to approve posts with more than a few addresses listed.... Deb On Thu, Feb 24, 2022 at 1:30 PM Jacob Hoffman-Andrews <jsha@eff.org> wrote: > I agree with James' reading. The intent was to allow HTTP->HTTPS redirects > during validation, and that is common practice today. The errata makes the > language a little clearer around that, so I vote "hold for document update." > ------------------------------ > *From:* James Kasten <jdkasten@umich.edu> > *Sent:* Wednesday, February 9, 2022 7:25 AM > *To:* Benjamin Kaduk <kaduk@mit.edu> > *Cc:* Richard Barnes <rlb@ipv.sx>; Jacob Hoffman-Andrews <jsha@eff.org>; > Daniel McCarney <cpu@letsencrypt.org>; Roman Danyliw <rdd@cert.org>; > decoole@nsa.gov <decoole@nsa.gov>; debcooley1@gmail.com < > debcooley1@gmail.com>; Yoav Nir <ynir.ietf@gmail.com>; IETF ACME < > acme@ietf.org>; RFC Errata System <rfc-editor@rfc-editor.org> > *Subject:* Re: [Technical Errata Reported] RFC8555 (6843) > > Hi Ben, > > Thanks for the response. > > Following redirects for the http-01 challenge is already recommended by > the RFC's Section 8.3 > <https://datatracker.ietf.org/doc/html/rfc8555#section-8.3>. > ``` > The server SHOULD follow redirects when dereferencing the URL. > Clients might use redirects, for example, so that the response can be > provided by a centralized certificate management server. See > Section 10.2 <https://datatracker.ietf.org/doc/html/rfc8555#section-10.2> > for security considerations related to redirects. > ``` > > Section 10.4 <https://datatracker.ietf.org/doc/html/rfc8555#section-10.4> > also contains an additional warning or emphasis regarding redirects with > SSRF, so I included a generic reference to both for completeness. > ``` > However, if the attacker first sets the domain to one > they control, then they can send the server an HTTP redirect (e.g., a > 302 response) which will cause the server to query an arbitrary URL. > ... > ``` > > I believe this errata resolves ambiguity in the current text. Popular ACME > CAs and clients are relying upon "http-01" challenge redirects from HTTP to > HTTPS today. As an author who is familiar with the origin of this text, my > intent was for it to read as "must be initiated" rather than "must be > completed" over HTTP. I am happy to hear others' thoughts. I do believe > deviating from this interpretation is extremely harmful for the HTTPS > ecosystem which I can elaborate on if desired. > > Best, > James > > On Tue, Feb 8, 2022 at 10:54 PM Benjamin Kaduk <kaduk@mit.edu> wrote: > > Is there particular guidance from Section 10 that you had in mind to > justify the following of the redirect? > > In light of the role of errata reports as indicating errors in the > specification at the time it was published, I think the processing options > here are either "hold for document update" or "rejected". > > -Ben > > On Tue, Feb 08, 2022 at 12:23:23PM -0800, RFC Errata System wrote: > > The following errata report has been submitted for RFC8555, > > "Automatic Certificate Management Environment (ACME)". > > > > -------------------------------------- > > You may review the report below and at: > > https://www.rfc-editor.org/errata/eid6843 > > > > -------------------------------------- > > Type: Technical > > Reported by: James Kasten <jdkasten@umich.edu> > > > > Section: 8.3 > > > > Original Text > > ------------- > > Because many web servers > > allocate a default HTTPS virtual host to a particular low-privilege > > tenant user in a subtle and non-intuitive manner, the challenge must > > be completed over HTTP, not HTTPS. > > > > > > Corrected Text > > -------------- > > Because many web servers > > allocate a default HTTPS virtual host to a particular low-privilege > > tenant user in a subtle and non-intuitive manner, the challenge must > > be initiated over HTTP, not HTTPS. > > > > Notes > > ----- > > Completing the entire http-01 challenge over HTTP is unnecessary. The > threat of default HTTPS virtual hosts is remediated by "initiating" the > http-01 challenge over HTTP. Validation servers which redirect from HTTP to > HTTPS should be permitted following the rest of the guidance within Section > 10, Security Considerations. > > > > Instructions: > > ------------- > > This erratum is currently posted as "Reported". If necessary, please > > use "Reply All" to discuss whether it should be verified or > > rejected. When a decision is reached, the verifying party > > can log in to change the status and edit the report, if necessary. > > > > -------------------------------------- > > RFC8555 (draft-ietf-acme-acme-18) > > -------------------------------------- > > Title : Automatic Certificate Management Environment (ACME) > > Publication Date : March 2019 > > Author(s) : R. Barnes, J. Hoffman-Andrews, D. McCarney, J. > Kasten > > Category : PROPOSED STANDARD > > Source : Automated Certificate Management Environment > > Area : Security > > Stream : IETF > > Verifying Party : IESG > >
- [Acme] [Technical Errata Reported] RFC8555 (6843) RFC Errata System
- Re: [Acme] [Technical Errata Reported] RFC8555 (6… Benjamin Kaduk
- Re: [Acme] [Technical Errata Reported] RFC8555 (6… James Kasten
- Re: [Acme] [Technical Errata Reported] RFC8555 (6… Jacob Hoffman-Andrews
- Re: [Acme] [Technical Errata Reported] RFC8555 (6… Deb Cooley
- Re: [Acme] [Technical Errata Reported] RFC8555 (6… Jacob Hoffman-Andrews