IETF Logo Mail Archive

Re: [Acme] [Technical Errata Reported] RFC8555 (6843)

Deb Cooley <debcooley1@gmail.com> Thu, 04 January 2024 11:58 UTC

Return-Path: <debcooley1@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06C63C14F6BE for <acme@ietfa.amsl.com>; Thu, 4 Jan 2024 03:58:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.854
X-Spam-Level:
X-Spam-Status: No, score=-1.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fxCKAvutfg0n for <acme@ietfa.amsl.com>; Thu, 4 Jan 2024 03:58:14 -0800 (PST)
Received: from mail-il1-x12a.google.com (mail-il1-x12a.google.com [IPv6:2607:f8b0:4864:20::12a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A95E4C15790F for <acme@ietf.org>; Thu, 4 Jan 2024 03:56:56 -0800 (PST)
Received: by mail-il1-x12a.google.com with SMTP id e9e14a558f8ab-36068bdfe20so983025ab.1 for <acme@ietf.org>; Thu, 04 Jan 2024 03:56:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1704369416; x=1704974216; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=EzsWdzO6aUjWUAESput+zfhz8vraeiO0KpmbPikuABU=; b=ekuNBWxh2pNeRifdKn08Z5AUiR3LHaCZjWD3rqkPXK5EGxjLKvjS3tV4I0BM/DHUGZ q5wEQCCMOLef8xsi6ow8q8SwzxrzzdpMqqM0gdleobTS+iJzyswmmPHitJMPQA6CX2M8 XmHBOz9pL0K2ZrAy2ZG5WXba2uV2YcOaNC7SPCW8TJA6DgP/r1DBpo5pKeJLSDq/lGFC iQz4UTiti9cuEzT2aiRaJz420PfIvlVH5d6+ASgnaMS6FPV7EMVvWO47kMSm9ZFHjSTx LAowJuSo1cEtlwcJDwOL4C5CXKqZ3ttn+TnIMh6/81c/CalJ1XFNhIPDPd0wV+9zvXlT NYvg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704369416; x=1704974216; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=EzsWdzO6aUjWUAESput+zfhz8vraeiO0KpmbPikuABU=; b=TJ0mWdePEp7crAnmUcXfme8sPZQxJO3btEPEst+2JjUt1eqe2n2ayj2jg8hEZk5xX+ fXD3EYtSixl07kW5QuhAoEUPlxml2sJy7RZmM/0tUWhjM8bx1ZvrPg4x/JzzE4G41BdP Qa442qjSBinPwgks4NHlPPZv1eSPoeXlQzRbHMeNDlEVVs1yCd6xKugQ2aqRoleUElDg j4fsZ78uWqOPVm6YjGZhCO37pwuOTo+0baEYbrVvnkGi1HHoWrStQRyfnPqcSTgYh0AX C7/wM65kiuQak5aVk7cZAjaXhQ3CZ0Oy2bGQRfYlBkETSCXeFyi0K7LVF1TkVxLQk3Np Shyw==
X-Gm-Message-State: AOJu0YxX+iqcN+QT0wdf47Wj7a8rgqXwSiRZNQjkUCIceFcbBiHWeTU8 Lx6IofvOZ289t3t1h9XWcpGc7fwi9YldWrVigQ==
X-Google-Smtp-Source: AGHT+IEmecM4vLadR/m4xHA4IdClXFf45AzCJkCCOesdiYIgELsL1UAWyHE4IcDupey6g3HIgWfs0yMjFxGAjkIk+Zw=
X-Received: by 2002:a05:6e02:1985:b0:360:6fd:321e with SMTP id g5-20020a056e02198500b0036006fd321emr542420ilf.124.1704369415613; Thu, 04 Jan 2024 03:56:55 -0800 (PST)
MIME-Version: 1.0
References: <20220208202323.A644DE9747@rfc-editor.org> <20220209065416.GT48552@kduck.mit.edu> <CAAEpsx8k3ysjYnj6cRYzepZnfZEsFv-emHpiz3bXG-hEW8NK_g@mail.gmail.com> <MWHPR2001MB190159D2320512B79C12EFF9DB3D9@MWHPR2001MB1901.namprd20.prod.outlook.com>
In-Reply-To: <MWHPR2001MB190159D2320512B79C12EFF9DB3D9@MWHPR2001MB1901.namprd20.prod.outlook.com>
From: Deb Cooley <debcooley1@gmail.com>
Date: Thu, 04 Jan 2024 06:56:34 -0500
Message-ID: <CAGgd1OfW8gJeFLob7x1g9+n+tGSQrGbiqv8Os7etJnnXVyGBrA@mail.gmail.com>
To: Jacob Hoffman-Andrews <jsha@eff.org>, James Kasten <jdkasten@umich.edu>, Richard Barnes <rlb@ipv.sx>
Cc: Roman Danyliw <rdd@cert.org>, Yoav Nir <ynir.ietf@gmail.com>, IETF ACME <acme@ietf.org>, RFC Errata System <rfc-editor@rfc-editor.org>
Content-Type: multipart/alternative; boundary="0000000000009572fd060e1d6d93"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/t8f0Sthge3wix4dbrw0VZ0Jj0nQ>
Subject: Re: [Acme] [Technical Errata Reported] RFC8555 (6843)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Jan 2024 11:58:19 -0000

Is this still accurate?  I'll mark it as 'Verified' and hold it for update.

Note:  I'm stripping the addresses on these a little - cpu@letsencrypt.org
is bouncing, and Ben isn't Sec AD currently.  Oh and the chairs have to
approve posts with more than a few addresses listed....

Deb



On Thu, Feb 24, 2022 at 1:30 PM Jacob Hoffman-Andrews <jsha@eff.org> wrote:

> I agree with James' reading. The intent was to allow HTTP->HTTPS redirects
> during validation, and that is common practice today. The errata makes the
> language a little clearer around that, so I vote "hold for document update."
> ------------------------------
> *From:* James Kasten <jdkasten@umich.edu>
> *Sent:* Wednesday, February 9, 2022 7:25 AM
> *To:* Benjamin Kaduk <kaduk@mit.edu>
> *Cc:* Richard Barnes <rlb@ipv.sx>; Jacob Hoffman-Andrews <jsha@eff.org>;
> Daniel McCarney <cpu@letsencrypt.org>; Roman Danyliw <rdd@cert.org>;
> decoole@nsa.gov <decoole@nsa.gov>; debcooley1@gmail.com <
> debcooley1@gmail.com>; Yoav Nir <ynir.ietf@gmail.com>; IETF ACME <
> acme@ietf.org>; RFC Errata System <rfc-editor@rfc-editor.org>
> *Subject:* Re: [Technical Errata Reported] RFC8555 (6843)
>
> Hi Ben,
>
> Thanks for the response.
>
> Following redirects for the http-01 challenge is already recommended by
> the RFC's Section 8.3
> <https://datatracker.ietf.org/doc/html/rfc8555#section-8.3>.
> ```
> The server SHOULD follow redirects when dereferencing the URL.
> Clients might use redirects, for example, so that the response can be
> provided by a centralized certificate management server.  See
> Section 10.2 <https://datatracker.ietf.org/doc/html/rfc8555#section-10.2>
> for security considerations related to redirects.
> ```
>
> Section 10.4 <https://datatracker.ietf.org/doc/html/rfc8555#section-10.4>
> also contains an additional warning or emphasis regarding redirects with
> SSRF, so I included a generic reference to both for completeness.
> ```
> However, if the attacker first sets the domain to one
> they control, then they can send the server an HTTP redirect (e.g., a
> 302 response) which will cause the server to query an arbitrary URL.
> ...
> ```
>
> I believe this errata resolves ambiguity in the current text. Popular ACME
> CAs and clients are relying upon "http-01" challenge redirects from HTTP to
> HTTPS today. As an author who is familiar with the origin of this text, my
> intent was for it to read as "must be initiated" rather than "must be
> completed" over HTTP. I am happy to hear others' thoughts. I do believe
> deviating from this interpretation is extremely harmful for the HTTPS
> ecosystem which I can elaborate on if desired.
>
> Best,
> James
>
> On Tue, Feb 8, 2022 at 10:54 PM Benjamin Kaduk <kaduk@mit.edu> wrote:
>
> Is there particular guidance from Section 10 that you had in mind to
> justify the following of the redirect?
>
> In light of the role of errata reports as indicating errors in the
> specification at the time it was published, I think the processing options
> here are either "hold for document update" or "rejected".
>
> -Ben
>
> On Tue, Feb 08, 2022 at 12:23:23PM -0800, RFC Errata System wrote:
> > The following errata report has been submitted for RFC8555,
> > "Automatic Certificate Management Environment (ACME)".
> >
> > --------------------------------------
> > You may review the report below and at:
> > https://www.rfc-editor.org/errata/eid6843
> >
> > --------------------------------------
> > Type: Technical
> > Reported by: James Kasten <jdkasten@umich.edu>
> >
> > Section: 8.3
> >
> > Original Text
> > -------------
> > Because many web servers
> > allocate a default HTTPS virtual host to a particular low-privilege
> > tenant user in a subtle and non-intuitive manner, the challenge must
> > be completed over HTTP, not HTTPS.
> >
> >
> > Corrected Text
> > --------------
> > Because many web servers
> > allocate a default HTTPS virtual host to a particular low-privilege
> > tenant user in a subtle and non-intuitive manner, the challenge must
> > be initiated over HTTP, not HTTPS.
> >
> > Notes
> > -----
> > Completing the entire http-01 challenge over HTTP is unnecessary. The
> threat of default HTTPS virtual hosts is remediated by "initiating" the
> http-01 challenge over HTTP. Validation servers which redirect from HTTP to
> HTTPS should be permitted following the rest of the guidance within Section
> 10, Security Considerations.
> >
> > Instructions:
> > -------------
> > This erratum is currently posted as "Reported". If necessary, please
> > use "Reply All" to discuss whether it should be verified or
> > rejected. When a decision is reached, the verifying party
> > can log in to change the status and edit the report, if necessary.
> >
> > --------------------------------------
> > RFC8555 (draft-ietf-acme-acme-18)
> > --------------------------------------
> > Title               : Automatic Certificate Management Environment (ACME)
> > Publication Date    : March 2019
> > Author(s)           : R. Barnes, J. Hoffman-Andrews, D. McCarney, J.
> Kasten
> > Category            : PROPOSED STANDARD
> > Source              : Automated Certificate Management Environment
> > Area                : Security
> > Stream              : IETF
> > Verifying Party     : IESG
>
>

v2.23.0 | Report a Bug | By Email