Re: [Acme] Artart last call review of draft-ietf-acme-tls-alpn-06
Roland Shoemaker <roland@letsencrypt.org> Tue, 01 October 2019 20:19 UTC
Return-Path: <roland@letsencrypt.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB44312006E for <acme@ietfa.amsl.com>; Tue, 1 Oct 2019 13:19:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D6rQTa5sMuss for <acme@ietfa.amsl.com>; Tue, 1 Oct 2019 13:19:35 -0700 (PDT)
Received: from mail-oi1-x234.google.com (mail-oi1-x234.google.com [IPv6:2607:f8b0:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD09B120059 for <acme@ietf.org>; Tue, 1 Oct 2019 13:19:35 -0700 (PDT)
Received: by mail-oi1-x234.google.com with SMTP id k20so15673229oih.3 for <acme@ietf.org>; Tue, 01 Oct 2019 13:19:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=5HsBV60NrQ5J6D3n9hHCeeP8TYqkUPA6mKjNRj6+7cQ=; b=A7KqTA71+pljVzWS5hw6XAWCocmfrLVYc98GqeiqnrAb/l+gzhqS8F4LcJFN48rFIs a/JS1E6q9DY12mNbUhumQdKNxPLDBLtAdI02uNwE2kKbHCnO04hAPjnpJFwaVpBV7IZe PBIK6+hDNeMD2Y6bMFWP+BY7LiWI1fzRNb35g=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=5HsBV60NrQ5J6D3n9hHCeeP8TYqkUPA6mKjNRj6+7cQ=; b=prWDOCcftJNeiAUyH63H4Gedv4uFQUNr7JjDr/YA43YG2rg1b6TAE/pmHYhvYLCExZ eGdo6EZTjZVElhBsNY8UOjuIlROt2DTjAhOkZC292By2CHj+7D2+uHxyYF01obl1eE5r loEeGjGrLc8meIOUPko32t/+E7lL/bKsFZ9tulv8nElXHvbd5+2110KdZ3OsZTftWeAt h/ifWVxrfzEhfzxohQ86oWlThOhaI9JxBlD2JjOhUhNsaT9kwlA3l2wPrHFPXueTNJeD Mo5MazzcY+IKfHlNzDyWSwHOQsbpUx3Gd2HrDm+ADf7OKAvcTUjEYi6NzHjOgIUCK2az 2K1Q==
X-Gm-Message-State: APjAAAVULyn83e4aORebPZVfx71A7ddULrCfY27Cxw8mo0bUZTr3FQh1 tJEF1syDDw0jgUxF0WkeHJ+JGQ==
X-Google-Smtp-Source: APXvYqydLRmnLymjQPBNzo4aRg3rRFA0OJ/1hxdKbC4Jq+oGvvs2SVByLDjVRYVMcqnk+z8UP3P8MA==
X-Received: by 2002:aca:56ca:: with SMTP id k193mr5077575oib.155.1569961174834; Tue, 01 Oct 2019 13:19:34 -0700 (PDT)
Received: from ?IPv6:2600:1700:bd50:a5b0:98b6:333c:5dd8:82ec? ([2600:1700:bd50:a5b0:98b6:333c:5dd8:82ec]) by smtp.gmail.com with ESMTPSA id n65sm5591996oib.35.2019.10.01.13.19.33 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 01 Oct 2019 13:19:33 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
From: Roland Shoemaker <roland@letsencrypt.org>
In-Reply-To: <156870601125.17470.11128908292563240208@ietfa.amsl.com>
Date: Tue, 01 Oct 2019 13:19:32 -0700
Cc: art@ietf.org, draft-ietf-acme-tls-alpn.all@ietf.org, acme@ietf.org, ietf@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <36445804-1B33-4949-88FA-71BB9107C443@letsencrypt.org>
References: <156870601125.17470.11128908292563240208@ietfa.amsl.com>
To: Martin Thomson <mt@lowentropy.net>
X-Mailer: Apple Mail (2.3445.104.8)
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/tQ1N1R7FzE-IiD5vaoHcvvI5te0>
Subject: Re: [Acme] Artart last call review of draft-ietf-acme-tls-alpn-06
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Oct 2019 20:19:39 -0000
Hey Martin, Thanks for the thorough review, I agree with all of the suggestions and will be incorporating the changes into the next revision. Following up on one point about Section 7, I believe you may actually be thinking about another issue we had with the http-01 ACME challenge. The issue here was as described, if the ACME server was using HTTPS to validate a http-01 challenge and the expected domain name didn’t have a proper virtual host configuration many servers would redirect the request to a ‘default’ handler. This is called out in RFC 8555 Section 8.3. Thanks, Roland > On Sep 17, 2019, at 12:40 AM, Martin Thomson via Datatracker <noreply@ietf.org> wrote: > > Reviewer: Martin Thomson > Review result: Ready with Nits > > This is a clear description of a simple protocol that addresses a well-defined > problem. I didn't find any real issues, though I have some suggestions that > might improve the document a little. My view is that publication without these > would still produce a useful RFC. > > Suggestions: > > The document should probably talk about minimum TLS versions and expected > algorithms. I think that it would be enough to say TLS 1.2 minimum with the > mandatory cipher suites from that spec. You might also want to require > certificates with a PKCS#1v1.5 RSASSA key (as much as those are terrible), but > to permit use and negotiation of other alternatives. If your CA supports > ECDSA, I see no reason not to prepare an ECDSA certificate on that basis, but > that would be based on extra-textual knowledge, it's no guarantee of > interoperability. > > Section 4 > I have two suggestions here for making the properties you rely on with the > protocol clearer to readers. > > You should explicitly say that the "acme-tls/1" protocol as negotiated here > does not carry application data, it only requires that the server provide > certificate-based authentication. AND that the certificate-based > authentication provided uses an alternative method than that described in RFC > 5280, even though it uses X.509 certificates. Both of these are already > implicit in the text here, but I think that it would help to be very clear > about these as they are a little surprising ways to use TLS. > > You might also want to explicitly point out that though the protocol does not > depend on the server providing a valid signature, or even that it successfully > complete the TLS handshake, these are both required by the protocol and a > validator MAY withhold authorization if the TLS handshake does not complete > successfully. (This is implied in Step 4, but not explained.) > > Nits: > > Section 1 > The history lesson in the appendix is useful. It helps to articulate why the > design is this way. However, I don't think that you need to spend a third of > the introduction on a reference to that historical information. I'd cut that > paragraph entirely. > > Section 3 > https://www.quickanddirtytips.com/sites/default/files/styles/insert_large/public/images/937/use-utilize-pin.png?itok=Bt7A6RQq > > Step 3: s/AMCE/ACME; this sentence is two with a comma-splice > > Section 4 > This is taste only, but I find the extra version decoration on these > identifiers unnecessary. Decorate v2 if you are unfortunate enough to need one. > > Section 5 > > The parallel list construction in this sentence is a little awkward: > > "This means that if User A registers Host A and User B registers Host B the > server should not allow a TLS request using a SNI value for Host A to be > served by User B or Host B to be served by User A." > > The first part of this sentence is fine, but the second part "or Host B to be > served by User A" might be clearer if it said "or a TLS connection with a > server_name extension identifying Host B to be answered by User A." Or similar. > > Section 6.2 > Please don't use uppercase for an identifier when the actual protocol is > identified using lowercase ASCII. I know that RFC 7301 did this for HTTP/1.1, > but that was a confusing mistake that doesn't need to be propagated. > > Section 7 > This is not an appendix. You can make appendices using `<back>` in XML or by > moving the section under `---back` in kramdown-rfc2629. > > The implication of this text is to say that this is a replacement for an > important part of ACME. I would instead say that this is an iteration on an > earlier design that used the TLS server_name extension to carry the challenge. > And that that earlier design was shown to have some serious issues in practice. > > My understanding of the problem differs from what is described here though: the > problem - as I recall - was that this used high-entropy, generated values for > the server_name extension and an HTTP or absent ALPN identifier. These names > might not have as strong a binding to the user that controlled the validated > portion of that name (the suffix) as desired. Some servers would route these > SNI values to a "default" handler. The "default" handler could be under the > control of any user; in fact, users could in some cases choose a name that > would greatly improve their chances of having their certificate used as a > default (e.g., aaaaa.example.host or zzzzz.example.host. As formulated here, > particularly with the User A/Host B phrasing, you are almost implying that the > security property you rely on in the ALPN design doesn't hold. As far as I'm > aware, that security property does hold because you are including exactly the > validated name in the SNI. > >
- [Acme] Artart last call review of draft-ietf-acme… Martin Thomson via Datatracker
- Re: [Acme] Artart last call review of draft-ietf-… Roland Shoemaker