[Acme] Threat model: Evil CAs with limited or no scope?

Jann Horn <jann@thejh.net> Sun, 19 April 2015 15:40 UTC

Return-Path: <jann@thejh.net>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E44EA1A8993 for <acme@ietfa.amsl.com>; Sun, 19 Apr 2015 08:40:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.788
X-Spam-Level:
X-Spam-Status: No, score=0.788 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hk9rMU-FHtoa for <acme@ietfa.amsl.com>; Sun, 19 Apr 2015 08:40:41 -0700 (PDT)
Received: from thejh.net (thejh.net [IPv6:2a03:4000:2:1b9::1]) by ietfa.amsl.com (Postfix) with ESMTP id 59D3D1A8999 for <acme@ietf.org>; Sun, 19 Apr 2015 08:40:41 -0700 (PDT)
Received: from pc.thejh.net (thejh.net [37.221.195.125]) by thejh.net (Postfix) with ESMTPA id 56111180C9B; Sun, 19 Apr 2015 17:40:40 +0200 (CEST)
Date: Sun, 19 Apr 2015 17:40:39 +0200
From: Jann Horn <jann@thejh.net>
To: acme@ietf.org
Message-ID: <20150419154039.GA22344@pc.thejh.net>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="2fHTh5uZTiUOsy+g"
Content-Disposition: inline
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/uLQxF00ZkgjkQFFPHCpKE7uRjDs>
Subject: [Acme] Threat model: Evil CAs with limited or no scope?
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Apr 2015 15:40:43 -0000

After a look at the ACME spec, this seems to me like it might be a small
problem:

The owner of example.org wants to obtain a certificate for example.org from a
malicious organization that claims to be a CA, but isn't one, or that is a CA
with a scope that is limited somehow (e.g. because its certificate is not
accepted by all browsers). The malicious organization wants to obtain a
certificate for example.org for its own evil purposes that is less restricted
than certificates it could issue on its own. To archieve that, it registers at
a more privileged CA and poses as the owner of example.org. When the real
CA asks the malicious CA to confirm its identity using simpleHttps or DVSNI,
the malicious CA simply forwards the challenge to the victim ACME client.

Did I miss something in the spec, or would that work?

I'm not sure how important this is, but would it maybe be a good idea to let
the ACME client prefix or hash together the provisioned values with the
identity (domain name or so) of the CA it's talking to?