Re: [Acme] High level comments on draft-barnes-acme (the GitHub version)

Joseph Lorenzo Hall <joe@cdt.org> Wed, 25 March 2015 22:15 UTC

On Wed, Mar 25, 2015 at 2:42 PM, John Mattsson
<john.mattsson@ericsson.com> wrote:
>
>
> On 25 Mar 2015, at 13:24, Jonathan Rudenberg <jonathan@titanous.com> wrote:
>
>
> On Mar 25, 2015, at 9:35 AM, John Mattsson <john.mattsson@ericsson.com>
> wrote:
>
> Hi,
>
> Some high level comments on draft-barnes-acme (the GitHub version)
>
>
> - Security:
> The security of this seems to need some serious rethinking. The “Domain
> Validation with Server Name Indication” challenge seems totally nonsecure,
> allowing ANY on-path attacker to get certificates issued. I think this
> challenge is unacceptable for certificate issuance and I think it should be
> removed. Just because I let Amazon, Microsoft, Google or any other cloud
> provider run my web server does not mean I give them the right to request
> certificates for my domain.
>
>
> Thanks for pointing this out.

This seems like a big deal, no? That is, since SNI is one of the few
things not protected in the TLS handshake, it does seem spoofable. If
there's not something I'm missing, it seems like the proposal should
just drop DVSNI altogether.

-- 
Joseph Lorenzo Hall
Chief Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
joe@cdt.org
PGP: https://josephhall.org/gpg-key
fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871