Re: [Acme] ALPN based TLS challenge

Doug Beattie <doug.beattie@globalsign.com> Fri, 23 February 2018 13:18 UTC

From: Doug Beattie <doug.beattie@globalsign.com>
To: Roland Bracewell Shoemaker <roland@letsencrypt.org>, Rich Salz <rsalz@akamai.com>
CC: IETF ACME <acme@ietf.org>, Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 23 Feb 2018 13:17:53 +0000
Message-ID: <SG2PR0301MB1190E57D534C66731C1E9019F0CC0@SG2PR0301MB1190.apcprd03.prod.outlook.com>
References: <0639F8AA-9E14-4FD4-A9A4-C03EB4D95962@letsencrypt.org> <CABkgnnVgFN57OeuN61rHa9i7teo_TGyA1CNXiQz0n4KcQ=O78Q@mail.gmail.com> <3B21694B-E5D0-4D39-83CE-A7EBD8BF2F48@akamai.com> <01E6B12D-69EE-4104-8E1B-BE1512A1DDCB@letsencrypt.org>
In-Reply-To: <01E6B12D-69EE-4104-8E1B-BE1512A1DDCB@letsencrypt.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/veapJObVU6S6n3ZAuvbiOGdcMCE>
Subject: Re: [Acme] ALPN based TLS challenge

I'm probably not understanding a key piece of technical info about the protocol, but when I see this statement it makes me think it has similar issues to tls-sni-01.  If we're relying on the hosting provider enforcing certain constraints like this, then we're delegating a critical piece of domain control back to the hosting provider which would be a no-go.

4.  Security Considerations

   The design of this challenge relies on some assumptions centered
   around how a server behaves during validation.

   The first assumption is that when a server is used to serve content
   for multiple DNS names from a single IP address, it properly
   segregates control of those names to the users on the server that
   own them.  This means that if User A registers Host A and User B
   registers Host B, the server should not allow User B to serve a TLS
   request using an SNI value for Host A; only User A should be able to
   serve that request.  If the server allows User B to serve this
   request it allows them to illegitimately validate control of Host A
   to the ACME server.

Please let me know what I'm missing.

Doug
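The segregation assumption quoted above, as an added illustration that is not part of the draft or of this thread: a toy multi-tenant host dispatches a validator's ClientHello (SNI plus the draft's `acme-tls/1` ALPN value) either strictly, to the tenant that registered the name, or loosely, to whichever tenant installed a certificate for that name. The hostnames, tenant names, tokens and thumbprints are constructed; the certificate check is simplified to comparing the SHA-256 of the key authorization (the draft's acmeIdentifier digest) with no real TLS involved.

```python
import hashlib
from dataclasses import dataclass

# Constructed model of a multi-tenant host and a tls-alpn validator.
ACME_ALPN = "acme-tls/1"   # ALPN protocol name from draft-shoemaker-acme-tls-alpn

@dataclass(frozen=True)
class ValidationCert:
    """Stand-in for the self-signed cert a tenant presents during validation."""
    sni: str                 # hostname in the cert's SAN
    acme_identifier: bytes   # SHA-256 of the key authorization

class MultiTenantHost:
    def __init__(self, strict: bool):
        self.strict = strict   # True: the section 4 assumption holds
        self.owner = {}        # hostname -> tenant that registered it
        self.certs = {}        # (tenant, hostname) -> ValidationCert

    def register(self, tenant: str, hostname: str) -> None:
        self.owner[hostname] = tenant

    def install_cert(self, tenant: str, cert: ValidationCert) -> None:
        self.certs[(tenant, cert.sni)] = cert

    def handle_hello(self, sni: str, alpn: str):
        """Return the cert the host would present for this SNI/ALPN pair."""
        if alpn != ACME_ALPN:
            return None
        if self.strict:   # only the registered owner of the name may answer
            return self.certs.get((self.owner.get(sni), sni))
        # Loose host: any tenant with a cert for this SNI gets to answer.
        return next((c for (_, n), c in self.certs.items() if n == sni), None)

def expected_identifier(token: str, thumbprint: str) -> bytes:
    return hashlib.sha256(f"{token}.{thumbprint}".encode()).digest()

def validate(host: MultiTenantHost, hostname: str, token: str, thumbprint: str) -> bool:
    """What the ACME server checks: right SAN and matching acmeIdentifier digest."""
    cert = host.handle_hello(hostname, ACME_ALPN)
    if cert is None or cert.sni != hostname:
        return False
    return cert.acme_identifier == expected_identifier(token, thumbprint)

def cross_tenant_demo(strict: bool) -> bool:
    """User B (owner of host-b) answers a challenge issued for host-a."""
    host = MultiTenantHost(strict)
    host.register("user_a", "host-a.example")
    host.register("user_b", "host-b.example")
    token, thumb = "token-B", "thumbprint-B"   # User B's own ACME challenge
    host.install_cert("user_b", ValidationCert("host-a.example", expected_identifier(token, thumb)))
    return validate(host, "host-a.example", token, thumb)   # True only on a loose host
```

Run `cross_tenant_demo(False)` and `cross_tenant_demo(True)` to see the loose host wrongly pass the validation that the strict host rejects.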

> -----Original Message-----
> From: Acme [mailto:acme-bounces@ietf.org] On Behalf Of Roland Bracewell Shoemaker
> Sent: Friday, February 23, 2018 3:00 AM
> To: Rich Salz <rsalz@akamai.com>
> Cc: IETF ACME <acme@ietf.org>; Martin Thomson <martin.thomson@gmail.com>
> Subject: Re: [Acme] ALPN based TLS challenge
> 
> Here is the ID: https://datatracker.ietf.org/doc/draft-shoemaker-acme-tls-alpn/
> 
> > On Feb 22, 2018, at 8:38 PM, Salz, Rich <rsalz@akamai.com> wrote:
> >
> > Yes, like Martin said, submit the individual draft and we can call for adoption.
> >
> 