[Acme] should acme-subdomains support http-01 challenges?

Michael Richardson <mcr+ietf@sandelman.ca> Sun, 13 December 2020 20:47 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "acme@ietf.org" <acme@ietf.org>
Date: Sun, 13 Dec 2020 15:47:17 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/xwuX7MvjKK_SfiXepxsVRZ_I1TU>
Subject: [Acme] should acme-subdomains support http-01 challenges?

Owen Friel (ofriel) <ofriel@cisco.com> wrote:
    > The draft as is does not preclude http-01 challenges, but I agree that
    > the dns-01 challenge is more applicable.

I think that the draft should apply to dns-01 only.

I don't think that http-01 challenges are meaningful in this context, and may
in fact risk having one tenant of a multi-tenant domain (e.g. domains like
"wix.com") wind up with authorization for many things they shouldn't have.
(yes, for wix.com, this would probably require a second bug somewhere)

    > If a client is advertising multiple ADNs it can authorize, should the
    > supported challenge type be per ADN? e.g. dns-01 and http-01 for
    > foo1.foo2.bar.example.com but only dns-01 for example.com? Is this
    > flexibility in any way useful, or just likely to lead to confusion and
    > implementation bugs?

    > For sure, the way the draft is currently written, if a client places an
    > order for a subdomain, and the server issues a single challenge for a
    > parent ADN (which could be the BDN/Base Domain Name), then this will
    > result in frequent failures as the client is not authorized to control
    > the parent ADN/BDN.

I guess I'm also confused by why a client would issue an order for a
sub-domain of a domain for which it has not received authorization.
Obviously, an attacker might do that, but why wouldn't the order just be rejected?

It seems like the client and server are expected to somehow guess where the
zone cuts are, rather than the client starting with that information in its
configuration.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
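An added illustration of the approach argued for above: the client starts from its own configured zone cuts, asks for a parent (ADN) authorization only via dns-01, and treats http-01 as exact-match only so a tenant of a multi-tenant domain cannot be authorized for sibling names. This is example code written for this page, not code from draft-ietf-acme-subdomains or from any ACME implementation; the configuration shape and the `select_adn` helper are assumptions made for the illustration.

```python
"""Client-side choice of Authorization Domain Name (ADN) from configured
zone cuts. Illustrative model only; not from the draft or any ACME client."""
from typing import Iterable, Optional

# Constructed client configuration: zone apexes this client controls and can
# publish DNS records in, i.e. the zone cuts it already knows about.
CONFIGURED_ZONES = {"example.com", "bar.example.com", "tenant1.wix.com"}

# Challenge types that may prove control of a parent ADN on behalf of a
# subdomain identifier. Only dns-01 is treated that way here, following the
# position in the thread that the draft should apply to dns-01 only.
PARENT_CAPABLE_CHALLENGES = {"dns-01"}


def _within_zone(name: str, zone: str) -> bool:
    """True if *name* equals *zone* or is a subdomain of it (case/dot agnostic)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def select_adn(identifier: str, challenge: str,
               zones: Iterable[str] = CONFIGURED_ZONES) -> Optional[str]:
    """Return the ADN the client should request authorization for, or None
    if the client should not place the order at all.

    dns-01:  the longest configured zone enclosing the identifier (the
             closest zone cut), so the order never names a parent the client
             does not control.
    http-01: only the identifier itself, and only if it lies inside a
             configured zone; never a parent, so one tenant of a shared
             domain cannot end up authorized for many names it should not.
    """
    enclosing = [z for z in zones if _within_zone(identifier, z)]
    if not enclosing:
        return None  # outside every zone the client controls: reject locally
    if challenge in PARENT_CAPABLE_CHALLENGES:
        return max(enclosing, key=len)  # closest enclosing zone cut
    return identifier.lower().rstrip(".")  # exact-match only for http-01
```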