Re: [Acme] tls-alpn-01 spec: TLS-SNI history
Tim Hollebeek <tim.hollebeek@digicert.com> Thu, 21 June 2018 17:40 UTC
Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B0B212F1A6 for <acme@ietfa.amsl.com>; Thu, 21 Jun 2018 10:40:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.794
X-Spam-Level:
X-Spam-Status: No, score=-2.794 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.795, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UlRY22oaPEwx for <acme@ietfa.amsl.com>; Thu, 21 Jun 2018 10:40:51 -0700 (PDT)
Received: from mail1.bemta24.messagelabs.com (mail1.bemta24.messagelabs.com [67.219.250.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6667812F1A2 for <acme@ietf.org>; Thu, 21 Jun 2018 10:40:51 -0700 (PDT)
Received: from [67.219.251.52] (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)) by server-4.bemta.az-c.us-west-2.aws.symcld.net id 03/34-01613-123EB2B5; Thu, 21 Jun 2018 17:40:49 +0000
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprLLsWRWlGSWpSXmKPExsVyQ2FLuK7iY+1 ogy0zpS1WPQ+0eHv6ALPF+93TWSwm3Z/L6MDi8eb0GRaPJUt+Mnk0797N4nG7ew5bAEsUa2Ze Un5FAmtG6z6+go05FfNbP7E1MC5I7WLk5GAR6GGWeH8guIuRi0NIYAKTxKHpDawgCSGBu4wSy x9HgdhsAgYS1/YeZwKxRQTUJB5OPwNWwyxQKDGvaz4ziC0sYCox89pdNogaM4kjHfvZIWw3ic uXZrNALFOV+HZhO1gNr0CMxKttU9kgFrcwScz/cx9sEKdAoMTpm0/AmhkFxCS+n1rDBLFMXOL Wk/lgtoSAiMTDi6fZIGxRiZeP/7FC1MdIzP18CCouL/H9QCMzhC0rcWl+NyPIMgmBLUwS7V97 2CESuhIfpk6FKvKV2HAMJA5SdIJRYs3EZlaIhJbE7U3voDZnS0x6tRKqIUfibNNZFghbTmJV7 0MWiOa9zBLT3pyBapaRaJ68HWrqNDaJFdMuMEMCOEViyqpDbBMYtWcheW8WUB2zwAJGiafz17 LPAgeUoMTJmU9YZjFyACWiJHrOREDUa0ksafrPDmFrSyxb+JoZwtaU+DLhNguqODuQbSOxJQU iqigxpfshVKeZRNu5j2wLGLlXMVokFWWmZ5TkJmbm6BoaGOgaGhrpGhqb6RpaGuglVukm65UW 65anFpfoGukllhfrFVfmJuek6OWllmxiBCZPBiDYwfj5UMohRkkOJiVR3j3ntaOF+JLyUyozE osz4otKc1KLDzHKcHAoSfBqPALKCRalpqdWpGXmANM4TFqCg0dJhNcWJM1bXJCYW5yZDpE6xW jJ8WfLpB5mjkPvpwDJcyBSiCUvPy9VSpz390OgBgGQhozSPLhxsFxziVFWSpiXEehAIZ6C1KL czBJU+VeM4hyMSsK8Z0Gm8GTmlcBtfQV0EBPQQdXNWiAHlSQipKQaGOcan7GYmvtOtTD508+b 5zYZvW4p9/wu9dDh0z6uN6oLJMqP2R6QV/YW+/Bbmj1M58G3x2nbSm72JnJfj9tpcUFrknx+/ pKvvcJdk6dvmmBdzNk94/epGgWH67HHZ6/Iyn+gtrH2s/NB9XXsc9+cvqBeEqLrHJ02RbK8Xl uT504Jm6JoBf+LfUosxRmJhlrMRcWJAJQkFUgwBAAA
X-Env-Sender: tim.hollebeek@digicert.com
X-Msg-Ref: server-17.tower-364.messagelabs.com!1529602848!264033!1
X-Originating-IP: [216.32.180.87]
X-SYMC-ESS-Client-Auth: mailfrom-relay-check=pass
X-StarScan-Received:
X-StarScan-Version: 9.9.15; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 32584 invoked from network); 21 Jun 2018 17:40:49 -0000
Received: from mail-sn1nam04lp0087.outbound.protection.outlook.com (HELO NAM04-SN1-obe.outbound.protection.outlook.com) (216.32.180.87) by server-17.tower-364.messagelabs.com with AES256-SHA256 encrypted SMTP; 21 Jun 2018 17:40:49 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=MkqSq17da1KJzrM2Qe/om6WHveL5cJMPG+w/9Hg2TsA=; b=GopX88MLptunEbiFfEdYx/iUSmJzGw/ymHa4of2mHr3L4I/igsJ/tgjBiuyFRv99zC/JL8tQvRyZKJjEtud1Zg+9BalJaYHvq3n8sIhlRz45DhIkCCy+4jg2JCiTdEt6mY3G+IqNSwRaATsEAKXT0L/qq2r1Nb1CGA5nL2nEmVc=
Received: from BN6PR14MB1106.namprd14.prod.outlook.com (10.173.161.15) by BN6PR14MB1730.namprd14.prod.outlook.com (10.171.176.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.863.16; Thu, 21 Jun 2018 17:40:47 +0000
Received: from BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::b914:e52:554d:c7bb]) by BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::b914:e52:554d:c7bb%7]) with mapi id 15.20.0884.010; Thu, 21 Jun 2018 17:40:47 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
CC: Ilari Liusvaara <ilariliusvaara@welho.com>, Felipe Gasper <felipe@felipegasper.com>, ACME WG <acme@ietf.org>
Thread-Topic: [Acme] tls-alpn-01 spec: TLS-SNI history
Thread-Index: AQHUCC3wJJU0aPTfVUuvVtQ7dbuS2aRo43yAgAHDa7CAACjXAIAAKU9Q
Date: Thu, 21 Jun 2018 17:40:46 +0000
Message-ID: <BN6PR14MB1106291A3DA763776CADBE7783760@BN6PR14MB1106.namprd14.prod.outlook.com>
References: <4A77AEB5-0982-47C2-86AC-BD99D8D9E6F3@felipegasper.com> <20180620093445.GA23561@LK-Perkele-VII> <BN6PR14MB11060497CCB0337F3B8CEC4983760@BN6PR14MB1106.namprd14.prod.outlook.com> <CAErg=HHRx6e-4Y_7NQSN9KOtTL0iUuJ-K6Tz3BjDGEgyUoSR7A@mail.gmail.com>
In-Reply-To: <CAErg=HHRx6e-4Y_7NQSN9KOtTL0iUuJ-K6Tz3BjDGEgyUoSR7A@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [67.137.52.7]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN6PR14MB1730; 7:WBBokzdkAbriutqf2KFXpreRkPOTuMv7lJTYNQ8grLXNZdEkl3oo0JQtGBKtAbQlhgbH7oGfRsEsg6vTEK+shItQ4OE6s3AeVRJkcu4zqj4YkFGili60PIOD7HbqtXts6MK3ffHKp31juX2iwtH/p1HhnZDSMcG0eremhJKsNm8Ydgsxr1AmKkGWsWcjDxc/pujuXK/ZjzC04cn3QCVHKqp2NMFyGbRnnO97xMAwcM8X5qRtECSvB6/205vG3HCE
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 2bc1bc05-c221-48bf-3b09-08d5d79e1f2e
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(4534165)(4627221)(201703031133081)(201702281549075)(5600026)(711020)(2017052603328)(7153060)(49563074)(7193020); SRVR:BN6PR14MB1730;
x-ms-traffictypediagnostic: BN6PR14MB1730:
x-microsoft-antispam-prvs: <BN6PR14MB1730EA9064AAECA76D91437383760@BN6PR14MB1730.namprd14.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(158342451672863)(192374486261705)(21748063052155);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(102415395)(6040522)(2401047)(5005006)(8121501046)(93006095)(93001095)(3231254)(944501410)(52105095)(3002001)(10201501046)(149027)(150027)(6041310)(20161123562045)(20161123558120)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(6072148)(201708071742011)(7699016); SRVR:BN6PR14MB1730; BCL:0; PCL:0; RULEID:; SRVR:BN6PR14MB1730;
x-forefront-prvs: 07106EF9B9
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(376002)(39860400002)(396003)(346002)(39380400002)(189003)(199004)(53936002)(99286004)(3660700001)(7736002)(14454004)(68736007)(476003)(486006)(229853002)(44832011)(316002)(236005)(6436002)(446003)(2900100001)(9686003)(93886005)(74316002)(54906003)(33656002)(11346002)(6246003)(7696005)(8676002)(81156014)(4326008)(102836004)(81166006)(8936002)(106356001)(2906002)(6506007)(3280700002)(55016002)(66066001)(5660300001)(6116002)(53546011)(6306002)(59450400001)(54896002)(99936001)(186003)(105586002)(86362001)(97736004)(25786009)(26005)(478600001)(3846002)(6916009)(76176011)(790700001)(5250100002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN6PR14MB1730; H:BN6PR14MB1106.namprd14.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: mZPIWMjl6HY8kCaBM0zteOJXCGVY4ckHfJ3LPKaFIzHW2UUGex23IHsfZ9RlTiO1TMxLXDImINZml5yIUWKQlX0BdiSoDuryv1RKPKWa4U79CITvBTfOocRjAVeb8M7iDcZ8lVxLdw46rimn9BnmhLJsUCHM492vi/xVgKPE5UUzDQ602NMGLOhlVaBBG0F2x7RBmKeD9aHpTwLc3SR0t3lW8D4zpnDMTgSoRjq9Ei6hGaz1g2MLuQTCptvg0R6TSBmeEVMdG0jz+lSgdjhrtlX3q/jPiKVee4f9NgHLw/JA9HV6d9nB285f/e0rbUWHTrEnnyXqmeOAMpDFm1Nxcg==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"; boundary="----=_NextPart_000_08F5_01D40954.AF9A39D0"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2bc1bc05-c221-48bf-3b09-08d5d79e1f2e
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Jun 2018 17:40:46.9158 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR14MB1730
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/zITxszDlDFbnjIa-M_yvG_OGb6c>
Subject: Re: [Acme] tls-alpn-01 spec: TLS-SNI history
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jun 2018 17:40:55 -0000
So the disagreement is whether the it is sufficient to merely use the name for the DNS lookup, and then accept whatever happens afterwards, or whether the intent was that the web page should be retrieved in much the same way as it is retrieved by browsers. Matching them as closely as possible makes the validation more reliable. Unfortunately, historically, the requirements are underspecified, and there is freedom to implement the validation mechanism badly. There are improvements that were discussed in the excellent discussion in Virginia, but even today, we aren’t there yet. So yes, it is possible by using a very strict, technical reading, an argument can be made that TLS-SNI is compliant. I’m just not a fan of that argument. When the BRs say “retrieve a […] web page”, I believe that includes a responsibility to interpret that provision in a way that meets the intent of the validation method, and doesn’t introduce security risks. -Tim On Thu, Jun 21, 2018 at 8:40 AM, Tim Hollebeek <tim.hollebeek@digicert.com <mailto:tim.hollebeek@digicert.com> > wrote: > TLS-ALPN addresses the latter problem by requiring the server_name to match > the validation target (which is AFACIT also required by the Baseline > Requirements). This stops claiming arbitary names from allowing > misvalidations. This was certainly the intent. Never in over two years of some pretty detailed discussions about the mechanics of validation did anyone ever propose it was reasonable to validate domain name A by contacting the web server for a name that is not A (except for the approved the _prefix stuff). That's not what is done under TLS-SNI.
- Re: [Acme] tls-alpn-01 spec: TLS-SNI history Ryan Sleevi
- Re: [Acme] tls-alpn-01 spec: TLS-SNI history Tim Hollebeek
- Re: [Acme] tls-alpn-01 spec: TLS-SNI history Felipe Gasper
- Re: [Acme] tls-alpn-01 spec: TLS-SNI history Ryan Sleevi
- Re: [Acme] tls-alpn-01 spec: TLS-SNI history Tim Hollebeek
- Re: [Acme] tls-alpn-01 spec: TLS-SNI history Ryan Sleevi
- Re: [Acme] tls-alpn-01 spec: TLS-SNI history Ilari Liusvaara
- [Acme] tls-alpn-01 spec: TLS-SNI history Felipe Gasper