[Acme] Re: Interactions between HTTPS RRs (rfc9460) and HTTP-01 DV
Richard Barnes <rlb@ipv.sx> Wed, 16 April 2025 14:40 UTC
References: <CAKC-DJiDx7onEahH7KcYHykzf7iqGbOgjKD45BNHcE+AmHgoWg@mail.gmail.com> <22779.1744755025@obiwan.sandelman.ca> <CAKC-DJhaAiepBjTyANko7v5cq0WxtUYVBnOAoFnQnwx-_sZYCw@mail.gmail.com> <1dfc3e86-2f99-4f47-9f5e-e18dd58eb746@cs.tcd.ie> <CAKC-DJgNYOrj5ULiTrwZV0K8OummJ8opRfyJ=DVCYgMdiSoxEg@mail.gmail.com>
In-Reply-To: <CAKC-DJgNYOrj5ULiTrwZV0K8OummJ8opRfyJ=DVCYgMdiSoxEg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 16 Apr 2025 10:40:25 -0400
Message-ID: <CAL02cgS5VAP1kiLgKKwKs4PzFg0_H6kFUxpSoqQ4uOV5+uejMA@mail.gmail.com>
To: Erik Nygren <erik+ietf@nygren.org>
CC: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Michael Richardson <mcr+ietf@sandelman.ca>, IETF ACME <acme@ietf.org>
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/zSDRngwBWTgsCfNPcAp6tGO1Ba4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme>
On Tue, Apr 15, 2025 at 7:22 PM Erik Nygren <erik+ietf@nygren.org> wrote:

> On Tue, Apr 15, 2025 at 7:08 PM Stephen Farrell <stephen.farrell@cs.tcd.ie>
> wrote:
>
>> Hiya,
>>
>> On 15/04/2025 23:50, Erik Nygren wrote:
>> > Thanks. I went ahead and filed an errata for this.
>>
>> That adds: "(The HTTP client must not resolve and/or must ignore
>> any HTTPS DNS RRs [RFC 9460].)"
>>
>> Is that correct? What about aliasMode or different ports? Are we
>> insisting that ACME servers ignore all HTTPS RR content or just
>> some? (Note: I don't claim to know the right answer just now.)
>
> Thanks for pasting here. I should have done that but the text disappeared
> after I clicked submit.
>
> Ignoring all HTTPS RR content seems much safer without thinking through
> the ramifications and interactions.
>
> It should be ignoring the port change there as well (especially as that
> would take you to a secure port, and rfc8555 section 8.3 is quite clear
> on the use of Port 80).
>
> Since HTTPS RRs are all about how to connect to a secure transport
> endpoint and the HTTP-01 is all about starting with insecure HTTP on
> port 80 (at least unless redirected via a 301 redirect), it's unclear
> how to make them play well together without carefully thinking through
> how that should work.
>
> This could be a problem for anything that wanted to only use HTTPS RRs
> (eg, with AliasMode with no A/AAAA records) but that's not practical
> today. There's nothing preventing those from using DNS-01 however.

I agree with this assessment. If you need to do something fancier than
answering on port 80 on the host indicated in the A/AAAA record, use a
different validation method.

On the erratum itself:

1. I would change "must not" to "MUST NOT" since this is important for
interoperability.

2. It does seem like it would be useful to also address the HSTS risk that
Erik's initial email points out.

--Richard
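The following is an added illustration of the point the thread is making, not code from any of the participants, from the ACME WG, or from any CA's validator. It puts the RFC 8555 section 8.3 target-selection rule (connect to TCP port 80 on the A/AAAA addresses of the identifier, ignore HTTPS RRs) next to what a client that honours RFC 9460 HTTPS RRs would do instead (follow an AliasMode target, then apply the ServiceMode "port" SvcParam, default 443). The zone data is constructed in-memory for the example; `www.example.test.`, `edge.cdn.test.` and the addresses are placeholders, and the HTTPS RRs are deliberately set up to pull a naive client to a different host and a non-default port. The parser covers only the subset of the RFC 9460 presentation format needed here.

```python
"""HTTP-01 target selection with and without honouring HTTPS RRs (RFC 9460).

Added example for the thread above; not the working group's or any CA's code.
DNS data is a constructed dict standing in for a resolver.
"""
from dataclasses import dataclass, field


@dataclass
class HttpsRR:
    priority: int
    target: str
    params: dict = field(default_factory=dict)

    @property
    def alias_mode(self) -> bool:
        # RFC 9460: SvcPriority 0 is AliasMode, anything else is ServiceMode.
        return self.priority == 0


def parse_https_rr(rdata: str) -> HttpsRR:
    """Parse the RFC 9460 presentation form '<priority> <target> [key=value ...]'.

    Only the bare key=value SvcParam syntax is handled (enough for 'port' and
    a single-value 'alpn'); quoted or multi-value params are out of scope here.
    """
    fields = rdata.split()
    priority, target = int(fields[0]), fields[1]
    params = {}
    for kv in fields[2:]:
        key, _, value = kv.partition("=")
        params[key] = value
    if priority == 0 and params:
        raise ValueError("AliasMode RR MUST NOT carry SvcParams")
    return HttpsRR(priority, target, params)


# Constructed zone (placeholder names and addresses). The HTTPS RRs steer an
# RFC 9460-aware client to edge.cdn.test. on port 8443, while the identifier's
# own A/AAAA records describe the port-80 origin HTTP-01 is defined against.
ZONE = {
    "www.example.test.": {
        "A": ["192.0.2.10"],
        "AAAA": ["2001:db8::10"],
        "HTTPS": ["0 edge.cdn.test."],          # AliasMode
    },
    "edge.cdn.test.": {
        "A": ["198.51.100.7"],
        "HTTPS": ["1 . alpn=h2 port=8443"],     # ServiceMode, non-default port
    },
}


def addresses(zone, name: str):
    rrsets = zone.get(name, {})
    return rrsets.get("A", []) + rrsets.get("AAAA", [])


def http01_targets(zone, name: str):
    """RFC 8555 s8.3 behaviour: TCP port 80 on the identifier's A/AAAA addresses.

    HTTPS RRs are not consulted at all, which is what the proposed erratum
    requires of the validating server.
    """
    return [(ip, 80) for ip in addresses(zone, name)]


def https_rr_targets(zone, name: str, max_hops: int = 8):
    """Where a client that honours HTTPS RRs would connect instead.

    Follows AliasMode chains (bounded by max_hops), then takes the lowest
    priority ServiceMode record and its 'port' SvcParam (default 443).
    A '.' target means 'this owner name'.
    """
    for _ in range(max_hops):
        rrs = [parse_https_rr(r) for r in zone.get(name, {}).get("HTTPS", [])]
        aliases = [r for r in rrs if r.alias_mode]
        if aliases:
            name = aliases[0].target
            continue
        services = sorted((r for r in rrs if not r.alias_mode), key=lambda r: r.priority)
        if not services:
            break                                # no HTTPS RR: plain https on 443
        rr = services[0]
        host = name if rr.target == "." else rr.target
        return [(ip, int(rr.params.get("port", 443))) for ip in addresses(zone, host)]
    else:
        raise ValueError("AliasMode chain too long")
    return [(ip, 443) for ip in addresses(zone, name)]


if __name__ == "__main__":
    print("HTTP-01 (RFC 8555 s8.3):", http01_targets(ZONE, "www.example.test."))
    print("HTTPS-RR-aware client:  ", https_rr_targets(ZONE, "www.example.test."))
```

Running the block prints the two endpoint lists side by side: the RFC 8555 rule yields `192.0.2.10:80` and `[2001:db8::10]:80`, while the HTTPS-RR-aware path lands on `198.51.100.7:8443`, a different host and a TLS port. That divergence is exactly why the erratum needs to say the validator ignores HTTPS RRs wholesale, port parameters and AliasMode included, rather than only some of their content.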
- [Acme] Re: Interactions between HTTPS RRs (rfc946… Erik Nygren
- [Acme] Interactions between HTTPS RRs (rfc9460) a… Erik Nygren
- [Acme] Re: Interactions between HTTPS RRs (rfc946… Michael Richardson
- [Acme] Re: Interactions between HTTPS RRs (rfc946… Stephen Farrell
- [Acme] Re: Interactions between HTTPS RRs (rfc946… Erik Nygren
- [Acme] Re: Interactions between HTTPS RRs (rfc946… Richard Barnes
- [Acme] Re: Interactions between HTTPS RRs (rfc946… Erik Nygren
- [Acme] Re: Interactions between HTTPS RRs (rfc946… Benjamin Kaduk
- [Acme] Re: Interactions between HTTPS RRs (rfc946… Michael Richardson
- [Acme] Re: Interactions between HTTPS RRs (rfc946… Richard Barnes
- [Acme] Re: Interactions between HTTPS RRs (rfc946… Erik Nygren
- [Acme] Re: Interactions between HTTPS RRs (rfc946… Martin Thomson