Re: [Acme] kinds of proof

Christian Huitema <huitema@microsoft.com> Tue, 02 December 2014 01:18 UTC

Return-Path: <huitema@microsoft.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C03381AC43A for <acme@ietfa.amsl.com>; Mon, 1 Dec 2014 17:18:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LrIhSR8iGClA for <acme@ietfa.amsl.com>; Mon, 1 Dec 2014 17:18:44 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0761.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::761]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9792A1AC42A for <acme@ietf.org>; Mon, 1 Dec 2014 17:18:44 -0800 (PST)
Received: from DM2PR0301MB0656.namprd03.prod.outlook.com (25.160.96.18) by DM2PR0301MB0607.namprd03.prod.outlook.com (25.160.95.23) with Microsoft SMTP Server (TLS) id 15.1.26.15; Tue, 2 Dec 2014 01:18:21 +0000
Received: from DM2PR0301MB0655.namprd03.prod.outlook.com (25.160.96.17) by DM2PR0301MB0656.namprd03.prod.outlook.com (25.160.96.18) with Microsoft SMTP Server (TLS) id 15.1.26.15; Tue, 2 Dec 2014 01:18:21 +0000
Received: from DM2PR0301MB0655.namprd03.prod.outlook.com ([25.160.96.17]) by DM2PR0301MB0655.namprd03.prod.outlook.com ([25.160.96.17]) with mapi id 15.01.0026.003; Tue, 2 Dec 2014 01:18:21 +0000
From: Christian Huitema <huitema@microsoft.com>
To: Peter Bowen <pzbowen@gmail.com>, Randy Bush <randy@psg.com>
Thread-Topic: [Acme] kinds of proof
Thread-Index: AQHQCzpQ0gc5ZtwH40O9AzCFhy8+6Zx2kIoAgAAFu4CAAUCrAIADmfIAgAASxACAAAB08A==
Date: Tue, 2 Dec 2014 01:18:20 +0000
Message-ID: <DM2PR0301MB0655E1CABDDFF7E3198CA2BFA87A0@DM2PR0301MB0655.namprd03.prod.outlook.com>
References: <CAL02cgTgpjQffow2XuaNuT7BtqYVttXdVUgyqBFbsAbN4g0VzQ@mail.gmail.com> <DEC7A8A8-563D-41B3-94AC-71DC7219D3F8@cisco.com> <m27fyg4yzg.wl%randy@psg.com> <547754C0.9050306@cs.tcd.ie> <20141127211348.GE25114@mournblade.imrryr.org> <54784C61.2080508@cs.tcd.ie> <20141128170917.GC285@mournblade.imrryr.org> <88B49E1D-1601-4B86-8D93-14CF71501DFC@vpnc.org> <20141128213724.GG285@mournblade.imrryr.org> <7261AA75-5912-4514-A393-94F602C941C2@vpnc.org> <20141129170537.GK285@mournblade.imrryr.org> <m2tx1ehq63.wl%randy@psg.com> <CAK6vND83ehPaMtKm0i9nX2H+8k-xo_ztuh+fbnETn7HaoZqr3Q@mail.gmail.com>
In-Reply-To: <CAK6vND83ehPaMtKm0i9nX2H+8k-xo_ztuh+fbnETn7HaoZqr3Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e8:ed31::2]
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;SRVR:DM2PR0301MB0656;UriScan:;
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:; SRVR:DM2PR0301MB0656;
x-forefront-prvs: 0413C9F1ED
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(199003)(51704005)(189002)(551934003)(101416001)(46102003)(74316001)(19580395003)(54356999)(15975445006)(77156002)(62966003)(21056001)(54606007)(33656002)(54206007)(106356001)(31966008)(77096004)(68736005)(20776003)(64706001)(120916001)(92566001)(92726001)(93886004)(95666004)(106116001)(99286002)(575784001)(99396003)(86362001)(122556002)(107046002)(40100003)(86612001)(76576001)(2656002)(4396001)(76176999)(97736003)(87936001)(50986999)(105586002)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR0301MB0656; H:DM2PR0301MB0655.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:DM2PR0301MB0607;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/zTmfnyI7P_UaoK_sWfi6do2V_aM
Cc: "acme@ietf.org" <acme@ietf.org>, Viktor Dukhovni <ietf-dane@dukhovni.org>
Subject: Re: [Acme] kinds of proof
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Dec 2014 01:18:46 -0000

>> or dns
>
> Yes, several CAs allow DNS based validation of control.
> https://gist.github.com/pzb/3b57ddac91ccf0e4c814 lists several of the schemes I've seen used.  There is clearly no > standard or even quasi-standard for DNS based validation.

To belabor the obvious: if someone somehow controls the DNS entry for the domain, they can put up a MITM attack and "insert" whatever content is suitable for validation.

Consider the following attack: attacker engages an automated transaction with the CA, simultaneously manages to spoof the DNS entry, gets certificate. That should definitely be part of the threat model.

-- Christian Huitema