IETF Logo Mail Archive

[DNSOP] Re: [Ext] Fwd: I-D Action: draft-ietf-dnsop-domain-verification-techniques-10.txt

Erik Nygren <erik+ietf@nygren.org> Sun, 02 November 2025 18:34 UTC

Return-Path: <erik+ietf@nygren.org>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 9E4B480C1E7A for <dnsop@mail2.ietf.org>; Sun, 2 Nov 2025 10:34:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=nygren.org
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OFzdXxYVpDll for <dnsop@mail2.ietf.org>; Sun, 2 Nov 2025 10:34:18 -0800 (PST)
Received: from eos.nygren.org (eos.nygren.org [IPv6:2620:131:f008::e]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 84D8980C1E6A for <dnsop@ietf.org>; Sun, 2 Nov 2025 10:34:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nygren.org; s=eos-4; h=Content-Type:Cc:To:Subject:Message-ID:Date:From:In-Reply-To: References:MIME-Version:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=DNJBn2ZX2DtxXDRlq5s4lde8s2uXO3/TCzd6fEA0qTM=; b=ftDZumfrc4dW5KqCZE3HJ5Vgvo DbAVziEQ/0ZuK6I95LAAOpl8P2mEF4d428F7RHQAvYr2NKiN7PqbvbS2AvqWaYcEe8+kM5Xu877ll grTuJAxON8D4kSYUgi6XWOuKhElS9yAaBisQXQc/PRtjV0tbSP8swrl1jPAdg5IAz7LSZ1yX6aPVN k9uXhKt3wG6dcfLlw5073i/pfdbcZGdxxV1iPaW+CbAkDAkXWVwXJnMHyWXNFiCJpgB1hT5LAHygm PWLES1254g1U9d3v8q1CCFpN6pOvNrPXIC9QMicSFxKEy4XcRKxgi43BFlfjS7eTvWVz102gYdgxA 4TKnDJ2g==;
Received: from mail-lf1-f52.google.com ([209.85.167.52]) by eos.nygren.org with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.95) (envelope-from <erik+ietf@nygren.org>) id 1vFcu7-00H3kl-NP for dnsop@ietf.org; Sun, 02 Nov 2025 13:34:15 -0500
Received: by mail-lf1-f52.google.com with SMTP id 2adb3069b0e04-59303607a3aso4256090e87.0 for <dnsop@ietf.org>; Sun, 02 Nov 2025 10:34:15 -0800 (PST)
X-Gm-Message-State: AOJu0Yxmw+0w5Twu2Q0/9Ac7HDAbNITb5e7cZGChkPmsnkysI0hysatJ KCqm0anC4VyoTKmjvKVYe8Ie2Cdu32XDnlFoGHqbHwUozMKj0Fyr+RMCL5cnNyVVKq6aQNfYCMH 7/ooXkRO4OSsYxhO7gw6rO/bFYEWZ/O8=
X-Google-Smtp-Source: AGHT+IHNgP1uZss28sZVstx10iOd77Yq3uvW10LIM1O1OT1fwcr82SSJGeJ3LpytvEvRSrE1tehcTBKA+zrVvJtIpC4=
X-Received: by 2002:a05:6512:3699:b0:594:253c:209e with SMTP id 2adb3069b0e04-594253c22f4mr922090e87.35.1762108454575; Sun, 02 Nov 2025 10:34:14 -0800 (PST)
MIME-Version: 1.0
References: <176038720443.679481.2264804011039418307@dt-datatracker-84f8f646b-tg6mn> <CADyWQ+FNdZ+Pn7LcHXNX4bh-OLweOHqfKztGxktPYAF5SCrxHA@mail.gmail.com> <233941C5-1C95-472C-9FC1-19821BE47376@icann.org> <CAKC-DJh0EuvDzoWyGT7SPVHqEFOeRE1Bm+pbjQjkCD23pt+Buw@mail.gmail.com> <C8CB845F-4A6F-423B-9891-A1F491522B5F@icann.org>
In-Reply-To: <C8CB845F-4A6F-423B-9891-A1F491522B5F@icann.org>
From: Erik Nygren <erik+ietf@nygren.org>
Date: Sun, 02 Nov 2025 13:34:00 -0500
X-Gmail-Original-Message-ID: <CAKC-DJjnLFk7xopMUXAWssnX-kLA-UfcyWZpw+9pOp1ECaX6eg@mail.gmail.com>
X-Gm-Features: AWmQ_bkoTWDOyU1JgySx7fvwsbj-t60DJZ_ZUDvJHM0-tPShC2RS2DZiuxdYrUU
Message-ID: <CAKC-DJjnLFk7xopMUXAWssnX-kLA-UfcyWZpw+9pOp1ECaX6eg@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Content-Type: multipart/alternative; boundary="0000000000007da2730642a0d8e2"
Message-ID-Hash: VDU2AWMFFJ4RDJ6VANF44THZKLIK6J5H
X-Message-ID-Hash: VDU2AWMFFJ4RDJ6VANF44THZKLIK6J5H
X-MailFrom: erik+ietf@nygren.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [Ext] Fwd: I-D Action: draft-ietf-dnsop-domain-verification-techniques-10.txt
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/wXd9_KNifwNISzs_CuytzS8lfv8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Paul Wouters proposed that we drop the 4086 reference and instead say:

"When Random Tokens are used, they MUST be constructed in a way that
provides sufficient unpredictability to avoid collisions and brute force
attacks."

This is in addition to the text "Application Service Providers MUST
evaluate the threat model for their particular application to determine a
token construction mechanism that guarantees uniqueness and meets their
security requirements."

Does that cover your concerns?

It's not just CAs who have security requirements around DCV.  As an
example, SaaS providers using it to link the enrollment of domains to
customer accounts may care heavily around security, but the details of
their threat model will be specific to their application.

    Erik



On Sun, Nov 2, 2025 at 7:54 AM Paul Hoffman <paul.hoffman@icann.org> wrote:

> On Nov 1, 2025, at 18:18, Erik Nygren <erik+ietf@nygren.org> wrote:
> >
> > I've created a pull request with alternate text:
> >
> >
> https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-domain-verification-techniques/pull/202/files
> [github.com]
> >
> > It replaces the guidance on "MUST be 128 bits" with:
> >
> > One way of constructing Unique Tokens is to use random values which:
> > 1. have adequate entropy to guarantee uniqueness and ensure that an
> attacker is unable to create a situation where a collision occurs.
> > [...]
> >
> > To the Token Collisions security considerations it adds the second two
> paragraphs to:
> >
> > ## Token Collisions If token values aren't long enough, lack adequate
> entropy, or are not unique there's a risk that a malicious actor could
> obtain a token that collides with one already present in a domain through
> repeated attempts.
> > Application Service Providers MUST evaluate the threat model for their
> particular application to determine a token construction mechanism that
> guarantees uniqueness and meets their security requirements.
> > When Random Tokens are used, they MUST be constructed in a way that does
> not have collisions and is not predictable (see {{RFC4086}}).
> > Does this seem better?  Would we want to provide any guidance on minimum
> size?
> > As you point out this varies widely based on the application and its
> threat model.
> >
> > I did not introduce a formal threat model section --- that seems like a
> much larger addition
> > if people feel that it is needed.
>
> Either you have to describe the attack before you describe how to mitigate
> the attack with cryptographically strong keys, or you need to remove the
> un-supported mitigation. I propose you do the latter because the rest of
> the draft works just fine with on-path attackers for everyone other than
> those who need cryptographically strong keys (namely certificate
> authorities).
>
> Said another way, if this draft is really about domain control validation
> for everyone, and only CAs care about that attack, don't even list it. It
> is safe to assume that any CA doing ACME understands the issue.
>
> --Paul Hoffman
>
>

v2.37.1 | Report a Bug | By Email | System Status