Automated Certificate Management Environment (ACME) TLS Application-Layer Protocol Negotiation (ALPN) Challenge Extension
draft-ietf-acme-tls-alpn-07
Yes
Roman Danyliw
(Alexey Melnikov)
No Objection
(Alissa Cooper)
(Alvaro Retana)
(Deborah Brungard)
(Magnus Westerlund)
(Martin Vigoureux)
Note: This ballot was opened for revision 06 and is now closed.
Roman Danyliw
Yes
Warren Kumari
No Objection
Comment
(2019-10-01 for -06)
Sent
Thank you for this clear, easy to understand and useful document.
Éric Vyncke
No Objection
Comment
(2019-10-02)
Sent
Thank you for this well-written and easy to read document. I have only one COMMENT: Would it be useful to specify the use of "IPv4 or IPv6 address" rather than simply the implicit "address" that I read as indeed IPv4/IPv6 but being explicit will not hurt. -éric
Adam Roach Former IESG member
Yes
Yes
(2019-09-30 for -06)
Sent
Thanks for all the work that has gone into creating a viable TLS-based mechanism for ACME validation. I have one fairly important (yet trivial to fix) comment, and a small number of editorial suggestions. I also have read through the ARTART review, and endorse Martin's comments. Please respond to that review, and incorporate his suggestions as you feel appropriate. --------------------------------------------------------------------------- §1: > The Automatic Certificate Management Environment (ACME) [RFC8555] > standard specifies methods for validating control of domain names via > HTTP and DNS. As a fairly major comment, RFC 8555 is not a standard. See RFCs 2026 and 6410 for details. Please rephrase this text along the lines of: The Automatic Certificate Management Environment (ACME) [RFC8555] specification describes methods for validating control of domain names via HTTP and DNS. --------------------------------------------------------------------------- §3: > The TLS with Application Layer Protocol Negotiation (TLS ALPN) > validation method proves control over a domain name by requiring the > client to configure a TLS server to respond to specific connection > attempts utilizing the ALPN extension with identifying information. This took a couple of readings before I understood what it meant. It might make things clearer if the role of the client were clearer; e.g., "...by requiring the ACME client to configure a TLS server..." This is also true throughout much of this section, where "client" and "server" are used without qualification to talk about ACME clients and ACME servers. Consider qualifying such instances. --------------------------------------------------------------------------- §3: > The client prepares for validation by constructing a self-signed > certificate which MUST contain a acmeIdentifier extension Nit: "...contain an acmeIdentifier..." --------------------------------------------------------------------------- §3: > 3. The AMCE server initiates a TLS connection to the chosen IP > address, this connection MUST use TCP port 443. The ACME server > MUST provide a ALPN extension with the single protocol name > "acme-tls/1" and a SNI extension containing only the domain name > being validated during the TLS handshake. Nit: "...chosen IP address. This connection..." Nit: "...an ALPN..." Nit: "...an SNI..." --------------------------------------------------------------------------- §5: Unlike section 3, this section appears to use unqualified "server" to mean "HTTPS server" or somesuch, rather than "ACME server". These *definitely* need to be qualified.
Alexey Melnikov Former IESG member
Yes
Yes
(for -06)
Not sent
Benjamin Kaduk Former IESG member
Yes
Yes
(2019-09-30 for -06)
Sent
Please respond to the ARTART review; there's some good comments in there about constraining the permitted TLS versions/algorithms, the specifics of the acme-tls/1 (non-)protocol, the use of a different certificate model than RFC 5280, and the (non-)need to complete the TLS handshake. Section 1 "Because no existing software implements this protocol" is not going to age well; perhaps an approach more like "Because this protocol does not build on a preexisting deployment base" would do better. Section 7 the provider. When the TLS SNI challenge was designed it was assumed that a user would only be able to respond to TLS traffic via SNI for domain names they controlled (i.e. if User A registered Host A and User B registered Host B with a service provider that User A wouldn't be able to respond to SNI traffic for Host B). This turns out not to be a security property provided by a number of large service providers. [...] Perhaps I'm misremembering, but I don't think this characterizes exactly the situation that led to the TLS SNI challenge being deemed irredeemable: the issues arise when User B *has not yet* registered Host B, and either the registration validation at the provider was lax or User A could connive to get into the default-SNI handler. The *attack* was possible even when User B has registered Host B, because the validation used a subdomain, as we discuss below, but here we are talking about the SNI routing, which needed to be for an unregistered (or not-validly-registered) name.
Alissa Cooper Former IESG member
No Objection
No Objection
()
Not sent
Alvaro Retana Former IESG member
No Objection
No Objection
(for -06)
Not sent
Barry Leiba Former IESG member
No Objection
No Objection
(2019-09-26 for -06)
Sent
I have only editorial comments below. No response is needed — please just consider incorporating these, as I think they’ll help make the document clearer. — Abstract — This document specifies a new challenge for the Automated Certificate Management Environment (ACME) protocol which allows for domain control validation using TLS. This needs “that” insted of “which”, making the clause restrictive. — Section 3 — Trailing'=' padding characters MUST be stripped. There’s a space missing after “trailing”. The client prepares for validation by constructing a self-signed certificate which MUST contain a acmeIdentifier extension and a “That”, not “which”. The ACME server MUST provide a ALPN extension with the single protocol name "acme-tls/1" and a SNI extension containing only the domain name Change “a” to “an” in both places (unless you realy say “snee” instead of “ess en eye”). — Section 5 — The first assumption is that when a server is being used to serve content for multiple DNS names from a single IP address that it properly segregates control of those names to the users that own The second “that” needs to go; the first one covers it. a TLS request using a SNI value for Host A Again, “an”, unless… — Section 7 — The TLS ALPN challenge exists to replace the TLS SNI challenge defined in the early ACME drafts. This challenge was convenient for service providers who were either operating large TLS layer load What is the antecedent to “this”? Is it th ALPN challenge, or the SNI challenge? I have no idea; please clarify. A security issue was discovered in the TLS SNI challenge by Frans Rosen which allowed users of various service providers to The phrasing would be better this way, to avoid separation of the connected parts (the TLS SNI challenge was not by Frans Rosen): NEW A security issue in the TLS SNI challenge was discovered by Frans Rosen, which allowed users of various service providers to END (i.e. if User A registered Host A and User B registered Host B with a service provider that User A wouldn't be able to respond to SNI traffic for Host B). First, “i.e.” needs a comma after it. Second, I can’t parse this at all. Can you please rephrase it so it makes sense? This turns out not to be a security property provided by a number of large service providers. NEW It turns out that a number of large service providers do not honor this property. END Because of this users were able to respond to SNI traffic I’ve ignored a lot of missing commas, but this one really needs one after “this”. This meant that if User A and User B had registered Host A and Host B respectively User A would be able to claim the SNI name for Host B and when the validation connection was made that User A would be able to answer, proving 'control' of Host B. Comma needed both before and after “respectively”, and another after “made”. — Section 8 — and especially Frans Rosen who discovered the vulnerability in the TLS SNI method which necessitated the writing of this specification. Add a comma after “Rosen”, and change “which” to “that”.
Deborah Brungard Former IESG member
No Objection
No Objection
()
Not sent
Magnus Westerlund Former IESG member
No Objection
No Objection
(for -06)
Not sent
Martin Vigoureux Former IESG member
No Objection
No Objection
(for -06)
Not sent