On Wed, Oct 3, 2018 at 11:54 AM Benjamin Kaduk <ka...@mit.edu> wrote:
> On Sat, Sep 15, 2018 at 08:51:55PM -0500, Benjamin Kaduk wrote: > > On Fri, Sep 14, 2018 at 03:59:07PM -0400, Daniel McCarney wrote: > > > > My co-author Daniel McCarney is working on the COMMENT comments. > > > > > > > IMPORTANT: I don't think I understand why "nonce" MUST NOT be > present in > > > > the external-binding JWS object, though I think I understand why one > is > > > not > > > > needed in order to bind the MAC to the current transaction. (That > is, > > > this > > > > is in effect a "triply nested" construct, where a standalone MAC that > > > > certifies an ACME account (public) key as being authorized by the > > > > external-account holder to act on behal of that external account. > But > > > this > > > > standalone MAC will only be accepted by the ACME server in the > context of > > > > the outer JWS POST, that must be signed by the ACME account key, > which is > > > > assumed to be kept secure by the ACME client, ensuring that both > > > > key-holding entities agree to the account linkage.) Proof of > freshness of > > > > the commitment from the external account holder to authorize the ACME > > > > account key would only be needed if there was a scenario where the > > > external > > > > account holder would revoke that association, which does not seem to > be a > > > > workflow supported by this document. Any need to effectuate such a > > > > revocation seems like it would involve issuing a new MAC key for the > > > > external account (and invalidating the old one), and > revoking/deactivating > > > > the ACME account, which is a somewhat heavy hammer but perhaps > reasonable > > > > for such a scenario. > > > > Account key rollover just says that the nonce is NOT REQUIRED, and > also > > > > uses some nicer (to me) language about "outer JWS" and "inner JWS". > It > > > > might be nice to synchronize these two sections. > > > > > > I defer on this to the other authors/people that want > > > externalAccountBinding to > > > be a thing. > > > > Okay. I would like to avoid having needless normative requirements if > > there is in fact no reason for this requirement. > > My apologies if I missed it when it went by, but did we ever hear more > about this requirement from the proponents of externalAccountBinding? > Picking this up... I actually have the opposite inclination to you here -- if a field is not used by the protocol, then it should be forbidden, in the spirit of [1]. By that logic, we should also forbid the use of the "nonce" field in roll-over. I think it was just an oversight that we didn't. The security analysis that Bhargavan et al. did long ago did not presume any use of it. I've made a PR making it a MUST NOT: https://github.com/ietf-wg-acme/acme/pull/464 [1] https://tools.ietf.org/html/draft-iab-protocol-maintenance-00 > > Thanks, > > Benjamin > > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme >
_______________________________________________ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
