Re: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call for adoption draft-frield-acme-subdomains)

At 13:04 21/01/2020 Tuesday, Ryan Sleevi wrote: >On Tue, Jan 21, 2020 at 7:14 AM Owen Friel (ofriel) ><ofr...@cisco.com> wrote: >> Also, the linked document states: >> >>Â Â The call flow illustrates the DNS-based proof of ownership mechanism, >>Â Â but the subdoma

Re: [Acme] Warren Kumari's Discuss on draft-ietf-acme-ip-07: (with DISCUSS and COMMENT)

At 16:25 01/10/2019 Tuesday, Warren Kumari via Datatracker wrote: trimmed >This is either a huge issue, or a complete non-event -- I'm not sure which - >please help me understand / convince me I'm missing something. imho non event >Contrived, but simple example scenario: My local coffeeshop ru

Re: [Acme] http-01 and jws thumbnail

i have all the sites 301 redirect .well-known/acme-challenge/ to http://the-one-name-running-acme-client/.well-known/acme-challenge/ thus sites distributed across many physical servers and ones like https://blah.com that normally 301 to https://www.blah.com all validate At 11:55 16/07/2019 Tue

Re: [Acme] Please consider adding server authentication

and i really don't want to discuss attacks because it is >useless and endless discussion, so please Alan first forgive my English (may >be i wasn't clear) and pretty please don't steer the this thread/subject away >from its topic. > > >Best reagrds, > >K. Obai

Re: [Acme] Please consider adding server authentication

issue by issuing valid certs issuing invalid certs is the same as refusing service but more costly effort wise for the mitm thus pointless i have a private key, i have a public key, i the acme-client-owner created both a cert is just ((my public key)+a cryptographic signature vouching f

Re: [Acme] Please consider adding server authentication

and never transmitted) can be 'compromised' by design only public information is transmitted between the acme-client and acme-server At 15:56 23/10/2018 Tuesday, Kas wrote: >On 10/23/2018 4:52 PM, Alan Doherty wrote: >>again your talking about stuff unrelated to acme >>(and unlik

Re: [Acme] Please consider adding server authentication

again your talking about stuff unrelated to acme (and unlikely to potentially effect acme) your talking about inherent problems with https (or all public key cryptography) (thus only addressable/fixable by https related ietf groups) acme cannot (and should not) expect its users to develop/run/use

Re: [Acme] Please consider adding server authentication

>Acme server is CA server and shouldn't need a root store to be validated or >trusted, that root store can be easily manipulated even by a software, even >without locally manipulation the MitM can issue a certificate to the client by >simply hijacking the connection and having certificate issu

Re: [Acme] example.com is used all over the draft

or both From section 2 : "The CA verifies that the client controls the requested domain name(s) by having the ACME client perform some action(s) that can only be done with control of the domain name(s). For example, the CA might require a client requesting example.org to provision DNS record u

Re: [Acme] Feature Request: dns-02

i think its because acme is designed to be interactive/interrogative proof of control as opposed to proof the acme client had control at some point in the past (but no guarantee its still the case) At 09:55 12/09/2018 Wednesday, Tobias Erichsen wrote: >Content-Language: de-DE >Content-Type:

Re: [Acme] ACME breaking change: Most GETs become POSTs

At 16:03 10/09/2018 Monday, Erica Portnoy wrote: >> I think you must have >> as all this discussion relates to traffic from acme-client to acme-server >> thus both https >> and obviously 1 known api/name >> >> you seem to be discussing traffic to an acme-customer's webserver > >Yes, because

Re: [Acme] ACME breaking change: Most GETs become POSTs

At 00:48 08/09/2018 Saturday, Erica Portnoy wrote: >Hello all, > >Just read through the discussion, hope I've misunderstood something here! Here >goes: I think you must have as all this discussion relates to traffic from acme-client to acme-server thus both https and obviously 1 known api/name

Re: [Acme] Alexey Melnikov's No Objection on draft-ietf-acme-acme-14: (with COMMENT)

At 17:07 29/08/2018 Wednesday, Daniel McCarney wrote: >>Â I think SHOULD basically makes redirects non interoperable. I think a bit >>more text explaining why SHOULD or change this to MUST. Also, if there are >>some security issues related to redirects, adding a pointer here would be >>good. >

Re: [Acme] acme-ip reverse-dns discussion

At 16:04 29/03/2018 Thursday, James Cloos wrote: >>>>>> "AD" == Alan Doherty writes: > >AD> with all our sub-24 ranges we just have the owner setup > >AD> uuu.xx.yy.zz.in-addr.arpa cname uuu.xx.yy.zz.r-ptrs.orionnetworks.ie. > >AD> then w

Re: [Acme] acme-ip reverse-dns discussion

i did mail the author with the textual changes needed to explicitly handle multiple ptrs but no response - apologies for direct contact as im not aware of protocol but wanted to suggest amendments to https://datatracker.ietf.org/doc/dra

Re: [Acme] acme-ip reverse-dns discussion

At 18:46 28/03/2018 Wednesday, Matthew D. Hardeman wrote: >>There's actually a larger problem here that's been overlooked as far as I can >>tell. Specifically, an operator of a site may not have authoritative control >>of the reverse DNS zone unless they are the owner of of the internet routab

Re: [Acme] acme-ip reverse-dns discussion

At 14:54 28/03/2018 Wednesday, Michael Casadevall wrote: >Content-Type: multipart/alternative; > boundary="834EF402DF7BD9A4D3D7E1FB" >Content-Language: en-US > > > >On 3/27/2018 9:15 PM, Eric Rescorla wrote: >> >> >>On Wed, Mar 21, 2018 at 1:55 PM, Roland Bracewell Shoemaker >><

Re: [Acme] acme-ip reverse-dns discussion

how about a dual/combined solution ie ptr lookup (returns list of names) validation lookup of txt record (as per current spec) for one of those names, proves longevity of control + http-get for http://ip-address/.well-known/acme-challenge/etc to prove current control of the ip (same challenge t

Re: [Acme] acme-ip reverse-dns discussion

I'm pro moving forward (i personally want my SANs to include the machines ips so anyone connecting via ip doesn't have to click through a security warning before being redirected to the correct name, yes 0 - minimal legitimate users would try the ip, but same for many of the names in my SAN id j

Re: [Acme] Discovery of directory URL

I wouldn't be a fan At 19:02 12/03/2018 Monday, Azoff, Justin S wrote: >I've been investigating the possibility of offering an ACME compatible >endpoint for local users >to use to obtain certificates through our normal CA process. One of the >issues I have identified >is that if I were to run

Re: [Acme] Assisted-DNS challenge type

but then if example.com sets up such a record pointed at letsencrypt (or other) how does my client (or theirs) ever prove which is actually a legitimate applicant for certs for example.com?? the idea of a challenge is its only known to the client that requested the cert thus has to be returned t

Re: [Acme] Wildcard certificate via http-01

I would second this proposal but as for all my domains where we need wildcard certs do not have wildcards in dns like I instruct users to pop from username.pop3a.example.org smtp to username.smtps.example.org or https api to api-key.api.example.com for other stuff specifically so when username/

Re: [Acme] Issuing a cert with a superset of requested identifiers

surely public loadbalancer with acme SAN loadbalancer process with its own internal cert thus 2 separate connections same as would be used if internal process was http without ssl (aka 3) or if as you imply internal ssl is unvalidated (process names are not known to callers thus CA trusted

Re: [Acme] Automated procedure for DNS challenge records?

s client developers can decide to support/neglect as many (or few) auth types and http/dns/other providers as they like >Am 05.07.2017 um 03:08 schrieb Alan Doherty: >>+1 >> >>agreed the acme client design (plugins/modules/supported server architectures >>etc)

Re: [Acme] Automated procedure for DNS challenge records?

+1 agreed the acme client design (plugins/modules/supported server architectures etc) should really be down to the implementors/designers as some smaller ones will only talk acme + http-01 + 1 specific server (say acme client built into server/device) others may offer many/all auth mechanisms

Re: [Acme] Fwd: New Version Notification for draft-shoemaker-acme-ip-00.txt

all i know is if i browse to http://the-ip-of-my-site i hit the vhost that matches the name the-ip-of-my-site not the default vhost for 'empty hostname' so i know that no http1.1 browser seen yet sends empty host header when browsing to an ip (as the empty/unmatched host header vhost responds wi

Re: [Acme] Generating nonces probabilistically in 6.4.1. Replay-Nonce

At 11:46 28/03/2017 Tuesday, Martin Thomson wrote: >I agree with Jacob here. MUST seems appropriate, but requiring >uniqueness absolutely imposes a constraint on server design that is so >onerous that I would see it as impractical. (Also, the document >doesn't really identify a scope for this un

Re: [Acme] Fwd: New Version Notification for draft-shoemaker-acme-ip-00.txt

At 00:28 28/03/2017 Tuesday, Richard Barnes wrote: >Thanks, Roland. Interesting draft. > >Couple of first reactions: > >- Why use the target of the PTR instead of just provisioning the TXT record >directly in the reverse DNS.  (Is there some restriction in the spec for >reverse DNS that says

Re: [Acme] Possible IETF meeting agenda item: reducing effects of key-compromise

At 21:08 22/03/2017 Wednesday, Roland Shoemaker wrote: >Internally at LE we have been having discussions around how the spec can >most effectively reduce the harm of account key compromise and it seems >like it could be a good topic to bring up at the upcoming IETF meeting. > >We've come up with t

Re: [Acme] Challenge names in final RFC

+1 At 04:28 14/03/2017 Tuesday, Roland Shoemaker wrote: >I'd argue that removing the challenge version numbers adds unnecessary >complexity to the specification and any existing implementations going >forward. > >Existing servers and clients will need to have some kind of mapping from >the draft

Re: [Acme] Final thoughts on draft-ietf-acme-acme-05

i think to issue wildcards (with minimal issues for validation, but direct owner allow/dissalow) some well-known-subdomain could be used example acme-wildcard-auth.parent.tld must exist for *.parent.tld to be applied for or acme-wildcard-CAuniquestring-auth.parent.tld if you want to make it

Re: [Acme] HPKP in ACME

I would concur that clients should endeavour to support (and thusly CAs can consider using in future, when support is available in wider librarys) but because of the risks they should only consider doing so if/when all their processes are in place to ensure failures can't occur but how best to

Re: [Acme] Host Selection during Challenge

i think its unlikely to be needed as there are much simpler options example i have a san for a cluster of mirror servers (same private key on all imported once during setup) then 1 name in dns pointed only at the 'master' (one running the letsencrypt cron job) acme.domain.tld all other names (th

Re: [Acme] RFC draft-ietf-acme-acme-02 - tls SNI name

At 16:31 14/10/2016 Friday, Ben Irving wrote: >On Thu, Oct 13, 2016 at 1:10 PM Alan Doherty ><<mailto:i...@alandoherty.net>i...@alandoherty.net> wrote: >At 17:39 13/10/2016Â Thursday, Ben Irving wrote: >>Hello, >> >>I have ran into a very similar us

Re: [Acme] RFC draft-ietf-acme-acme-02 - tls SNI name

At 17:39 13/10/2016 Thursday, Ben Irving wrote: >Hello, > >I have ran into a very similar use case. In my case I'm using Haproxy to route >tcp requests based on the server name indication to upstream web servers where >the TLS request is terminated. The ACME client is also running on these >ups

Re: [Acme] Combine "requirements" and "authorizations."

if this is being done surely ToS status could be just another required-authorisation (whichever term becomes the new one) eg if the account has previously agreed the tos-required-auth is still valid if the account has not agreed since new ToS (despite oob mail etc)(that CA requires updated ag

Re: [Acme] Simplifying ToS agreement

sorry to drop in on thread (i have no horse in this race but i think people may be speaking at crossed purposes here) i think one is saying a ToS agreement phase after first setup of client (ie once human is gone and system is expected to autorenew every xx days all by itself) cannot be done by

Re: [Acme] Support issuing certificates to subdomains when top level domain-ownership can be verified

currently they can in the acme client one method is dns auth (the client is run on the machine with access to dns records and authenticates each at same time) another used by many is as the client follows redirections on primary domain and each sub-domain server redirect /acme-url/ to acme.pri

Re: [Acme] cache poisoning

btw cache poisoning is however an idea acme should consider so it could mandate the verification by CA backends of all dns verification lookups via unrelated sources aka i submit a http-01 auth of www.my.com it looks up www.my.com on local dns and performs the verification it also looks up www.m

Re: [Acme] Short term certificates - two options

talking MITM attacks here, not regular >operation. The attacker can spoof DNS, e.g. by colluding with a local ISP. > >Thanks, >Yaron > >On 25/07/16 20:36, Alan Doherty wrote: >>i have to ask how/why would you be sending the user to said cdn supplier (via >>dns) >&

Re: [Acme] Short term certificates - two options

i have to ask how/why would you be sending the user to said cdn supplier (via dns) in the first place for them to see said expired cert (plus warnings if client gives them) i agree, user/owner sudden distrust of a previously trusted cdn is the worst possible reason to demand CAs provide a metho

Re: [Acme] ACME and CDNs

in short if you hand control of your website content (cdn or not) hosting or dns hosting or mail hosting to a 3rd party they can obtain unauthorized certificates for the domains they control (including yours) with or without ACME (all other year or more CAs have options requiring just a dns recor

Re: [Acme] HTTP and DNS Challenge string

im fairly certain the interactive nature of the acme protocol is a designed security feature, not flaw as ground up its entirely directed at automated use, thus the short ttl on certs (and the ephemeral nature of authenticator tokens) if pre-setup of authentication credentials was possible it in

Re: [Acme] wildcard validation

At 08:02 21/03/2016 Monday, Niklas Keller wrote: >i would propose for either http or dns verification requiring at least a >temporary wilcard in dns >then for the verification server to either lookup >http://random-ge

[Acme] wildcard validation

off topic and possibly inappropriate introduction but i can see a potential issue in our (and others) future when it comes to using acme/letsencrypt SAN certs in a CDN environment as before we get to actual subdomains running separate sites we tend to ave a minimum of (on our current cdn/reverse