Re: [Acme] Automated procedure for DNS challenge records?

2017-07-06 Thread Rene 'Renne' Bartsch, B.Sc. Informatics 



Am 07.07.2017 um 07:10 schrieb Eliot Lear:

Just a caution that configuration for 2138 is not always straight
forward and in implementation and deployment sometimes has interactions
with other functions.  I suggest that someone who really wants to do the
standardization here install a version of opendnssec and get things
working with that code running.  Documenting those steps would prove
useful (he says having chosen another form of auth, having been down
this road).


After the information of my DNS server provider not having any interface 
for automated operations I have given up the RFC 2136 approach. In my 
opinion a solution with dynamic records is way to complicated. The 
easier solution is if every ACME-client creates a static asymmetric key 
pair. The operator can add the public key manually to the DNS records 
and the ACME-client uses the private key for authorization with the CA.


___
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme

Re: [Acme] Automated procedure for DNS challenge records?

2017-07-06 Thread Rene 'Renne' Bartsch, B.Sc. Informatics 



Am 07.07.2017 um 03:56 schrieb Alan Doherty:

At 09:40 06/07/2017  Thursday, Rene 'Renne' Bartsch, B.Sc. Informatics wrote:

You think there should be a proprietary plug-in for any combination of DNS-provider 
<-> ACME-client?

not at all
(only mentioned plugin as many acme clients use separately maintained plugins 
for each/every challenge type (as thats how they roll)
obviously monolithic ones such as the LE clients add support for whatever 
dns-providers they wish themselves
but as with all challenge types having an optional (call user provided script X 
to update dns/http/etc is worthwhile so people can roll their own)



Creating DNS challenges on the fly makes things quite complicated. Another way 
to circumvent the whole challenge protocol for DNS would be to let the 
ACME-client create a static RSA-key-pair an publish the public key in die 
ACME-TXT-record. The ACME-client connects to the CA-server via TLS with it's 
private key and the CA-server just checks if the public key in the 
_acme-challenge.xxx.xxx TXT-record matches the private key of the TLS 
connection.

I disagree its no more/less easy http challenge on-the-fly
I suspect Im not the only one running my own private and acl'd off from 
internet, api on my dns master that receives updates, edits the zone and 
responds when complete (to avoid exposing a public api that may be brute forced)
and I run a (3rd party) acme(letsencrypt) client that calls my 
client-side-script for each challenge (these talk to my private api on the 
master dns server)


all im saying is there are 3 sides to the conversation

client <1> acme-server <2> dns/http/other-auth-system <3> client

I think acme should only codify the communication on the two sides that the 
acme-server converses on
as client developers can decide to support/neglect as many (or few) auth types 
and http/dns/other providers as they like


A lot of DNS server providers do not allow to modify the zones on the 
fly. My DNS server provider e.g. uses a hidden primary DNS for security 
reasons. Changing zones is only possible manually via the web-interface. 
A lot of other DNS server providers limit the update rate or use 
timeouts. DNS was explicitly planned as a non-real-time system. In that 
cases e.g. CertBot runs always in timeouts and cannot work 
automatically. A static key in the DNS zone would solve that problem.


___
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme

Re: [Acme] Automated procedure for DNS challenge records?

2017-07-06 Thread Alan Doherty 
At 09:40 06/07/2017  Thursday, Rene 'Renne' Bartsch, B.Sc. Informatics wrote:
>You think there should be a proprietary plug-in for any combination of 
>DNS-provider <-> ACME-client?

not at all
(only mentioned plugin as many acme clients use separately maintained plugins 
for each/every challenge type (as thats how they roll)
obviously monolithic ones such as the LE clients add support for whatever 
dns-providers they wish themselves
but as with all challenge types having an optional (call user provided script X 
to update dns/http/etc is worthwhile so people can roll their own)


>Creating DNS challenges on the fly makes things quite complicated. Another way 
>to circumvent the whole challenge protocol for DNS would be to let the 
>ACME-client create a static RSA-key-pair an publish the public key in die 
>ACME-TXT-record. The ACME-client connects to the CA-server via TLS with it's 
>private key and the CA-server just checks if the public key in the 
>_acme-challenge.xxx.xxx TXT-record matches the private key of the TLS 
>connection.

I disagree its no more/less easy http challenge on-the-fly
I suspect Im not the only one running my own private and acl'd off from 
internet, api on my dns master that receives updates, edits the zone and 
responds when complete (to avoid exposing a public api that may be brute forced)
and I run a (3rd party) acme(letsencrypt) client that calls my 
client-side-script for each challenge (these talk to my private api on the 
master dns server)


all im saying is there are 3 sides to the conversation

client <1> acme-server <2> dns/http/other-auth-system <3> client

I think acme should only codify the communication on the two sides that the 
acme-server converses on
as client developers can decide to support/neglect as many (or few) auth types 
and http/dns/other providers as they like 







>Am 05.07.2017 um 03:08 schrieb Alan Doherty:
>>+1
>>
>>agreed the acme client design (plugins/modules/supported server architectures 
>>etc) should really be down to the implementors/designers
>>
>>as some smaller ones will only talk acme + http-01 + 1 specific server (say 
>>acme client built into server/device)
>>
>>others may offer many/all auth mechanisms and server architectures (and dns 
>>apis)
>>
>>the WG is realy concerned with the api (and CA server reactions (and 
>>expectation of responses)
>>the myriad clients should handle the third side or the triangle
>>
>>client <--> acme-ca  <> client selected 3rd party
>>client <-out of scope-> client selected 3rd party
>>
>>(3rd party as the webserver or dns provider can be entirely separate)
>>
>>At 15:28 04/07/2017  Tuesday, Daniel McCarney wrote:
>>>I agree with the others that have shared the opinion that this is outside of 
>>>the scope of ACME and this WG.
>>>
>>>In my opinion we shouldn't reinvent the wheel. With RFC 2138 (DynDNS) there 
>>>is already a protocol for clients to add/update/delete resource records on 
>>>DNS servers. Most DNS server softwares support RFC 2136 out of the box. We 
>>>just have to define a protocol to use (-> RFC 2136) in the ACME client.
>>>
>>>
>>>That's exactly right. At least one ACME client (Certbot) has been working on 
>>>support for RFC 2136 
>>>(https://github.com/certbot/certbot/pull/4701)
>>> in addition to one-off provider specific DNS APIs.
>>>
>>>If you need a generic way to update DNS dynamically RFC 2138 is it. If your 
>>>DNS provider doesn't support RFC 2136 it seems hard to imagine you could 
>>>convince them to adopt a newly invented ACME DNS update scheme.
>>>
>>>- cpu
>>>
>>>On Mon, Jul 3, 2017 at 12:46 PM, Rene 'Renne' Bartsch, B.Sc. Informatics 
>>><i...@bartschnet.de> wrote:
>>>
>>>
>>>Am 03.07.2017 um 18:28 schrieb Salz, Rich:
>>>For a fully automated validation process the ACME-client needs some kind of
>>>protocol/interface to add/update/remove the DNS challenge records on the
>>>primare DNS server.
>>>
>>>This is out of scope for our WG, but since we are looking at rechartering, 
>>>it could be brought within scope.
>>>
>>>But I think programmatic maintenance of DNS records should probably be done 
>>>within the DNS groups.
>>>
>>>
>>>In my opinion we shouldn't reinvent the wheel. With RFC 2138 (DynDNS) there 
>>>is already a protocol for clients to add/update/delete resource records on 
>>>DNS servers. Most DNS server softwares support RFC 2136 out of the box. We 
>>>just have to define a protocol to use (-> RFC 2136) in the ACME client.
>>>
>>>
>>>___
>>>Acme mailing list
>>>Acme@ietf.org
>>>https://www.ietf.org/mailman/listinfo/acme
>>>
>>>
>>>___
>>>Acme mailing list
>>>Acme@ietf.org
>>>https://www.ietf.org/mailman/listinfo/acme
>>___
>>Acme mailing list
>>Acme@ietf.org
>>https://www.ietf.org/mailman/listinfo/acme
>

Re: [Acme] Consensus -- CAA draft to WGLC?

2017-07-06 Thread Salz, Rich 
So let's see.  Can we live with this?

Create a spec-required registry for validation method names.

Do not reference CABF docs.

Change the CA sample names from A B to X Y or foo bar or this that or whatever.

___
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme

Re: [Acme] Automated procedure for DNS challenge records?

2017-07-06 Thread Patrick Figel 
On 7/6/17 10:40 AM, Rene 'Renne' Bartsch, B.Sc. Informatics wrote:
> You think there should be a proprietary plug-in for any combination of
> DNS-provider <-> ACME-client?

The best case would be RFC 2138, but that's not something that can be
enforced.

> Creating DNS challenges on the fly makes things quite complicated.
> Another way to circumvent the whole challenge protocol for DNS would be
> to let the ACME-client create a static RSA-key-pair an publish the
> public key in die ACME-TXT-record. The ACME-client connects to the
> CA-server via TLS with it's private key and the CA-server just checks if
> the public key in the _acme-challenge.xxx.xxx TXT-record matches the
> private key of the TLS connection.

I don't think this option is viable in the Web PKI today, given current
CA/B Forum policies. The Baseline Requirements state that either a
Random Value or a (single-use) Request Token must be part of the DNS
record used for validation.

I'm inclined to agree that some sort of key-based validation would be
beneficial both from a UX perspective and in order to avoid situations
where API keys for DNS servers are stored on web servers for no reason
other than challenge validation. Naturally, demonstrating ownership of a
key that's published in the DNS is not quite the same thing as
demonstrating the ability to change records on demand, given that keys
can leak, but the same can be said for API keys. I would say that a
situation where the attacker has the ability to issue a certificate is
preferable to one where they have both the ability to issue a
certificate *and* change DNS records at will, saving them the trouble of
finding some other way to intercept traffic.

Do other WG members feel similar to this, and should this be brought up
on the CA/B Forum mailing list?

Patrick


> Am 05.07.2017 um 03:08 schrieb Alan Doherty:
>> +1
>>
>> agreed the acme client design (plugins/modules/supported server
>> architectures etc) should really be down to the implementors/designers
>>
>> as some smaller ones will only talk acme + http-01 + 1 specific server
>> (say acme client built into server/device)
>>
>> others may offer many/all auth mechanisms and server architectures
>> (and dns apis)
>>
>> the WG is realy concerned with the api (and CA server reactions (and
>> expectation of responses)
>> the myriad clients should handle the third side or the triangle
>>
>> client <--> acme-ca  <> client selected 3rd party
>> client <-out of scope-> client selected 3rd party
>>
>> (3rd party as the webserver or dns provider can be entirely separate)
>>
>> At 15:28 04/07/2017  Tuesday, Daniel McCarney wrote:
>>> I agree with the others that have shared the opinion that this is
>>> outside of the scope of ACME and this WG.
>>>
>>> In my opinion we shouldn't reinvent the wheel. With RFC 2138 (DynDNS)
>>> there is already a protocol for clients to add/update/delete resource
>>> records on DNS servers. Most DNS server softwares support RFC 2136
>>> out of the box. We just have to define a protocol to use (-> RFC
>>> 2136) in the ACME client.
>>>
>>>
>>> That's exactly right. At least one ACME client (Certbot) has been
>>> working on support for RFC 2136
>>> (https://github.com/certbot/certbot/pull/4701)
>>> in addition to one-off provider specific DNS APIs.
>>>
>>> If you need a generic way to update DNS dynamically RFC 2138 is it.
>>> If your DNS provider doesn't support RFC 2136 it seems hard to
>>> imagine you could convince them to adopt a newly invented ACME DNS
>>> update scheme.
>>>
>>> - cpu
>>>
>>> On Mon, Jul 3, 2017 at 12:46 PM, Rene 'Renne' Bartsch, B.Sc.
>>> Informatics <i...@bartschnet.de> wrote:
>>>
>>>
>>> Am 03.07.2017 um 18:28 schrieb Salz, Rich:
>>> For a fully automated validation process the ACME-client needs some
>>> kind of
>>> protocol/interface to add/update/remove the DNS challenge records on the
>>> primare DNS server.
>>>
>>> This is out of scope for our WG, but since we are looking at
>>> rechartering, it could be brought within scope.
>>>
>>> But I think programmatic maintenance of DNS records should probably
>>> be done within the DNS groups.
>>>
>>>
>>> In my opinion we shouldn't reinvent the wheel. With RFC 2138 (DynDNS)
>>> there is already a protocol for clients to add/update/delete resource
>>> records on DNS servers. Most DNS server softwares support RFC 2136
>>> out of the box. We just have to define a protocol to use (-> RFC
>>> 2136) in the ACME client.
>>>
>>>
>>> ___
>>> Acme mailing list
>>> Acme@ietf.org
>>> https://www.ietf.org/mailman/listinfo/acme
>>>
>>>
>>> ___
>>> Acme mailing list
>>> Acme@ietf.org
>>> https://www.ietf.org/mailman/listinfo/acme
>> ___
>> Acme mailing list
>> Acme@ietf.org
>> https://www.ietf.org/mailman/listinfo/acme
> 
>

Re: [Acme] Automated procedure for DNS challenge records?

2017-07-06 Thread Salz, Rich 
> You think there should be a proprietary plug-in for any combination of DNS-
> provider <-> ACME-client?

The question is backwards.

Does there have to be an open standard for any DNS provider/ACME client?

There is an important distinction.

___
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme

Re: [Acme] Consensus -- CAA draft to WGLC?

2017-07-06 Thread Martin Thomson 
On 6 July 2017 at 20:07, Hugo Landau  wrote:
> Vendor-assigned identifiers could be supported as such:
>   vnd:example.com/custom-method

RFC 6648 explains why vendor-prefixes can be a bad idea.  I think that
you should do as Yaron suggested and establish a registry.  Set the
bar low (specification required would be my choice) and then CABF can
make a new entry as they see fit.  In particular, do away with
attaching some sort of semantic to prefixes.

> 2. Adding a reference to CABF is weird

This I agree with.

___
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme