-
-
Notifications
You must be signed in to change notification settings - Fork 601
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support SRV-ID #1309
Comments
This should probably be retitled "Support SRV-ID". Which would indeed be nice. I suppose certificates for any SRV-ID should be offered if hostname control is proven. You can still control the dissemination of certificates to different daemons, giving SRV-ID a small amount of meaning. |
If boulder has an authorization for DNS-name XXX, I believe should allow X509v3 Subject Alternative Names in the following form:
For XMPP, this is:
|
SRV-ID support is a major requirement for allowing XMPP-server-as-a-service implementations. If I am the owner of If the owner of |
@ge0rg This is interesting. This suggests that rather than granting SRV-ID when hostname control is proven, as I suggested above, the ACME protocol should be extended so that authorization for a SRV-ID can be obtained explicitly. There is one hiccup with challenges; a SRV-ID does not specify a transport layer protocol but SRV does, so this change to the spec would need to specify some mapping for the purposes of name resolution for the purposes of challenge verification. A simple solution would be to always use TCP, which makes sense since all challenge methods which connect to the host use it anyway. |
@hlandau I consciously left out ACME from my prior comment to reduce confusion. The alternative approach would be indeed to extend ACME in a way that allows limiting domain authorization to a certain service type, using that type of service for challenge verificattion in the first place, i.e. make the ACME server contact the XMPP server via XMPP to obtain an XMPP-only certificate. But this looks like a much bigger implementation burden to me, compared to letting the domain owner do the hard work. On the other hand, it would make certificate automation feasible. I haven't looked deeply into DNS-based verification yet, but I could also imagine something along the lines of:
Indeed, SRV-ID is protocol agnostic, but I think you are right that it makes sense to use TCP for challenge verification, as it is less susceptible to address manipulation attacks. |
I understand that this issue was not filed against the ACME protocol spec, but despite the risk of confusion I think it's worth discussing how the protocol would interact with this feature. Obviously the CA shouldn't blindly trust SRVName subject alternative names in CSRs, so the protocol must be involved somehow.
I'm assuming that in your example the ACME server chose If so, this would require Fortunately, it is not necessary to involve Validating a request for a SRVName SAN of How about this procedure:
ExampleSuppose a company owns
The entire ACME process could look like this:
|
@rhanden I'm not really sure where you are heading to. The issue I want to solve is delegation of (XMPP) service operations without exposing a full DNS-ID certificate to third parties. I see two alternative approaches to solve this problem: Domain Owner obtains CertificateThe domain owner of The domain owner already has proven ownership (by means that are out of scope for the discussion). Therefore they are eligible to a certificate containing any valid SRV-IDs for their domain, as the SRV-ID is a weaker ownership assertion than the DNS-ID they can get under the currrent rules. This approach does not require touching the ACME protocol, but it can not be as easily automated, as the domain owner and service operator need to collaborate for each new certificate. It also precludes the service operator from getting a single certificate containing SRV-IDs for multiple customers. Still, this can be probably achieved with a bunch of cronjobs at both parties, and I would consider this a reasonable short-term solution to the problem. The only possible restriction I can see here is a whitelist of allowed service names that can be prepended to the domain part. Service Operator obtains CertificateOf course it would be much easier (to automate) if the service operator ( Therefore I sketched a proposal to allow the service operator to prove "service ownership" to the CA, i.e. "I am operating the XMPP service(s) for Such a feature is obvioulsy much more complex to pull off, as it requires multiple changes in the design:
@rhansen Your proposal sounds like it implements another way for a client to prove domain ownership, by using a new DNS SRV record to tell the ACME server where the ACME client is located. It looks off-topic for issuing SRV-IDs and for the service delegation problem, so I'd suggest to put it into a separate ticket against ACME or boulder. |
I believe the proposal I made (the enumerated list above the "Example" section in my comment) addresses this on the server (boulder) side. It assumes the "domain owner obtains the certificate" approach. (The client would be responsible for ensuring that the CSR it sends to the server does not include any dNSName SANs, but that's out of scope for this issue.)
Ahh, now I understand why your earlier comment has the server checking
The part of my comment in the "Example" section is not intended to be a proposal, just an example of how the "domain owner obtains certificate" approach could work for XMPP. The existing HTTP-01 and TLS-SNI-01 identifier validation challenges don't really work well for XMPP, so I made up a new one to have a better story.
Thinking about it more, the identifier validation challenge I made up in my example could work for the "service operator obtains certificate" approach. Whether it would work depends on how the hypothetical "acme-verify" protocol implied by the example would operate. That protocol could be designed so that the host named by the
Looks like someone has already proposed something similar but not as potentially expressive: ietf-wg-acme/acme/pull/83 |
Ah, indeed. I don't know enough about boulder's internal processing when CN or SANs from the CSR are considered "incomplete", so the clarifications in 4.-6. do make sense. [service operator obtains certificate]
That means adding delegation of ownership validation into the ACME protocol? I'd rather keep it "simple" by using the expressiveness of already deployed protocols. My first idea was for the ACME server to follow SRV records during TXT-based ownership validation (#1309 (comment)). Another possibility would be to "restrict" the delegation by inserting protocol tokens into the proposed SRV validation (ietf-wg-acme/acme#83) record: Let the SRV record be constructed as Both variants should work without changing the ACME protocol (provided that |
Yes, but the concept of delegation only needs to exist in the identifier validation challenge protocol. (HTTP-01 and DNS-01 already support delegation. For HTTP-01, just do a 301 or 302 redirect to the 3rd party, or if ietf-wg-acme/acme#83 is accepted then use that SRV record to delegate. For DNS-01, create a CNAME pointed at the 3rd party.)
It may be possible to use the existing DNS identifier type to handle SRV, but care would have to be taken to ensure that the specific mechanism for handling SRV is safe, reliable, and does not get in the way of anything else. I'm worried that reusing the existing DNS name identifier type for SRVName SANs would result in a problematic or complex protocol, but maybe there's a way to do it that's simple and robust. I'm guessing that in the long run it would be better to introduce a new identifier type specifically for SRV (where the type is a tuple consisting of a service name and a DNS name, like {"xmpp-client", "company.example"}) and use that type to get SRVName SANs.
Following SRV records means the owner can't prevent cheapxmpp.example from obtaining a certificate in company.example's name. I think the validation protocol should require the name owner to explicitly delegate if delegation is desired. CNAME records can solve that problem.
Yes, that would work. That record could even be a CNAME to some cheapxmpp.example name, and they can resolve the record to whatever ACME client they want. There should still be some way to communicate to the CA that the resulting cert should have
It does require a change: The CA needs to know that these are requests for SRVName SANs. It could assume this from the leading Regardless of the approach, the specific behavior would need to be documented in the protocol spec.
That's should be true for any delegation mechanism. There's no need to remember anything extra when following a redirection. |
The following is a proposal described in the form of an example scenario. In this scenario, I assume:
These are the steps taken to set up the XMPP service with a certificate:
|
This is not on the immediate roadmap, so closing the Boulder issue, but we may consider in the future. |
@jsha Would a concrete proposal (protocol spec and boulder patches) be considered for merging, or does “not in the immediate roadmap” mean “patches aren't welcome”? |
@nbraud The CAB Fourm Baseline regulations disallow There has been some recent movement on changing the rules so SRV-IDs can be used, but until that actually happens I don't think we'll accept any patches that add this feature. |
@rolandshoemaker Oh, thanks. I had a look at the CA/B Baseline Requirements, but missed 7.1.4.2.1 I might have a stab at it (assuming the requirements are changed per proposal in the ballot), but obviously this cannot land in production without the CA/B rule change being effective. |
Don't the CA//B Fourm Baseline regulations apply primarily to the web, not other TLS using protocols and services? |
@Zash the regulations apply to CAs that want to issue certificates for the web. This leads to the unfortunate situation that if LE wants to be accepted by browsers, it must comply with the Baseline regulations and thus must not issue certificates with SRVNames for anybody. |
It's the future, any chance you may reconsider? |
The CABForum Baseline Requirements still prohibit issuance of certificates whose |
Relevant CAB forum issue: cabforum/servercert#268 |
Certificates for certain purposes should contain additional attributes, e.g. for XMPP, cf. this and that. It would be nice if the CA supported issuing certificates containing such attributes from CSRs without stripping the recommended attributes.
This is a follow up issue of certbot/certbot#2032
The text was updated successfully, but these errors were encountered: