Hello,
Google Trust Services is considering issuing IP address certificates for its subscribers via ACME.
Although the BRs permit the issuance of IP certificates, a number of concerns have been raised in the past highlighting that IP address validation can be less secure than domain validation. There are some conversations on this topic here https://lists.cabforum.org/pipermail/validation/2018-January/000712.html. Given this is not a common practice at this time we thought it would be useful to seek the communities feedback topic.
We believe the primary risk is that IP addresses can be assigned dynamically, a practice that is very common. This can lead to BygoneSSL (https://insecure.design/) type problems, and these are even more likely to occur in the context of IP address certificates because a change in the control of an IP address can be much more frequent than a change in the control of a domain name.
We have considered a number of mitigation strategies. One would be to limit the re-use of IP address validation information to a very short period, for example 8 hours. This would mitigate the risk of issuance for an IP that is not under the control of the subscriber during a renewal.
An accompanying control would be to limit the validity period of such certificates to a short period, for example, 7 days. Those two controls combined limit the maximum period that a certificate may be valid for an IP that is not under the control of the subscriber to a little bit less than 7 days and 8 hours.
Another control that we have considered is limiting issuance of IP certificates to specific subscribers. This way we can define allow lists of IP addresses that each subscriber can issue IP address certificates for, after they have provided proof of assignment by the IANA or a Regional Internet Registry. This has challenges due to the quality of those registries though.
Any thoughts from the community and root programs on this topic would be greatly appreciated.
Ryan Hurst
Google Trust Services
On Tue, Jul 13, 2021 at 12:34 PM Matthew Hardeman <mhar...@gmail.com> wrote:
> At least in as far as the two largest RIRs are concerned, there's a mechanism for the proper "owners" of the IP space to control the DNS delegation for the zones that are authoritatively the "reverse" zones for the IP space.
Could you be more explicit here about which two you're thinking of? I
think most network engineers would agree that the reverse zone lookups
are highly unreliable to reflect the actual deployed reality. That is,
I can understand and appreciate your focus on RIRs, but when
considering LIRs and other stakeholders, the reverse zones do not, in
practice, reflect the operational deployment.
> The entirety of proof-of-control/proof-of-ownership in the WebPKI is otherwise aligned to ground-truth from DNS. Why would a TXT record & CAA record check of the appropriate "reverse" zone not convey similar assurance?
There is past discussion in the CA/B Forum about this. Before
rehashing all this, it may be more useful if you can provide more
supporting details why you believe it _would_ be acceptable (as
remarked above).
That said, I'm not sure I understand the purpose of your question. You
seem to be speaking to the method of validation, which 3.2.2.5 of the
BRs addresses, but that seems orthogonal to Ryan Hurst's original
question.
> Another (though more convoluted) way to align to IP address rights of use would be to come up with a challenge based on some sort of contrived ROA signed by a certificate chaining to one of the RIR RPKI anchors, but this would be unwieldy even for the majority of those networks who have deployed RPKI because by a LARGE margin, most network operators have allowed the RIRs signing & issuing infrastructure to manage their RPKI certificates and signing function. It seems unlikely that a lot of network operators would want to stand up an in-house RPKI CA in order to gain the ability to sign a challenge of this sort.
I'm not sure why you say "more convoluted" here (compared to... what?
And what are your priorities that you're optimizing for).
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAErg%3DHECxket0DOObX3PL0YvJQ2%3D%2BTrupDzWUZuZ7Qw2GsbNww%40mail.gmail.com.
4. As Matthew pointed out, RPKI should really be a last resort option as it is unlikely to work for most as pretty much everyone (except maybe the tech/network giants) will be using hosted RPKI* and can't issue anything except normal ROAs. (* = PKI hosted and managed by the RIR/NIR)
In my opinion, RPKI is the most secure option as it secures far more critical things but will be an infeasible option for pretty much anyone as even the people using delegated RPKI are not using inhouse custom software for it.I would consider abuse contact information to be an easy (but manual) method of validation.I think combining abuse contact email and reverse DNS TXT validation is far more secure than many current practices for domain issuance and for both to be invalidly directed at a malicious party in this way seems unlikely and would probably often violate RIR policy.
1. I think you have to trust some piece of information given by the RIR and you should look at what that piece of information is rather than trying to remove RIRs from this equation.
5. While Reverse DNS is not normally used for very critical data and the data could sometimes be stale, I would imagine that being quite rare for NS delegations and is mostly just the PTR records themselves.
Thanks for chiming in! I do think we might be narrowly focusing on a small point of the overall discussion, and while I do believe it's important and worth resolving at some point, I don't know that it's critical we resolve it now.
I think this reply may be making some assumptions about my concerns that I've not at all stated on this thread, and thus perhaps leading to an incorrect conclusion.The reply here seems to assume my concern is "You can't trust ARIN", but that couldn't be further from the truth. Rather, the deployed reality is that multiple parties are frequently involved in the IP routing - this is why, for example, RPKI isn't simply "flat" at one level - and the issue is that in order for a reverse DNS solution to be acceptable, every party in the chain needs to perfectly execute, and the incentives are simply not there. For example, ARIN assigns a block of IPs to Entity Foo, who is a provider for Entity Bar, who then further delegates to customers Baz, Bat, and Quux. For Quux to be secure, you need Foo and Bar to perfectly execute. And if those IPs are later reassigned from Quux to Baz, if Bar doesn't maintain that information/disclosure, things fall apart.To reiterate: I'm not trying to remove RIRs from the equation; if anything, I'm trying to highlight that RIRs are the only entities you can trust (even if not all RIRs are equal here, such is life), but the moment you introduce the complex relationships and subordination, naive solutions that make execution security critical fall apart.
On Tue, Jul 13, 2021 at 3:58 PM Ryan Hurst <r...@google.com> wrote:
> As for why customers have told us they use IP address WebPKI certificates, so far I would say the use cases fall into one of two categories. The first being cases where the server is being accessed by a browser for cases where latency is very important, for example in streaming. The second being cases like DoH were the identity of the server IS the IP address. These are both legitimate concerns from our perspective and we do believe all certificate lifecycle should be automated so we would like to support them if it is reasonable to do so.I'm hoping you can expand with more detail here. You are correct that automation is a very positive goal, but as you've also highlighted, there's concerns about potentially needing to restrict who can obtain such certificates. For example, if it was "just" for DoH, we're talking a number of certs that I could (at present) count with my digits, and likely for the next ten years, count based on the number of bottles of beer on the wall.
So the former case is perhaps more interesting, and non-obvious why an IP address certificate is at all desirable from a security/risk perspective. It's unclear, for example, if the suggestion of latency is saying "DNS latency is too slow for this use case" - which certainly seems like it deserves some empirical data and detail. Further, the description of spun-up/spun-down VMs does seem to fit the very risk model that folks have been concerned with allowing IP certificates to exist at all: the fact that the same IP address can refer to the same operating entity (e.g. Google Cloud's ARIN-assigned network block), but different logical entities (different customer tenants), potentially in ways that allow for confused deputy attacks (noting that some have been in the news recently regarding GCP and private-use IP addresses).
In particular, I'm hoping we can save the discussion about TXT in the reverse zone for a separate discussion, both noting it's been discussed in the past and it's a broader topic, because I don't think that's strictly germane to the questions at play here.
Also do note that you have the same thing with the same parties in RPKI.
This process is almost never properly supported. Getting a reverse
classless delegation as per RFC 2317 is really difficult.
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/YO80VxgyuNoubXh3%40snel.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAKw1M3MiNbC9cA__WwCFbeEsZo8u0HZs2jiiA5m1MwXk%3DL7WoA%40mail.gmail.com.