> I explicitly stated why fixing #2 would be simpler than fixing #1, you
> are making no factual argument.
It would not be, because you do not understand the constraints of the
servers that exist that are affected or the issue, it would seem.
It would appear you are guessing as to how they work, but they do not work
that way, thus this proposal would not in any way be better.
>
> Which specific "nature of authorization domains" are you referring to?
Read the Baseline Requirements for Authorization Domain Name and how label
pruning work. Your design assumes a single account is associates with a
registerable domain and all its subdomains, but if you read about who the
issue affects, you would see that it precisely affects those who do not
have such a notion of authorized domains to accounts.
I was referring to strict subdomains. So User B would have to give
> permission to User C (e.g. in a control panel or via an admin procedure,
> that's up to the host).
Correct. And these are not the folks affected and thus not why this is
worth discussing further.
>
> User B would also have to give permission (in the same way) for user A
> (or vice versa if user A requested before user B). Again the details
> can be left to the discretion of the host, as long as user C would need
> permission from user B, issue 2 goes away as far as a hypothetical
> improved TLS-SNI-0next using a subdomain of the requested domain is
> concerned.
If and only if Authorization is done by accounts, which it is not, which
means this solves nothing.
> Finally, the assumption there will be fewer of X so it’s easier to fix is,
> > also, counterintuitively false - the fewer there are and the more baroque
> > and complex the solution is, the harder it is to make any assumption
> about
> > adoption uptake.
> >
>
> I am trying to make solutions simpler and less baroque than what Let's
> encrypt is apparently (according to 3rd party posts here) proposing
> namely to introduce a special rule that hosting providers must follow to
> protect their users against the newly discovered vulnerability).
“According to third party posts” - they’ve already made first party
updates. I fail to see what you hope to attain from that comment, but it is
also clear that you don’t understand the constraints - at best, you are
guessing, but speaking as if it’s correct (rather than soliciting feedback
or displaying uncertainty) and ignoring criticism, which is completely
unproductive. Your solution is not a simpler way to mitigate the issue for
providers, and thus provides no value for those affected, while being more
complex and fundamentally a protocol change that no one would be able to
use until they changed clients - which is a design concern that should be
patently obvious that any proposal must address first and foremost.
I am also trying to avoid a solution likely to suffer from a "long tail"
> problem of hosts that won't implement needed fixes anytime soon.
Except it doesn’t do that, and it’s not clear why that isn’t immediately
obvious.
How is it mitigated today in a way that would not stop users from
> uploading a cert for somenumber._
acme.www.example.com on the same host
> where some other user is hosting
www.example.com?
That is the point.
First, that is allowed, today, by a number of providers.
Second, Authorization domain names means you also need to worry about hash._
acme.example.com (note the stripped www). This is further exemplified if
the existing domain is
mail.corp.example.com, and that’s what the attacker
wants. It is legal for CAs to validate at the “
mail.corp.example.com” or
the parents - thus hash._
acme.mail.corp.example.com, hash._
acme.corp.example.com, and hash._
acme.example.com are all valid
authorization domain names in your scheme. To mitigate this, the cloud
provider would need to know to scope authorizations to the BR’s notion of
Authorization Domain Name (namely, the account that uploaded
www.example.com
is valid for all of Example.com).
Third, this is not how the real world works - a number of providers
intentionally allow multiple users to upload certs for
www.example.com (as
DNS will sort it out if these customers are assigned to different IPs, and
first come first served if only one IP). Even without that, they allow the
accounts for
www.example.com and
Corp.example.com to be different, meaning
both have legitimate claim for
example.com above.
Fourth, a underscore for the domain label first character is not valid to
use with A/AAAA (i.e. you propose something not technically valid)
Fifth, this is a new protocol, thus requires new client and server support,
and thus is not at all a relevant or applicable solution that address the
key problem that CAs face with existing customers. This should be
immediately and blatantly obvious.
That said, please do not reply to this criticism - I’ve shown you why it
doesn’t work, but if you want to continue to try to explore ideas that you
believe do work, the proper venue is the ACME mailing list, for the obvious
and previously stated reason of the IP policy.
To be more explicit: Every idea or suggestion you propose on m.d.s.p., for
this issue or others, related or not, is immediately biased against it for
IP reasons. This is not a good venue to discuss your technical ideas, full
stop.
> >
> > The problem in your thinking, which I wasn’t clear enough about I
> suppose,
> > is that those use cases are already met by other validation means and
> > there’s no assumption nor need for TLS-SNI, and while you pose your
> > solution as an improvement, in no way makes it easier or more widespread,
> > and simply limits what it can do and overlaps with other methods.
>
> You are claiming no need for TLS-SNI, without data. Someone obviously
> saw a need to create it, and Let's encrypt said there is sufficient need
> that they are looking for a way to restore that particular service as
> soon as practical.
No. You again misunderstand.
Your proposal is only workable for environments which have existing
alternatives to TLS-SNI, and does not address the set of environments that
TLS-SNI is trying to serve. As mentioned above, it fails to understand what
“restore that particular service” means, or the constraints therein, thus
only serves those that aren’t necessarily affected by this.
It’s a bad proposal, as it tries to sketch an outline for a problem that
isn’t the problem people are looking for a solution for. And it’s presented
with such length and detail, while being wrong in the fundamental
assumptions, that it is not a productive use of folks time.
In short, the “guessing” is the fundamental problem, and it would be better
to ask questions and wait and listen to answers, then it would be to
attempt to sketch out full solutions (in addition to or in lieu of asking
questions)
> In any event, I think if you want to continue to explore that line of
> > thinking, you’re more than free to within the IETF, where you can learn
> > more directly about the requirements rather than construct hypothetical
> > environments.
> >
>
> You always want to send discussions elsewhere.
Because you “always” want to make technical solutions on how you believe
things work. Beyond being more productive to simply ask if things work that
way (without offering solutions), for IP reasons, as previously stated, any
solution you offer is inherently tainted and biased again, and this group
is intentionally not the place for them. Please internalize this, is
anything - this is not a good place for technical discussions about what
you think CAs should do or other people should implement, when talking at
the ecosystem layer. While Mozilla forums are generally excellent places to
discuss changes to Mozilla products (because then only Mozilla assumes the
risk), when you try to design for others, this is not that venue. Hopefully
that is clear now.
>
> > Just reread RFC7301. While it does say that servers SHALL reject such
> >> connections (or at least not send back an ALPN indicating a selected
> >> value, as if not implementing the extension), I find it likely that some
> >> combinations of TLS implementation and application implementation will
> >> blindly accept whatever unknown protocol identifier a client lists as
> >> the only option.
> >
> >
> > That is completely unproductive speculative strawmanning that doesn’t
> allow
> > for productive dialog. More specifically, I do not think it all useful
> for
> > this Forum for the “if I was king, and we assume it works like x, here’s
> > what I would do” is actually at all productive or appropriate. The right
> > venue would be ACME if you wanted to discuss designs, and what is
> relevant
> > here and appropriate is merely a critical evaluation of comparative risk
> to
> > _what the Baselines permit_.
>
> I am talking about which real-world issues (not rules and regulations)
Not a real world issue - a hypothetical issue until shown otherwise, and
thus a straw man.
> might make your (not mine) suggestion of using ALPN insecure.
> Specifically I am /guessing/ at the likelihood of a specific
> implementation bug/detail causing servers affected by the current issue
> to remain equally affected with an ALPN of "acme" added to the probing
> for TLS-SNI-01.
Yes, you are guessing, which is an unproductive reason to reject or
redesign, or to offer a radically different, incomplete, inadequate, and
incompatible solution.
>
> > “I think we shouldn’t allow X, because it introduces condition Y, where
> if
> > met would result in Z, and that is new and unique to this method” is
> useful.
> >
> >>
> >>
>
> I was simply suggesting that your suggested new method X (ALPN "acme")
> would remain affected by the /existing issues/ under discussion if a
> specific issue Y (ALPN ignored or checking deferred beyond duration of
> probe) exists, thus indicating that, subject to checking if Y is
> widespread, your novel suggestion X /might/ be useless. There's no new
> Z.
The problems with this straw man is that it’s no different than saying “If
someone doesn’t implement TCP/IP correctly, this wouldn’t be able to
connect to them.” It’s not new information or useful contributions to
imagine folks that don’t implement the spec correctly, because their issue
is not with this, it’s that they don’t implement the ALPN spec correctly.
If you can’t talk to someone because they didn’t implement TCP/IP
correctly, the “issue” is not that you need to connect to someone, the
issue is they didn’t implement properly.
It’s an unnecessary speculation without effort for evidence and a violation
of the spec’d behavior. One of the many purposes of specs is to give us a
shared vocabulary for discussing and building solutions, so speculation
without evidence of spec violating behavior only serves to derail the very
conversation specs are trying to enable.
In the part of my post that you conveniently snipped, I explained why
> your suggestion of using an ALPN to prevent old web servers from
> accepting a hypothetical TLS-SNI-future would be detrimental to real
> world non-vulnerable implementations of ACME clients (Specifically all
> those using a standalone program such as Certbot). That part contained
> to hypotheticals at all.
The problem is that your solution doesn’t actually allow for clients to
continue to work as before. They would need to change (to change the SNI
they configure that the server will expect). As such, only servers that
update can use your method - the same as only servers that update can use
what I was proposing. You don’t get free backwards compat (among the many
other technical flaws).
The problem with your solution is that even if servers update, it doesn’t
address the vulnerability. I agree that the solution offered also wouldn’t
address the vulnerability if servers implement specs incorrectly. However,
at that point, the issue isn’t the proposal - it’s that a server didn’t
implement s spec correctly. And this is only relevant to actual evidence of
that, since no one knows what hypothetical spec violating servers might
have done incorrectly, while evidence of spec violation actually provides
concrete data that can then be discussed, evaluated, and worked around.
Absent that, it merely derails conversation.