I think SPF / DKIM is a more suitable method of verifying authenticity for mails, since these can be verified automatically by most email server software without any plugins. Ergo, a CA **MUST** support SPF as validation method, both for sending and receiving, and a ~ MUST be treated the same as -, ergo hardfail. (Unknown should however be treated the same as a non-existent record, and then it should fall back on DKIM and then SMIME.) And a CA **MAY** also support DKIM and/or SMIME as validation method both for sending and receiving.
This solves both 3.2 and challenge emails. If the CA validates SPF/DKIM/SMIME, you can't forge the From: address. You could also have the CA send a challenge email to the email in question, but this requires rate limiting both on the user @ domain.tld part and also per domain (* @ domain.tld) to prevent becoming a spam problem.

For gateway filtering, I suggest that a couple of static addresses are reserved for this purpose:

acme @ [ca_domain_name].[tld]
abuse @ [ca_domain_name].[tld]
postmaster @ [ca_domain_name].[tld]

This allows gateway filters to automatically support any CA without any extra configuration required on the administrator's end.

-----Original Message-----
From: Acme <[email protected]> On Behalf Of Gerd v. Egidy
Sent: 4 September 2018 14:46
To: [email protected]; Alexey Melnikov <[email protected]>
Subject: Re: [Acme] I-D Action: draft-ietf-acme-email-smime-03.txt

Hi Alexey,

thanks for working on the "email-reply-00" challenge. I would very much welcome a good mechanism to automatically distribute certificates for use with S/MIME.

I have two questions / suggestions to your proposal:

3.2. ACME response email
-------------------------

You suggest to send the challenge response via email. What is the reason for choosing email as medium for this?

SMTP does allow choosing an arbitrary "From:" address, so just being able to send an email with a specific "From:" address alone doesn't prove anything. But sending an email does require specific setup on the client side (like smtp relay server, port, login,...) which makes it harder to use an ACME client program that is not fully integrated into an email program.

Couldn't the token just be transmitted back to the CA via HTTPS like the rest of the ACME protocol?

Challenge email and mail filtering
-------------------------

If "email-reply-00" becomes popular (I'm hoping it will), it will most probably attract scammers which will try to trick users into giving away passwords and so on.

As the challenge email mostly contains a random token, it is not easy for mail filtering gateways to filter out scam emails and let legitimate challenge emails through.

I think we should design the protocol in a way that makes it easy for mail filtering gateways to do the right thing:

1. Every CA should publish (on their webpage or in a specification document) a static "From:" address they use when sending their challenges. This could be used by gateways for whitelisting purposes.

2. As simple whitelisting without further checks isn't a good idea, the authenticity of the challenge email should be verifiable by the filtering gateway. I propose that the CA should sign all challenge emails with S/MIME to do this. As most email programs already automatically check S/MIME signatures, this would also allow users of manual acme client programs to verify the authenticity of the challenge email.

What do you think?

Kind regards,

Gerd

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
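As an added example (not code from this thread, from the ACME drafts or from any CA), here is the SPF part of the policy proposed in the reply above, in Python: an SPF evaluator over a constructed DNS TXT table, followed by the reply's decision rule (softfail treated as hardfail; no usable record falls back to DKIM and then S/MIME). The domains and records in DNS_TXT, and the names check_host, acme_spf_decision and validate_sender, are this example's own; the dkim_ok and smime_ok flags stand in for DKIM and S/MIME verifiers that are not implemented here, and treating neutral and permerror as "unknown" is this example's reading of the reply.

```python
import ipaddress
from typing import Optional

# Constructed stand-in for DNS TXT lookups. All domains here are hypothetical
# (documentation address ranges only); a real evaluator queries DNS instead.
DNS_TXT = {
    "example.org": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example ~all"],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all"],
    "nospf.example": ["site-verification=abc123"],   # TXT present, but no SPF record
    "bad.example": ["v=spf1 ip4:not-an-ip -all"],    # syntactically broken record
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain: str) -> Optional[str]:
    """Return the single SPF record for a domain, or None if there is none.
    RFC 7208 makes multiple SPF records a permerror; this example folds that
    into 'no usable record' as well."""
    records = [r for r in DNS_TXT.get(domain.lower(), []) if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def check_host(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate ip against the domain's SPF record.
    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4, ip6, include and all are implemented; a, mx, ptr and exists need
    live DNS and are reported as permerror in this offline example."""
    if depth > 10:                       # RFC 7208 limit on DNS-querying terms
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        if "=" in term:                  # modifiers (redirect=, exp=) are ignored here
            continue
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        try:
            if mech in ("ip4", "ip6"):
                # an IPv4 address never matches an ip6 network and vice versa
                matched = addr in ipaddress.ip_network(arg, strict=False)
            elif mech == "include":
                inner = check_host(ip, arg, depth + 1)
                if inner == "permerror":
                    return "permerror"
                matched = inner == "pass"   # include matches only on an inner pass
            elif mech == "all":
                matched = True
            else:
                return "permerror"          # unsupported in this example
        except ValueError:               # malformed network or address in the record
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                     # nothing matched and no 'all' term


def acme_spf_decision(result: str) -> str:
    """The rule proposed in the reply: '~' is treated like '-' (hardfail), and
    anything unknown is treated like a missing record, so the CA falls back to
    DKIM and then S/MIME. Mapping neutral/permerror to 'fallback' is this
    example's reading of 'unknown'."""
    if result == "pass":
        return "accept"
    if result in ("fail", "softfail"):
        return "reject"
    return "fallback"                    # none, neutral, permerror


def validate_sender(ip: str, from_addr: str, dkim_ok: bool, smime_ok: bool) -> str:
    """Full chain: SPF decides if it can; otherwise DKIM, then S/MIME.
    dkim_ok / smime_ok stand in for the results of those verifiers."""
    domain = from_addr.rsplit("@", 1)[-1]
    spf = check_host(ip, domain)
    decision = acme_spf_decision(spf)
    if decision != "fallback":
        return f"{decision}:spf:{spf}"
    if dkim_ok:
        return "accept:dkim"
    if smime_ok:
        return "accept:smime"
    return "reject:no-authentication"


if __name__ == "__main__":
    print(validate_sender("192.0.2.5", "alice@example.org", False, False))   # accept:spf:pass
    print(validate_sender("203.0.113.1", "alice@example.org", True, True))   # reject:spf:softfail
    print(validate_sender("203.0.113.1", "bob@nospf.example", True, False))  # accept:dkim
```

Note the second call: under the reply's rule a softfail rejects even though DKIM and S/MIME would both have passed, because "~" is promoted to hardfail and the fallback chain is only consulted when SPF gives no answer. A CA adopting this should decide explicitly whether that is the behaviour it wants for domains that publish "~all" as a transitional policy.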
