Hi Gerd,
Thank you for your comments!
On 04/09/2018 13:36, Gerd v. Egidy wrote:
> Hi Alexey,
>
> thanks for working on the "email-reply-00" challenge. I would very much
> welcome a good mechanism to automatically distribute certificates for use with
> S/MIME.
>
> I have two questions / suggestions to your proposal:
>
> 3.2. ACME response email
> -------------------------
>
> You suggest sending the challenge response via email. What is the reason for
> choosing email as the medium for this?
Because we need some way to prove control over the email address. This
means both being able to read emails addressed to it and also being able
to send on behalf of the email address.
> SMTP does allow choosing an arbitrary "From:" address, so just being able to
> send an email with a specific "From:" address alone doesn't prove anything.
This is true, the document needs to add some text about some form of
validation. Possibly DKIM/DMARC. I am still thinking about this, so
maybe better mechanisms are available.
> But sending an email does require specific setup on the client side (like smtp
> relay server, port, login,...) which makes it harder to use an ACME client
> program that is not fully integrated into an email program.
>
> Couldn't the token just be transmitted back to the CA via HTTPS like the rest
> of the ACME protocol?
As per above, I think this is not good enough.
> Challenge email and mail filtering
> -------------------------
>
> If "email-reply-00" becomes popular (I'm hoping it will), it will most
> probably attract scammers who will try to trick users into giving away
> passwords and so on. As the challenge email mostly contains a random token, it
> is not easy for mail filtering gateways to filter out scam emails and let
> legitimate challenge emails through. I think we should design the protocol in
> a way that makes it easy for mail filtering gateways to do the right
> thing:
>
> 1. Every CA should publish (on their webpage or in a specification document) a
> static "From:" address they use when sending their challenges. This could be
> used by gateways for whitelisting purposes.
>
> 2. As simple whitelisting without further checks isn't a good idea, the
> authenticity of the challenge email should be verifiable by the filtering
> gateway.
>
> I propose that the CA should sign all challenge emails with S/MIME to do this.
> As most email programs already automatically check S/MIME signatures, this
> would also allow users of manual acme client programs to verify the
> authenticity of the challenge email.
DKIM/DMARC already deal with some of this, so I think they should be
encouraged in this context. (They are easy to handle in MTAs, as more
support is available).
Supporting S/MIME might be a reasonable alternative as well.
> What do you think?
I am a bit torn between requiring one, the other or even allowing both.
More feedback from the WG would be useful.
Best Regards,
Alexey
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
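The two checks discussed in the thread, modelled together as an added example that is not part of the original messages or of any ACME draft: a filtering gateway that whitelists the CA's published static "From:" address only when the receiving MTA's Authentication-Results header shows DKIM aligned to that domain plus a DMARC pass (Gerd's points 1 and 2, with DKIM/DMARC as Alexey suggests), and the CA-side check that a reply proves both reading the mailbox (the token is echoed back) and authority to send for the address (From: matches and is DKIM/DMARC-aligned). The CA address `acme-challenge@ca.example`, the domains, the `ACME token:` body line and every header below are constructed assumptions; real DKIM verification is delegated to the MTA, which is why only its Authentication-Results header is parsed here.

```python
"""Constructed model of (1) a mail filtering gateway deciding whether an inbound
email-reply challenge is genuinely from the CA and (2) the CA checking that a
reply proves control of the validated address. Nothing here is from a draft."""
import hmac
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Hypothetical static challenge sender a CA would publish (assumption).
CA_CHALLENGE_SENDER = "acme-challenge@ca.example"
# Constructed body format carrying the token (assumption, not the draft's).
TOKEN_RE = re.compile(r"ACME token:\s*([A-Za-z0-9_-]+)")


def parse_auth_results(msg):
    """Parse 'Authentication-Results: authserv; dkim=pass header.d=x; dmarc=pass ...'
    into {method: (result, {prop: value})}. We assume the header was written by
    our own MTA; a real gateway must strip untrusted copies on ingress."""
    header = str(msg.get("Authentication-Results", ""))
    results = {}
    for part in header.split(";")[1:]:          # [0] is the authserv-id
        tokens = part.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(tok.partition("=")[::2] for tok in tokens[1:])
        results[method.lower()] = (result.lower(), props)
    return results


def authenticated_for(msg, domain):
    """True if DKIM passed with d= aligned to `domain` and DMARC passed."""
    res = parse_auth_results(msg)
    dkim, dmarc = res.get("dkim"), res.get("dmarc")
    dkim_ok = (dkim is not None and dkim[0] == "pass"
               and dkim[1].get("header.d", "").lower() == domain.lower())
    dmarc_ok = dmarc is not None and dmarc[0] == "pass"
    return dkim_ok and dmarc_ok


def gateway_verdict(raw):
    """Gateway decision: whitelist the CA sender only when authenticated."""
    msg = message_from_string(raw, policy=default)
    _, sender = parseaddr(str(msg.get("From", "")))
    if sender.lower() != CA_CHALLENGE_SENDER:
        return "not-a-challenge"            # normal filtering applies
    if not authenticated_for(msg, sender.rsplit("@", 1)[1]):
        return "spoofed-challenge"          # From: matches but no DKIM/DMARC
    return "deliver-challenge"


def ca_validates_reply(raw, expected_token, validated_address):
    """CA side: From: is the address under validation, its domain authenticates,
    and the emailed token is echoed back (so the mailbox was actually read)."""
    msg = message_from_string(raw, policy=default)
    _, sender = parseaddr(str(msg.get("From", "")))
    if sender.lower() != validated_address.lower():
        return False
    if not authenticated_for(msg, validated_address.rsplit("@", 1)[1]):
        return False
    body = msg.get_body(preferencelist=("plain",))
    match = TOKEN_RE.search(body.get_content() if body else "")
    return bool(match) and hmac.compare_digest(match.group(1), expected_token)


# Constructed sample messages (headers as a receiving MTA would annotate them).
GENUINE_CHALLENGE = """\
Authentication-Results: mx.client.example; dkim=pass header.d=ca.example; dmarc=pass header.from=ca.example
From: ACME CA <acme-challenge@ca.example>
To: alice@client.example
Subject: ACME challenge
Content-Type: text/plain; charset=utf-8

ACME token: abc123_token
"""
SPOOFED_CHALLENGE = GENUINE_CHALLENGE.replace(
    "dkim=pass header.d=ca.example; dmarc=pass", "dkim=none; dmarc=fail")
UNRELATED_MAIL = GENUINE_CHALLENGE.replace(
    "From: ACME CA <acme-challenge@ca.example>", "From: bob@other.example")
GENUINE_REPLY = """\
Authentication-Results: mx.ca.example; dkim=pass header.d=client.example; dmarc=pass header.from=client.example
From: alice@client.example
To: acme-challenge@ca.example
Subject: Re: ACME challenge
Content-Type: text/plain; charset=utf-8

ACME token: abc123_token
"""
FORGED_REPLY = GENUINE_REPLY.replace(
    "dkim=pass header.d=client.example; dmarc=pass", "dkim=none; dmarc=fail")

if __name__ == "__main__":
    for name in ("GENUINE_CHALLENGE", "SPOOFED_CHALLENGE", "UNRELATED_MAIL"):
        print(name, "->", gateway_verdict(globals()[name]))
    print("genuine reply ->", ca_validates_reply(GENUINE_REPLY, "abc123_token", "alice@client.example"))
    print("forged reply  ->", ca_validates_reply(FORGED_REPLY, "abc123_token", "alice@client.example"))
```

The gateway treats a message claiming the CA's address but failing authentication as more suspicious than ordinary mail, which is what makes the published static sender useful rather than a whitelisting hole; the CA-side check is the same alignment test applied in the other direction, so a forged From: on the reply fails even if the attacker obtained the token some other way.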