draft-ietf-acme-tls-alpn-07.txt   rfc8737.txt 
ACME Working Group R. Shoemaker Internet Engineering Task Force (IETF) R.B. Shoemaker
Internet-Draft ISRG Request for Comments: 8737 ISRG
Intended status: Standards Track October 01, 2019 Category: Standards Track February 2020
Expires: April 3, 2020 ISSN: 2070-1721
ACME TLS ALPN Challenge Extension Automated Certificate Management Environment (ACME) TLS
draft-ietf-acme-tls-alpn-07 Application-Layer Protocol Negotiation (ALPN) Challenge Extension
Abstract Abstract
This document specifies a new challenge for the Automated Certificate This document specifies a new challenge for the Automated Certificate
Management Environment (ACME) protocol that allows for domain control Management Environment (ACME) protocol that allows for domain control
validation using TLS. validation using TLS.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
This Internet-Draft will expire on April 3, 2020. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8737.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology
3. TLS with Application Layer Protocol Negotiation (TLS ALPN) 3. TLS with Application-Layer Protocol Negotiation (TLS ALPN)
Challenge . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Challenge
4. acme-tls/1 Protocol Definition . . . . . . . . . . . . . . . 5 4. acme-tls/1 Protocol Definition
5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 5. Security Considerations
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 6. IANA Considerations
6.1. SMI Security for PKIX Certificate Extension OID . . . . . 6 6.1. SMI Security for PKIX Certificate Extension OID
6.2. ALPN Protocol ID . . . . . . . . . . . . . . . . . . . . 6 6.2. ALPN Protocol ID
6.3. ACME Validation Method . . . . . . . . . . . . . . . . . 7 6.3. ACME Validation Method
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 7. Normative References
8. Normative References . . . . . . . . . . . . . . . . . . . . 7 Appendix A. Design Rationale
Appendix A. Design Rationale . . . . . . . . . . . . . . . . . . 9 Acknowledgments
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10 Author's Address
1. Introduction 1. Introduction
The Automatic Certificate Management Environment (ACME) [RFC8555] The Automatic Certificate Management Environment (ACME) [RFC8555]
specification describes methods for validating control of domain specification describes methods for validating control of domain
names via HTTP and DNS. Deployment experience has shown it is also names via HTTP and DNS. Deployment experience has shown it is also
useful to be able to validate domain control using the TLS layer useful to be able to validate domain control using the TLS layer
alone. In particular, this allows hosting providers, CDNs, and TLS- alone. In particular, this allows hosting providers, Content
terminating load balancers to validate domain control without Distribution Networks (CDNs), and TLS-terminating load balancers to
modifying the HTTP handling behavior of their backends. validate domain control without modifying the HTTP handling behavior
of their backends.
This document specifies a new TLS-based challenge type, tls-alpn-01. This document specifies a new TLS-based challenge type, tls-alpn-01.
This challenge requires negotiating a new application-layer protocol This challenge requires negotiating a new application-layer protocol
using the TLS Application-Layer Protocol Negotiation (ALPN) Extension using the TLS Application-Layer Protocol Negotiation (ALPN) Extension
[RFC7301]. Because this protocol does not build on a preexisting [RFC7301]. Because this protocol does not build on a pre-existing
deployment base, the ability to fulfill tls-alpn-01 challenges is deployment base, the ability to complete tls-alpn-01 challenges
effectively opt-in. A service provider must proactively deploy new requires changes by service providers, making it explicitly an opt-in
code in order to implement tls-alpn-01, so we can specify stronger process. Because service providers must proactively deploy new code
controls in that code, resulting in a stronger validation method. in order to implement tls-alpn-01, we can specify stronger controls
in that code, resulting in a stronger validation method.
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in
14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
3. TLS with Application Layer Protocol Negotiation (TLS ALPN) Challenge 3. TLS with Application-Layer Protocol Negotiation (TLS ALPN) Challenge
The TLS with Application Layer Protocol Negotiation (TLS ALPN) The TLS with Application-Layer Protocol Negotiation (TLS ALPN)
validation method proves control over a domain name by requiring the validation method proves control over a domain name by requiring the
ACME client to configure a TLS server to respond to specific ACME client to configure a TLS server to respond to specific
connection attempts using the ALPN extension with identifying connection attempts using the ALPN extension with identifying
information. The ACME server validates control of the domain name by information. The ACME server validates control of the domain name by
connecting to a TLS server at one of the addresses resolved for the connecting to a TLS server at one of the addresses resolved for the
domain name and verifying that a certificate with specific content is domain name and verifying that a certificate with specific content is
presented. presented.
The tls-alpn-01 ACME challenge object has the following format: The tls-alpn-01 ACME challenge object has the following format:
type (required, string): The string "tls-alpn-01" type (required, string): The string "tls-alpn-01"
token (required, string): A random value that uniquely identifies token (required, string): A random value that uniquely identifies
the challenge. This value MUST have at least 128 bits of entropy. the challenge. This value MUST have at least 128 bits of entropy.
It MUST NOT contain any characters outside the base64url alphabet It MUST NOT contain any characters outside the base64url alphabet
as described in [RFC4648] Section 5. Trailing '=' padding as described in Section 5 of [RFC4648]. Trailing '=' padding
characters MUST be stripped. See [RFC4086] for additional characters MUST be stripped. See [RFC4086] for additional
information on randomness requirements. information on randomness requirements.
The client prepares for validation by constructing a self-signed The client prepares for validation by constructing a self-signed
certificate that MUST contain an acmeIdentifier extension and a certificate that MUST contain an acmeIdentifier extension and a
subjectAlternativeName extension [RFC5280]. The subjectAlternativeName extension [RFC5280]. The
subjectAlternativeName extension MUST contain a single dNSName entry subjectAlternativeName extension MUST contain a single dNSName entry
where the value is the domain name being validated. The where the value is the domain name being validated. The
acmeIdentifier extension MUST contain the SHA-256 digest [FIPS180-4] acmeIdentifier extension MUST contain the SHA-256 digest [FIPS180-4]
of the key authorization [RFC8555] for the challenge. The of the key authorization [RFC8555] for the challenge. The
skipping to change at page 3, line 50 skipping to change at line 136
id-pe-acmeIdentifier OBJECT IDENTIFIER ::= { id-pe 31 } id-pe-acmeIdentifier OBJECT IDENTIFIER ::= { id-pe 31 }
The extension has the following ASN.1 [X.680] format : The extension has the following ASN.1 [X.680] format :
Authorization ::= OCTET STRING (SIZE (32)) Authorization ::= OCTET STRING (SIZE (32))
The extnValue of the id-pe-acmeIdentifier extension is the ASN.1 DER The extnValue of the id-pe-acmeIdentifier extension is the ASN.1 DER
encoding [X.690] of the Authorization structure, which contains the encoding [X.690] of the Authorization structure, which contains the
SHA-256 digest of the key authorization for the challenge. SHA-256 digest of the key authorization for the challenge.
Once this certificate has been created it MUST be provisioned such Once this certificate has been created, it MUST be provisioned such
that it is returned during a TLS handshake where the "acme-tls/1" that it is returned during a TLS handshake where the "acme-tls/1"
application-layer protocol has been negotiated and a Server Name application-layer protocol has been negotiated and a Server Name
Indication (SNI) extension [RFC6066] has been provided containing the Indication (SNI) extension [RFC6066] has been provided containing the
domain name being validated. domain name being validated.
A client responds by POSTing an empty JSON object ({}) to the A client responds by POSTing an empty JSON object ({}) to the
challenge URL to acknowledge that the challenge is ready to be challenge URL to acknowledge that the challenge is ready to be
validated by the server. The base64url encoding of the protected validated by the server. The base64url encoding of the protected
headers and payload is described in [RFC8555] Section 6.1. headers and payload is described in Section 6.1 of [RFC8555].
POST /acme/authz/1234/1 POST /acme/authz/1234/1
Host: example.com Host: example.com
Content-Type: application/jose+json Content-Type: application/jose+json
{ {
"protected": base64url({ "protected": base64url({
"alg": "ES256", "alg": "ES256",
"kid": "https://example.com/acme/acct/1", "kid": "https://example.com/acme/acct/1",
"nonce": "JHb54aT_KTXBWQOzGYkt9A", "nonce": "JHb54aT_KTXBWQOzGYkt9A",
"url": "https://example.com/acme/authz/1234/1" "url": "https://example.com/acme/authz/1234/1"
}), }),
"payload": base64url({}), "payload": base64url({}),
"signature": "Q1bURgJoEslbD1c5...3pYdSMLio57mQNN4" "signature": "Q1bURgJoEslbD1c5...3pYdSMLio57mQNN4"
} }
On receiving this request from a client the server constructs and On receiving this request from a client, the server constructs and
stores the key authorization from the challenge "token" value and the stores the key authorization from the challenge "token" value and the
current client account key. current client account key.
The server then verifies the client's control over the domain by The server then verifies the client's control over the domain by
verifying that the TLS server was configured as expected using the verifying that the TLS server was configured as expected using the
following steps: following steps:
1. The ACME server computes the expected SHA-256 digest of the key 1. The ACME server computes the expected SHA-256 digest of the key
authorization. authorization.
skipping to change at page 5, line 14 skipping to change at line 196
negotiated (and that the ALPN extension contained only the value negotiated (and that the ALPN extension contained only the value
"acme-tls/1") and that the certificate returned contains: "acme-tls/1") and that the certificate returned contains:
* a subjectAltName extension containing the dNSName being * a subjectAltName extension containing the dNSName being
validated and no other entries validated and no other entries
* a critical acmeIdentifier extension containing the expected * a critical acmeIdentifier extension containing the expected
SHA-256 digest computed in step 1 SHA-256 digest computed in step 1
The comparison of dNSNames MUST be case insensitive [RFC4343]. Note The comparison of dNSNames MUST be case insensitive [RFC4343]. Note
that as ACME doesn't support Unicode identifiers all dNSNames MUST be that as ACME doesn't support Unicode identifiers, all dNSNames MUST
encoded using [RFC3492] rules. be encoded using the rules of [RFC3492].
If all of the above steps succeed then the validation is successful, If all of the above steps succeed, then the validation is successful.
otherwise it fails. Otherwise, it fails.
4. acme-tls/1 Protocol Definition 4. acme-tls/1 Protocol Definition
The "acme-tls/1" protocol MUST only be used for validating ACME tls- The "acme-tls/1" protocol MUST only be used for validating ACME tls-
alpn-01 challenges. The protocol consists of a TLS handshake in alpn-01 challenges. The protocol consists of a TLS handshake in
which the required validation information is transmitted. The "acme- which the required validation information is transmitted. The "acme-
tls/1" protocol does not carry application data, once the handshake tls/1" protocol does not carry application data. Once the handshake
is completed the client MUST NOT exchange any further data with the is completed, the client MUST NOT exchange any further data with the
server and MUST immediately close the connection. While this server and MUST immediately close the connection. While this
protocol uses X.509 certificates, it does not use the authentication protocol uses X.509 certificates, it does not use the authentication
method described in [RFC5280] and as such does not require a valid method described in [RFC5280] and, as such, does not require a valid
signature on the provided certificate nor require the TLS handshake signature on the provided certificate nor require the TLS handshake
to complete successfully. An ACME server may wish to use an off the to complete successfully. An ACME server may wish to use an off-the-
shelf TLS stack where it is not simple to allow these divergences in shelf TLS stack where it is not simple to allow these divergences in
the protocol as defined. Because of this, an ACME server MAY choose the protocol as defined. Because of this, an ACME server MAY choose
to withhold authorization if either the certificate signature is to withhold authorization if either the certificate signature is
invalid or the handshake doesn't fully complete. invalid or the handshake doesn't fully complete.
ACME servers that implement "acme-tls/1" MUST only negotiate TLS 1.2 ACME servers that implement "acme-tls/1" MUST only negotiate TLS 1.2
[RFC5246] or higher when connecting to clients for validation. [RFC5246] or higher when connecting to clients for validation.
5. Security Considerations 5. Security Considerations
The design of this challenge relies on some assumptions centered The design of this challenge relies on some assumptions centered
around how a HTTPS server behaves during validation. around how an HTTPS server behaves during validation.
The first assumption is that when a HTTPS server is being used to The first assumption is that when an HTTPS server is being used to
serve content for multiple DNS names from a single IP address it serve content for multiple DNS names from a single IP address, it
properly segregates control of those names to the users that own properly segregates control of those names to the users that own
them. This means that if User A registers Host A and User B them. This means that if User A registers Host A and User B
registers Host B the HTTPS server should not allow a TLS request registers Host B, the HTTPS server should not allow a TLS request
using an SNI value for Host A to be served by User B or a TLS using an SNI value for Host A to be served by User B or a TLS
connection with a server_name extension identifying Host B to be connection with a server_name extension identifying Host B to be
answered by User A. If the HTTPS server allows User B to serve this answered by User A. If the HTTPS server allows User B to serve this
request it allows them to illegitimately validate control of Host A request, it allows them to illegitimately validate control of Host A
to the ACME server. to the ACME server.
The second assumption is that a server will not violate [RFC7301] by The second assumption is that a server will not violate [RFC7301] by
blindly agreeing to use the "acme-tls/1" protocol without actually blindly agreeing to use the "acme-tls/1" protocol without actually
understanding it. understanding it.
To further mitigate the risk of users claiming domain names used by To further mitigate the risk of users claiming domain names used by
other users on the same infrastructure hosting providers, CDNs, and other users on the same infrastructure hosting providers, CDNs, and
other service providers SHOULD NOT allow users to provide their own other service providers SHOULD NOT allow users to provide their own
certificates for the TLS ALPN validation process. If providers wish certificates for the TLS ALPN validation process. If providers wish
to implement TLS ALPN validation they SHOULD only generate to implement TLS ALPN validation, they SHOULD only generate
certificates used for validation themselves and not expose this certificates used for validation themselves and not expose this
functionality to users. functionality to users.
The extensions to the ACME protocol described in this document build The extensions to the ACME protocol described in this document build
upon the Security Considerations and threat model defined in upon the Security Considerations and threat model defined in
[RFC8555] Section 10.1. Section 10.1 of [RFC8555].
6. IANA Considerations 6. IANA Considerations
[[RFC Editor: please replace I-D.ietf-acme-tls-alpn below by the RFC
number.]]
6.1. SMI Security for PKIX Certificate Extension OID 6.1. SMI Security for PKIX Certificate Extension OID
Within the SMI-numbers registry, the "SMI Security for PKIX Within the "Structure of Management Information (SMI) Numbers (MIB
Certificate Extension (1.3.6.1.5.5.7.1)" table is to be updated to Module Registrations)" registry, the following entry has been added
add the following entry: to the "SMI Security for PKIX Certificate Extension"
(1.3.6.1.5.5.7.1) table.
+---------+----------------------+------------------------+ +---------+----------------------+------------+
| Decimal | Description | References | | Decimal | Description | References |
+---------+----------------------+------------------------+ +=========+======================+============+
| 31 | id-pe-acmeIdentifier | I-D.ietf-acme-tls-alpn | | 31 | id-pe-acmeIdentifier | RFC 8737 |
+---------+----------------------+------------------------+ +---------+----------------------+------------+
Table 1
6.2. ALPN Protocol ID 6.2. ALPN Protocol ID
Within the Transport Layer Security (TLS) Extensions registry, the Within the "Transport Layer Security (TLS) Extensions" registry, the
"Application-Layer Protocol Negotiation (ALPN) Protocol IDs" table is following entry has been added to the "TLS Application-Layer Protocol
to be updated to add the following entry: Negotiation (ALPN) Protocol IDs" table.
+------------+-----------------------------+------------------------+ +------------+------------------------------------+-----------+
| Protocol | Identification Sequence | Reference | | Protocol | Identification Sequence | Reference |
+------------+-----------------------------+------------------------+ +============+====================================+===========+
| acme-tls/1 | 0x61 0x63 0x6d 0x65 0x2d | I-D.ietf-acme-tls-alpn | | acme-tls/1 | 0x61 0x63 0x6d 0x65 0x2d 0x74 0x6c | RFC 8737 |
| | 0x74 0x6c 0x73 0x2f 0x31 | | | | 0x73 0x2f 0x31 ("acme-tls/1") | |
| | ("acme-tls/1") | | +------------+------------------------------------+-----------+
+------------+-----------------------------+------------------------+
6.3. ACME Validation Method Table 2
The "ACME Validation Methods" registry is to be updated to include 6.3. ACME Validation Method
the following entry:
+-------------+-----------------+------+------------------------+ Within the "Automated Certificate Management Environment (ACME)
| Label | Identifier Type | ACME | Reference | Protocol" registry, the following entry has been added to the "ACME
+-------------+-----------------+------+------------------------+ Validation Methods" registry.
| tls-alpn-01 | dns | Y | I-D.ietf-acme-tls-alpn |
+-------------+-----------------+------+------------------------+
7. Acknowledgements +-------------+-----------------+------+-----------+
| Label | Identifier Type | ACME | Reference |
+=============+=================+======+===========+
| tls-alpn-01 | dns | Y | RFC 8737 |
+-------------+-----------------+------+-----------+
The author would like to thank all those whom have provided design Table 3
insights and editorial review of this document, including Richard
Barnes, Ryan Hurst, Adam Langley, Ryan Sleevi, Jacob Hoffman-Andrews,
Daniel McCarney, Marcin Walas, Martin Thomson and especially Frans
Rosen, who discovered the vulnerability in the TLS SNI method that
necessitated the writing of this specification.
8. Normative References 7. Normative References
[FIPS180-4] [FIPS180-4]
Department of Commerce, National., "NIST FIPS 180-4, National Institute of Standards and Technology (NIST),
Secure Hash Standard", March 2012, "Secure Hash Standard (SHS)", FIPS PUB 180-4,
<http://csrc.nist.gov/publications/fips/fips180-4/ DOI 10.6028/NIST.FIPS.180-4, August 2015,
fips-180-4.pdf>. <https://nvlpubs.nist.gov/nistpubs/FIPS/
NIST.FIPS.180-4.pdf>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3492] Costello, A., "Punycode: A Bootstring encoding of Unicode [RFC3492] Costello, A., "Punycode: A Bootstring encoding of Unicode
for Internationalized Domain Names in Applications for Internationalized Domain Names in Applications
(IDNA)", RFC 3492, DOI 10.17487/RFC3492, March 2003, (IDNA)", RFC 3492, DOI 10.17487/RFC3492, March 2003,
<https://www.rfc-editor.org/info/rfc3492>. <https://www.rfc-editor.org/info/rfc3492>.
skipping to change at page 9, line 5 skipping to change at line 363
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8555] Barnes, R., Hoffman-Andrews, J., McCarney, D., and J. [RFC8555] Barnes, R., Hoffman-Andrews, J., McCarney, D., and J.
Kasten, "Automatic Certificate Management Environment Kasten, "Automatic Certificate Management Environment
(ACME)", RFC 8555, DOI 10.17487/RFC8555, March 2019, (ACME)", RFC 8555, DOI 10.17487/RFC8555, March 2019,
<https://www.rfc-editor.org/info/rfc8555>. <https://www.rfc-editor.org/info/rfc8555>.
[X.680] International Telecommunication Union, ., "Information [X.680] ITU-T, "Information technology -- Abstract Syntax Notation
technology -- Abstract Syntax Notation One (ASN.1): One (ASN.1): Specification of basic notation", ITU-T
Specification of basic notation", 2015, Recommendation X.680, ISO/IEC 8824-1:2015, August 2015,
<https://www.itu.int/ITU-T/studygroups/com17/languages/ <https://www.itu.int/rec/T-REC-X.680-201508-I/en>.
X.680-0207.pdf>.
[X.690] International Telecommunication Union, ., "Information [X.690] ITU-T, "Information Technology -- ASN.1 encoding rules:
Technology -- ASN.1 encoding rules: Specification of Basic Specification of Basic Encoding Rules (BER), Canonical
Encoding Rules (BER), Canonical Encoding Rules (CER) and Encoding Rules (CER) and Distinguished Encoding Rules
Distinguished Encoding Rules (DER)", 2015, (DER)", ITU-T Recommendation X.690, ISO/IEC 8825-1:2015,
<https://www.itu.int/ITU-T/studygroups/com17/languages/ August 2015,
X.690-0207.pdf>. <https://www.itu.int/rec/T-REC-X.690-201508-I/en>.
Appendix A. Design Rationale Appendix A. Design Rationale
The TLS ALPN challenge exists to iterate on the TLS SNI challenge The TLS ALPN challenge exists to iterate on the TLS SNI challenge
defined in the early ACME drafts. The TLS SNI challenge was defined in the early ACME drafts. The TLS SNI challenge was
convenient for service providers who were either operating large TLS convenient for service providers who were either operating large TLS-
layer load balancing systems at which they wanted to perform layer load balancing systems at which they wanted to perform
validation or running servers fronting large numbers of DNS names validation or running servers fronting large numbers of DNS names
from a single host as it allowed validation purely within the TLS from a single host as it allowed validation purely within the TLS
layer. The value provided by the TLS SNI challenge was considered layer. The value provided by the TLS SNI challenge was considered
large enough that this document was written in order to provide a new large enough that this document was written in order to provide a new
challenge type that addressed the existing security concerns. challenge type that addressed the existing security concerns.
A security issue in the TLS SNI challenge was discovered by Frans A security issue in the TLS SNI challenge was discovered by Frans
Rosen, which allowed users of various service providers to Rosen, which allowed users of various service providers to
illegitimately validate control of the DNS names of other users of illegitimately validate control of the DNS names of other users of
the provider. When the TLS SNI challenge was designed it was assumed the provider. When the TLS SNI challenge was designed, it was
that a user would only be able to respond to TLS traffic via SNI for assumed that a user would only be able to respond to TLS traffic via
domain names they had registered with a service provider (i.e., if a SNI for domain names they had registered with a service provider
user registered 'a.example' they would only be able to respond to SNI (i.e., if a user registered 'a.example', they would only be able to
requests for 'a.example' and not for SNI requests for 'b.example'). respond to SNI requests for 'a.example' and not for SNI requests for
It turns out that a number of large service providers do not honor 'b.example'). It turns out that a number of large service providers
this property. Because of this, users were able to respond to SNI do not honor this property. Because of this, users were able to
requests for the names used by the TLS SNI challenge validation respond to SNI requests for the names used by the TLS SNI challenge
process. This meant that if User A and User B had registered Host A validation process. This meant that (1) if User A and User B had
and Host B, respectively, User A would be able to claim the registered Host A and Host B, respectively, User A would be able to
constructed SNI challenge name for Host B and when the validation claim the constructed SNI challenge name for Host B, and (2) when the
connection was made that User A would be able to answer, proving validation connection was made, User A would be able to answer,
'control' of Host B. As the SNI name used was a subdomain of the thereby proving 'control' of Host B. As the SNI name used was a
domain name being validated, rather than the domain name itself, it subdomain of the domain name being validated, rather than the domain
was likely to not already be registered with the service provider for name itself, it was likely to not already be registered with the
traffic routing, making it much easier for a hijack to occur. service provider for traffic routing, making it much easier for a
hijack to occur.
Acknowledgments
The author would like to thank all those that provided design
insights and editorial review of this document, including Richard
Barnes, Ryan Hurst, Adam Langley, Ryan Sleevi, Jacob Hoffman-Andrews,
Daniel McCarney, Marcin Walas, Martin Thomson, and especially Frans
Rosen, who discovered the vulnerability in the TLS SNI method that
necessitated the writing of this specification.
Author's Address Author's Address
Roland Bracewell Shoemaker Roland Bracewell Shoemaker
Internet Security Research Group Internet Security Research Group
Email: roland@letsencrypt.org Email: roland@letsencrypt.org
 End of changes. 43 change blocks. 
133 lines changed or deleted 137 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/