Automated Certificate Management Environment (ACME) TLS Application-Layer Protocol Negotiation (ALPN) Challenge Extension
RFC 8737

Note: This ballot was opened for revision 06 and is now closed.

Roman Danyliw Yes

Benjamin Kaduk Yes

Comment (2019-09-30 for -06)
Please respond to the ARTART review; there's some good comments in there
about constraining the permitted TLS versions/algorithms, the specifics
of the acme-tls/1 (non-)protocol, the use of a different certificate
model than RFC 5280, and the (non-)need to complete the TLS handshake.

Section 1

"Because no existing software implements this protocol" is not going to
age well; perhaps an approach more like "Because this protocol does not
build on a preexisting deployment base" would do better.

Section 7

   the provider.  When the TLS SNI challenge was designed it was assumed
   that a user would only be able to respond to TLS traffic via SNI for
   domain names they controlled (i.e. if User A registered Host A and
   User B registered Host B with a service provider that User A wouldn't
   be able to respond to SNI traffic for Host B).  This turns out not to
   be a security property provided by a number of large service
   providers.  [...]

Perhaps I'm misremembering, but I don't think this characterizes exactly
the situation that led to the TLS SNI challenge being deemed
irredeemable: the issues arise when User B *has not yet* registered Host
B, and either the registration validation at the provider was lax or
User A could connive to get into the default-SNI handler.  The *attack*
was possible even when User B has registered Host B, because the
validation used a subdomain, as we discuss below, but here we are
talking about the SNI routing, which needed to be for an unregistered
(or not-validly-registered) name.

(Alexey Melnikov) Yes

(Adam Roach) Yes

Comment (2019-09-30 for -06)
Thanks for all the work that has gone into creating a viable
TLS-based mechanism for ACME validation. I have one fairly
important (yet trivial to fix) comment, and a small number
of editorial suggestions.

I also have read through the ARTART review, and endorse Martin's
comments. Please respond to that review, and incorporate his
suggestions as you feel appropriate.

---------------------------------------------------------------------------

§1:

>  The Automatic Certificate Management Environment (ACME) [RFC8555]
>  standard specifies methods for validating control of domain names via
>  HTTP and DNS.

As a fairly major comment, RFC 8555 is not a standard. See RFCs 2026 and
6410 for details.  Please rephrase this text along the lines of:

   The Automatic Certificate Management Environment (ACME) [RFC8555]
   specification describes methods for validating control of domain names
   via HTTP and DNS.

---------------------------------------------------------------------------

§3:

>  The TLS with Application Layer Protocol Negotiation (TLS ALPN)
>  validation method proves control over a domain name by requiring the
>  client to configure a TLS server to respond to specific connection
>  attempts utilizing the ALPN extension with identifying information.

This took a couple of readings before I understood what it meant.
It might make things clearer if the role of the client were clearer;
e.g., "...by requiring the ACME client to configure a TLS server..."

This is also true throughout much of this section, where "client"
and "server" are used without qualification to talk about ACME
clients and ACME servers. Consider qualifying such instances.

---------------------------------------------------------------------------

§3:

>  The client prepares for validation by constructing a self-signed
>  certificate which MUST contain a acmeIdentifier extension

Nit: "...contain an acmeIdentifier..."

---------------------------------------------------------------------------

§3:

>  3.  The AMCE server initiates a TLS connection to the chosen IP
>      address, this connection MUST use TCP port 443.  The ACME server
>      MUST provide a ALPN extension with the single protocol name
>      "acme-tls/1" and a SNI extension containing only the domain name
>      being validated during the TLS handshake.

Nit: "...chosen IP address. This connection..."

Nit: "...an ALPN..."

Nit: "...an SNI..."

---------------------------------------------------------------------------

§5:

Unlike section 3, this section appears to use unqualified "server"
to mean "HTTPS server" or somesuch, rather than "ACME server".
These *definitely* need to be qualified.

Deborah Brungard No Objection

Alissa Cooper No Objection

Warren Kumari No Objection

Comment (2019-10-01 for -06)
Thank you for this clear, easy to understand and useful document.

Barry Leiba No Objection

Comment (2019-09-26 for -06)
I have only editorial comments below.  No response is needed — please just consider incorporating these, as I think they’ll help make the document clearer.

— Abstract —

   This document specifies a new challenge for the Automated Certificate
   Management Environment (ACME) protocol which allows for domain
   control validation using TLS.

This needs “that” insted of “which”, making the clause restrictive.

— Section 3 —

      Trailing'=' padding
      characters MUST be stripped.

There’s a space missing after “trailing”.

   The client prepares for validation by constructing a self-signed
   certificate which MUST contain a acmeIdentifier extension and a

“That”, not “which”.

       The ACME server
       MUST provide a ALPN extension with the single protocol name
       "acme-tls/1" and a SNI extension containing only the domain name

Change “a” to “an” in both places (unless you realy say “snee” instead of “ess en eye”).

— Section 5 —

   The first assumption is that when a server is being used to serve
   content for multiple DNS names from a single IP address that it
   properly segregates control of those names to the users that own

The second “that” needs to go; the first one covers it.

   a TLS request using a
   SNI value for Host A

Again, “an”, unless…

— Section 7 —

   The TLS ALPN challenge exists to replace the TLS SNI challenge
   defined in the early ACME drafts.  This challenge was convenient for
   service providers who were either operating large TLS layer load

What is the antecedent to “this”?  Is it th ALPN challenge, or the SNI challenge?  I have no idea; please clarify.

   A security issue was discovered in the TLS SNI challenge by Frans
   Rosen which allowed users of various service providers to

The phrasing would be better this way, to avoid separation of the connected parts (the TLS SNI challenge was not by Frans Rosen):

NEW
   A security issue in the TLS SNI challenge was discovered by Frans
   Rosen, which allowed users of various service providers to
END

   (i.e. if User A registered Host A and
   User B registered Host B with a service provider that User A wouldn't
   be able to respond to SNI traffic for Host B).

First, “i.e.” needs a comma after it.  Second, I can’t parse this at all.  Can you please rephrase it so it makes sense?

   This turns out not to
   be a security property provided by a number of large service
   providers.

NEW
   It turns out that a number of large service providers do not
   honor this property.
END

   Because of this users were able to respond to SNI traffic

I’ve ignored a lot of missing commas, but this one really needs one after “this”.

   This meant that if User A and User B had registered Host A and Host B
   respectively User A would be able to claim the SNI name for Host B
   and when the validation connection was made that User A would be able
   to answer, proving 'control' of Host B.

Comma needed both before and after “respectively”, and another after “made”.

— Section 8 —

   and especially Frans
   Rosen who discovered the vulnerability in the TLS SNI method which
   necessitated the writing of this specification.

Add a comma after “Rosen”, and change “which” to “that”.

Alvaro Retana No Objection

Martin Vigoureux No Objection

Éric Vyncke No Objection

Comment (2019-10-02)
Thank you for this well-written and easy to read document. I have only one COMMENT:

Would it be useful to specify the use of "IPv4 or IPv6 address" rather than simply the implicit "address" that I read as  indeed IPv4/IPv6 but being explicit will not hurt.

-éric

Magnus Westerlund No Objection