Internet DRAFT - draft-pepanbur-acme-proxy
draft-pepanbur-acme-proxy
Network Working Group P. Panburana
Internet-Draft M. Pritikin
Intended status: Standards Track P. Beal
Expires: April 21, 2016 Cisco
October 19, 2015
ACME Proxy Mode of Operation
draft-pepanbur-acme-proxy-00
Abstract
This document proposes an addition to the Automatic Certificate
Management Environment (ACME) draft describing the ability for a
publicly facing ACME client to operate as an enrollment proxy for
hosts on its private network as defined by [RFC1918] and [RFC4193].
ACME clients acting as a proxy are identified using the cmcRA flag
[RFC6402].
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 21, 2016.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Panburana, et al. Expires April 21, 2016 [Page 1]
Internet-Draft ACME Proxy October 2015
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 2
2. Proposed Operation . . . . . . . . . . . . . . . . . . . . . 2
2.1. Automated ACME Proxy Registration . . . . . . . . . . . . 2
2.2. Client Enrollment via ACME Proxy . . . . . . . . . . . . 5
3. Security Considerations . . . . . . . . . . . . . . . . . . . 6
4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
5. Normative References . . . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction
Currently, there is no clear path for hosts behind a private network
[RFC1918][RFC4193] to enroll for a certificate with a public ACME CA
(namely Let's Encrypt) [ACME]. Also, hosts behind a private network
do not possess the ability or information to be able to respond to
ACME proofs issued by a public ACME CA. This document describes the
proposed operation of an ACME proxy placed at the border of a network
to enroll for certificates with a public ACME CA on behalf of hosts
on its private network. Through the use of the cmcRA extended key
usage bit defined in [RFC6402] and an additional authorization
identifier to be recognized by an ACME CA, an ACME client will have
the ability to automatically request rights to act as a proxy, prove
ownership of a domain, and enroll for certificates on behalf of hosts
in its private network.
1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
[RFC2119].
2. Proposed Operation
The interactions between entities in the ACME proxy mode of operation
is described in this section. The process can be broken down into
two parts: proxy registration with the ACME CA and client enrollment
via the ACME proxy.
2.1. Automated ACME Proxy Registration
Panburana, et al. Expires April 21, 2016 [Page 2]
Internet-Draft ACME Proxy October 2015
The process beings with the host that wishes to act as an ACME proxy
initiating the account key registration process with a public ACME
CA. It is RECOMMENDED that the registration process follows the
registration procedure defined in [ACME].
+---------+ +------------+
| ACME | | ACME |
| Proxy | | CA |
| | | (Internet) |
+---------+ +------------+
| |
| |
|---Registration Request---->|
|<--Recovery Information-----|
| |
| |
|-----Proxy Authz Request--->|
|<----Challenges-------------|
|-----Challenge Response---->|
| |
| [does requester]
| [control the domain?]
| |
|-Polling for Authz Status-->|
| |
| [approve authorization]
| |
|-Polling for Authz Status-->|
| |
|----CSR submission--------->|
| |
|<---Certificate Issuance----|
| |
Figure 1
The registration process MAY be done manually for stricter control of
certificates issued with the cmcRA extension.
During automated proxy registration, the proxy device creates a
partial authorization object per section 6.5 of [ACME] to begin the
ACME key authorization process. In this partial authorization
object, the "identifier" object SHOULD be declared as type "domain
proxy" with the "value" set to the domain it desires to prove
ownership of as shown below:
POST /acme/new-authorization HTTP/1.1
Host: example.com
Panburana, et al. Expires April 21, 2016 [Page 3]
Internet-Draft ACME Proxy October 2015
{
"resource": "new-authz",
"identifier": {
"type": "domain proxy",
"value": "example.org"
}
}
/* Signed as JWS */
The ACME CA SHALL recognize the "domain proxy" identifier as an
additional authorization object per section 5.3 in [ACME]. The
public ACME CA SHOULD then determine if it is willing to issue a
certificate that would identify the requesting host as a proxy,
granting it the ability to submit CSRs on behalf of clients behind
it. If the ACME CA is willing to continue, it SHALL issue challenges
for the ACME proxy to complete to establish proof of domain
ownership. These challenges MAY be the ones specified in section 7
of [ACME].
If a host can demonstrate control over a given domain then that host
has the ability to individually enroll for other certificates for its
subdomains since the host has control over the same resources that
would be used by each subdomain to prove ownership to the ACME
server. Allowing a host to proxy enrollment requests for a given
domain does not challenge the integrity of authorizations from the
ACME server's perspective since the proxy uses the same set of
resources that would be used by an ACME CA to validate each subdomain
in a given domain. By granting the ability to allow an ACME proxy to
field enrollment requests on behalf of hosts in a domain, hosts on a
private network can have certificates issued by a public ACME CA.
Panburana, et al. Expires April 21, 2016 [Page 4]
Internet-Draft ACME Proxy October 2015
Once the host wishing to act as an ACME proxy completes the
challenges, it SHOULD poll the public ACME CA for its authorization
status as described in section 6.5 of [ACME]. When the proxy
determines that it has been authorized, it can then submit a CSR for
it's own certificate that MUST contain the key usage extension cmcRA
bit defined in [RFC6402] by POSTing the CSR as described in section
6.6 of [ACME]. The presence of this bit in subsequent mutually
authenticated TLS connections will allow the public ACME CA to
determine that it has previously granted proxy authority to a host.
The public ACME CA SHOULD then issue a certificate with the cmcRA key
usage bit enabled to the requesting proxy. Upon issuing a
certificate with the cmcRA bit to the ACME proxy, the ACME CA MUST
make an association between the newly issued certificate and all
identifiers for the proxy's account on the ACME server and the
account key for the proxy. The association between the proxy's cmcRA
certificate and the information in its account on the ACME server
MUST be used to link the proxy's JWS signature account key on JWS
objects containing new certificate request from the proxy's clients.
2.2. Client Enrollment via ACME Proxy
Figure 2 illustrates client enrollment via the ACME proxy:
+---------+ +----------+ +-----------+
| Client | | ACME | | ACME |
| Entity | | Proxy | | CA |
| | | | | (Internet)|
+---------+ +----------+ +-----------+
|----CSR submission-------->| |
| | |
| [client authorized to get a certificate?] |
| | |
| |---Client CSR submission--->|
| | |
| | [name constraint]
| | [check/cmcRA check]
| | |
| |<----Client certificate-----|
| | |
|<----Client certificate----| |
| | |
| | |
Figure 2
After a certificate with the cmcRA bit has been issued to the ACME
proxy, it can now take CSR submissions on of behalf clients behind
it. These clients are free to use any mechanism to submit their CSRs
Panburana, et al. Expires April 21, 2016 [Page 5]
Internet-Draft ACME Proxy October 2015
to the ACME proxy. The ACME proxy SHOULD perform all authentication
and authorization on clients prior to submitting their CSRs to the
public ACME CA.
The ACME proxy MUST submit a client's CSR to a public ACME CA by
first creating a JWS object as described in section 6.6 of [ACME].
It SHALL contain the CSR it received from the client and the ACME
proxy MUST sign it with the account key associated with the cmcRA
certificate issued by the public ACME CA. When establishing the TLS
connection [RFC5246] to POST the JWS object containing a client's
CSR, the ACME proxy MUST present its cmcRA certificate to the ACME CA
in the TLS connection. The ACME CA SHOULD now accept and validate
peer certificates on TLS connections used to request new
certificates. However, the ACME CA MUST accept and validate TLS peer
certificates if the account key used to sign the POSTed JWS object is
associated with a "domain proxy" identifier and it also MUST check
for the presence of the cmcRA bit in the presented certificate.
A check on the subject name contained in the POSTed client CSR MUST
be done by the ACME CA to ensure that the request is for a
certificate within the domain of the ACME proxy. This name
constraint check SHOULD be done as described in [RFC5280] section
4.2.1.10. To determine if a subject name in a CSR received from an
ACME proxy for one of its clients is a valid subdomain of the proxy's
domain, the ACME CA SHOULD refer to the value associated with the
authorized "domain proxy" identifier it keeps for the ACME proxy's
account. For example, if an ACME proxy obtains an authorization as a
"domain proxy" for the "example.com" domain the ACME CA MUST ensure
that all CSRs submitted on behalf of the ACME proxy's clients have
subject names and subject alt names that satisfy the expression
"*.example.com".
After the ACME CA validates the information contained within a CSR
submitted by the proxy, it MAY issue a certificate for the requesting
client. If the ACME CA decides to issue the certificate, the ACME
proxy can then retrieve the issued certificate from the URI specified
in the JWS message returned from the ACME CA or from the JWS object
itself as described in section 6.6 of [ACME]. It is then up to the
ACME proxy to deliver the certificate issued by the ACME CA to the
client it enrolled on behalf of.
3. Security Considerations
Consider an organization with control over the domain "example.com".
This organization has configured its local DNS infrastructure to
grant the DNS binding of a public IP address with "sales.example.com"
to a server on its network and DNS binding of a public IP address
with "test.sales.example.com" to another server on its network.
Panburana, et al. Expires April 21, 2016 [Page 6]
Internet-Draft ACME Proxy October 2015
Suppose the server in control of "sales.example.com" goes through the
process to become an ACME proxy for the "sales.example.com" domain.
It is now possible for the "sales.example.com" server to request a
certificate as a proxy for "test.sales.example.com" despite not
having been granted the domain name from the local DNS
infrastructure. This situation presents a problem for the true owner
of the "test.sales.example.com" domain as a certificate for that
domain can now be requested by an another entity that was not
assigned ownership of the domain by the local DNS infrastructure. It
is because of the local policy in the organization's authoritative
name server [RFC1035] for the domain "example.com" that the
hierarchical domain names indicated by the "." [RFC1034]
"test.sales.example.com" and "sales.example.com" were assigned to
internal name servers that are not actually hierarchically related.
However, in the same vein as section 9.2 of [ACME], from an outside
world perspective the integrity of "test.sales.example.com" is not
compromised since the subdomain is under the control of the owner of
the top level "example.com" domain. Even without an ACME proxy
providing the ability to automatically enroll for certificates within
a subdomain, the possibility still exists for a certificate to be
issued to an incorrect entity in a given domain if the local DNS
authority performs no validation on the hierarchical relationship
between entities in its network. The resulting domain validation
confusion from this scenario is beyond the scope of the ACME
protocol.
4. Acknowledgements
I would like to extend a thank you to John Foley for reviewing this
document.
5. Normative References
[ACME] Barnes, , Eckersley, , Schoen, , Halderman, , and Kasten,
"Automatic Certificate Management Environment (ACME)",
December 2009, <https://github.com/letsencrypt/acme-spec/
blob/master/draft-barnes-acme.md>.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<http://www.rfc-editor.org/info/rfc1034>.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <http://www.rfc-editor.org/info/rfc1035>.
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.,
and E. Lear, "Address Allocation for Private Internets",
Panburana, et al. Expires April 21, 2016 [Page 7]
Internet-Draft ACME Proxy October 2015
BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996,
<http://www.rfc-editor.org/info/rfc1918>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/
RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
Addresses", RFC 4193, DOI 10.17487/RFC4193, October 2005,
<http://www.rfc-editor.org/info/rfc4193>.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/
RFC5246, August 2008,
<http://www.rfc-editor.org/info/rfc5246>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<http://www.rfc-editor.org/info/rfc5280>.
[RFC6402] Schaad, J., "Certificate Management over CMS (CMC)
Updates", RFC 6402, DOI 10.17487/RFC6402, November 2011,
<http://www.rfc-editor.org/info/rfc6402>.
[RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web
Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
2015, <http://www.rfc-editor.org/info/rfc7515>.
Authors' Addresses
Peter Panburana
Cisco
Email: pepanbur@cisco.com
Max Pritikin
Cisco
Email: pritikin@cisco.com
Panburana, et al. Expires April 21, 2016 [Page 8]
Internet-Draft ACME Proxy October 2015
Pete Beal
Cisco
Email: pbeal@cisco.com
Panburana, et al. Expires April 21, 2016 [Page 9]