RFC 8823 | ACME for S/MIME | April 2021 |
Melnikov | Informational | [Page] |
This document specifies identifiers and challenges required to enable the Automated Certificate Management Environment (ACME) to issue certificates for use by email users that want to use S/MIME.¶
This document is not an Internet Standards Track specification; it is published for informational purposes.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are candidates for any level of Internet Standard; see Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8823.¶
Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
ACME [RFC8555] is a mechanism for automating certificate management on the Internet. It enables administrative entities to prove effective control over resources like domain names, and it automates the process of generating and issuing certificates.¶
This document describes an extension to ACME for use by S/MIME. Section 3 defines extensions for issuing end-user S/MIME [RFC8550] certificates.¶
This document aims to support both:¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
ACME [RFC8555] defines a "dns" identifier type that is used to verify that a particular entity has control over a domain or specific service associated with the domain. In order to be able to issue end-user S/MIME certificates, ACME needs a new identifier type that proves ownership of an email address.¶
This document defines a new identifier type, "email", which corresponds to an email address. The address can be all ASCII [RFC5321] or internationalized [RFC6531]; when an internationalized email address is used, the domain part can contain both U-labels and A-labels [RFC5890]. This can be used with S/MIME or another similar service that requires possession of a certificate tied to an email address.¶
Any identifier of type "email" in a newOrder request MUST NOT have a wildcard ("*") character in its value.¶
A new challenge type, "email-reply-00", is used with the "email" identifier type, which provides proof that an ACME client has control over an email address.¶
The process of issuing an S/MIME certificate works as follows. Note that the ACME client can be a standalone application (if the MUA is not ACME-email-aware) or can be a component of the MUA.¶
The ACME server responds to the POST request, including an "authorizations" URL for the requested email address. The ACME client then retrieves information about the corresponding "email-reply-00" challenge, as specified in Section 7.5 of [RFC8555]. The "token" field of the corresponding challenge object (from the "challenges" array) contains token-part2. token-part2 should contain at least 128 bits of entropy. The "type" field of the challenge object is "email-reply-00". The challenge object also contains the "from" field, with the email address that would be used in the From header field of the "challenge" email message (see the next step).¶
An example challenge object might look like this:¶
{ "type": "email-reply-00", "url": "https://example.com/acme/chall/ABprV_B7yEyA4f", "from": "[email protected]", "token": "DGyRejmCefe7v4NfDGDKfA" }¶
A "challenge" email message MUST have the following structure:¶
In order to prove authenticity of a challenge message, it MUST be signed using either DomainKeys Identified Mail (DKIM) [RFC6376] or S/MIME [RFC8551].¶
An email client compliant with this specification that detects that a particular "challenge" email fails the validation described above MUST ignore the challenge and thus will not generate a "response" email. To aid in debugging, such failed validations SHOULD be logged.¶
Here is an example of an ACME "challenge" email (note that, for simplicity, DKIM-related header fields are not included).¶
A valid "response" email message MUST have the following structure:¶
The media type of the "response" email message is either text/plain or multipart/alternative [RFC2046], containing text/plain as one of the alternatives. (Note that the requirement to support multipart/alternative is to allow use of ACME-unaware MUAs, which can't always generate pure text/plain, e.g., if they reply to a text/html). The text/plain body part (whether or not it is inside multipart/alternative) MUST contain a block of lines starting with the line "-----BEGIN ACME RESPONSE-----", followed by one or more lines containing the base64url-encoded SHA-256 digest [RFC6234] of the key authorization, calculated from concatenated token-part1 (received over email) and token-part2 (received over HTTPS), as outlined in the 5th bullet in Section 3. (Note that each line of text/plain is terminated by CRLF. Bare LFs or bare CRs are not allowed.) Due to historical line-length limitations in email, line endings (CRLFs) can be freely inserted in the middle of the encoded digest, so they MUST be ignored when processing it. The final line of the encoded digest is followed by a line containing:¶
-----END ACME RESPONSE-----¶
Any text before and after this block is ignored. For example, such text might explain what to do with it for ACME-unaware clients.¶
Here is an example of an ACME "response" email (note that, for simplicity, DKIM-related header fields are not included).¶
ACME extensions specified in this document can be used to request signing-only or encryption-only S/MIME certificates.¶
In order to request signing-only S/MIME certificates, the CSR MUST include the key usage extension with digitalSignature and/or nonRepudiation bits set and no other bits set.¶
In order to request encryption-only S/MIME certificates, the CSR MUST include the key usage extension with keyEncipherment or keyAgreement bits set and no other bits set.¶
Presence of both of the above sets of key usage bits in the CSR, as well as absence of the key usage extension in the CSR, signals to the ACME server to issue an S/MIME certificate suitable for both signing and encryption.¶
[RFC8616] updated/clarified use of DKIM with internationalized email addresses [RFC6531]. Please consult [RFC8616] in regards to any changes that need to be implemented.¶
Use of non-ASCII characters in left-hand sides of internationalized email addresses requires putting internationalized email addresses in X.509 certificates [RFC8398].¶
IANA has registered a new identifier type in the "ACME Identifier Types" registry defined in Section 9.7.7 of [RFC8555] with Label "email" and a Reference to this document, [RFC5321], and [RFC6531]. The new identifier type corresponds to an (all ASCII) email address [RFC5321] or internationalized email addresses [RFC6531].¶
IANA has registered a new entry in the "ACME Validation Methods" registry defined in Section 9.7.8 of [RFC8555]. This entry is as follows:¶
Label | Identifier Type | ACME | Reference |
---|---|---|---|
email-reply-00 | Y | RFC 8823 |
Please see the Security Considerations section of [RFC8555] for general security considerations related to the use of ACME. This challenge/response protocol demonstrates that an entity that controls the private key (corresponding to the public key in the certificate) also controls the named email account. The ACME server is confirming that the requested email address belongs to the entity that requested the certificate, but this makes no claim to address correctness or fitness for purpose. If such claims are needed, they must be obtained by some other mechanism.¶
The security of the "email-reply-00" challenge type depends on the security of the email system. A third party that can read and reply to user's email messages (by possessing a user's password or a secret derived from it that can give read and reply access, such as "password equivalent" information, or by being given permissions to act on a user's behalf using email delegation features common in some email systems) can request S/MIME certificates using the protocol specified in this document and is indistinguishable from the email account owner. This has several possible implications:¶
An email system in its turn depends on DNS. A third party that can manipulate DNS MX records for a domain might be able to redirect an email and can get (at least temporary) read and reply access to it. Similar considerations apply to DKIM TXT records in DNS. Use of DNSSEC by email system administrators is recommended to avoid making it easy to spoof DNS records affecting an email system. However, use of DNSSEC is not ubiquitous at the time of publishing of this document, so it is not required here. Also, many existing systems that rely on verification of ownership of an email address -- for example, 2-factor authentication systems used by banks or traditional certificate issuance systems -- send email messages to email addresses, expecting the owner to click on the link supplied in them (or to reply to a message), without requiring use of DNSSEC. So the risk of not requiring DNSSEC is presumed acceptable in this document.¶
An ACME email challenge message can be forged by an attacker. As per requirements on an ACME-email-aware MUA specified in Section 3, the MUA will not respond to requests it is not expecting. Even if the attacker causes the erroneous "response" email to go to an attacker-controlled email address, very little information is leaked -- the SHA-256 hash of the key authorization would be leaked, not the key authorization itself, so no parts of the token or the account key thumbprint are leaked.¶
An attacker that can read the "response" email has only one chance to guess the token-part2. Even if the attacker can guess it right, it still needs to know the ACME account key to be able to make use of the intercepted SHA-256 hash of the key authorization.¶
Also see the Security Considerations section of [RFC6376] for details on how DKIM depends on the DNS and the respective vulnerabilities this dependence has.¶
Thank you to Andreas Schulze, Gerd v. Egidy, James A. Baker, Ben Schwartz, Peter Yee, Hilarie Orman, Michael Jenkins, Barry Leiba, Fraser Tweedale, Daniel Kahn Gillmor, and Benjamin Kaduk for their suggestions, comments, and corrections of this document.¶