Automated Certificate Management Environment (ACME) Extensions for ".onion" Special-Use Domain Name

ACME for onions

`draft-ietf-acme-onion`

Q Misell, Glauca Digital

IETF 117, Monday 24^th of July 2023

Fedi: @q@glauca.space
Email: q@as207960.net

Since IETF 116

Adopted 🎉
Reference CA implementation
acmeforonions.org
Certbot plugin for onion-csr-01
certbot-onion
Tor Spec Proposal 343-rend-caa

Why even have X.509 certificates for Tor hidden services?

Secure cookies
Content Security Policy
HTTP/2
PCI DSS
Security-in-depth

Goals

Define extensions to ACME to automate the issuance of X.509 certificates for Tor hidden services in line with the accepted methods in the CA/BF BR.

Non-goals

Any method not accepted by the CA/BF.

Current state of things

DigiCert (EV only)
HARICA

CA/BF BR Appendix B

§ 3.2.2.4.18 - Agreed-Upon Change to Website v2
§ 3.2.2.4.19 - Agreed-Upon Change to Website - ACME
§ 3.2.2.4.20 - TLS Using ALPN
§ B.2.b - Special CSR

Identifier type


{
  "type": "dns",
  "value": "bbcweb3hytmz...rad.onion"
}

Clients can be oblivious to the fact that the identifier is a Tor hidden service with "http-01" or "tls-alpn-01" validation methods.

New `onion-csr-01` Validation Method

Implements CA/BF BR § B.2.b

Clients prove control over the .onion domain by signing a CSR with the private key of the .onion domain.

Overview of the Tor hidden service descriptor

Outer layer

Fetched with the service's blinded public key


hs-descriptor 3
descriptor-lifetime ...
descriptor-signing-key-cert
-----BEGIN ED25519 CERT-----
...
-----END ED25519 CERT-----
revision-counter ...
superencrypted
-----BEGIN MESSAGE-----
...
-----END MESSAGE-----

First layer encrypted data

Encrypted with the service's (non-blinded) public key


desc-auth-type x25519
desc-auth-ephemeral-key ...
auth-client ...
auth-client ...
auth-client ...
encrypted
-----BEGIN MESSAGE----
...
-----END MESSAGE-----

Second layer encrypted data

Encrypted with data from auth-client


create2-formats 2
introduction-point ...
onion-key ntor ...
auth-key
-----BEGIN ED25519 CERT-----
...
-----END ED25519 CERT-----
enc-key ntor ...
enc-key-cert
-----BEGIN ED25519 CERT-----
...
-----END ED25519 CERT-----
introduction-point ...

Client authentication

Tor allows hidden services to restrict which clients can connect using client authentication.

New authKey field to allow hidden service operators to allow the CA's Tor client to read their hidden service descriptor to issue certificates.

CAA records

.onion domains aren't in the DNS, so standard CAA records can't be used. Instead, CAA records are encoded in the BIND zone file format the second layer hidden service descriptor.


create2-formats 2
single-onion-service
caa 128 issue "test.acmeforonions.org;validationmethods=onion-csr-01"
caa 0 iodef "mailto:security@example.com"
introduction-point AwAGsAk5n...

CAA interaction with client authentication

New field in the first layer hiiden service descriptor to signal that there are CAA records in the second layer descriptor.


desc-auth-type x25519
caa-critical
auth-client ...

Questions?

Q Misell, Glauca Digital

Slide deck available at magicalcodewit.ch/ietf117-slides/

Fedi: @q@glauca.space
Email: q@as207960.net

ACME for onions

draft-ietf-acme-onion

Q Misell, Glauca Digital

Since IETF 116

Why even have X.509 certificates for Tor hidden services?

Goals

Non-goals

Current state of things

CA/BF BR Appendix B

Identifier type

New onion-csr-01 Validation Method

Overview of the Tor hidden service descriptor

Outer layer

First layer encrypted data

Second layer encrypted data

Client authentication

CAA records

CAA interaction with client authentication

Questions?

Q Misell, Glauca Digital

`draft-ietf-acme-onion`

New `onion-csr-01` Validation Method