Re: [Acme] Call for adoption of draft-misell-acme-onion-02

Aaron Gable <aaron@letsencrypt.org> Fri, 09 June 2023 16:55 UTC

To: Deb Cooley <debcooley1@gmail.com>
Cc: IETF ACME <acme@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/-puOLP_LXNILKIfDjKt1RO-qm5I>

Hi all,

I support the draft for adoption. Specifically, I think it's a good thing
to standardize the onion-csr-01 challenge type. I have two classes of
comments that I look forward to discussing in-depth after adoption:

1) Obviously it's valuable for this draft to standardize a method that is
already accepted by the CA/BF. But in the long term there's no need to use
a CSR as the transport mechanism for a random token, a public key, and a
signature -- moving away from X.509 for this would be nice in the long term.
Probably out-of-scope for this document, but worth discussing.

2) The primary benefit of the onion-csr-01 method is that it allows the CA
to perform domain control validation without operating a Tor client.
However, this benefit is obviated entirely by the need to operate a Tor
client to check for CAA in the hidden service descriptor. It seems likely
that there are CAs which have avoided implementing HTTP-01 and TLS-ALPN-01
for .onion due to the need to operate a Tor client; these same CAs may have
been willing to implement ONION-CSR-01, but now will not due to the CAA
mechanism.

Thanks,
Aaron

On Sun, Jun 4, 2023 at 4:07 AM Deb Cooley <debcooley1@gmail.com> wrote:

> This will be a two week call for adoption ending on 16 June.   Please
> speak up either for or against adopting this draft.
>
> Thanks,
> Deb
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>
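The onion-csr-01 exchange Aaron describes above (a CSR used purely as a container for a CA-chosen token, the onion service's public key and a self-signature, all checkable by the CA without running a Tor client), as an added example; this is not code from the draft, from Let's Encrypt or from anyone in the thread. The attribute OIDs, the nonce encoding and the helper names are assumptions, and the CAA lookup in the hidden-service descriptor, the one step that does need a Tor client, is deliberately left out.

```python
import base64, hashlib, hmac, os

from cryptography import x509
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ed25519
from cryptography.x509.oid import NameOID, ObjectIdentifier

# Assumed attribute OIDs (CA/BF Baseline Requirements Appendix B, not from this thread).
CA_NONCE_OID = ObjectIdentifier("2.23.140.41")         # caSigningNonce
APPLICANT_NONCE_OID = ObjectIdentifier("2.23.140.42")  # applicantSigningNonce


def onion_address(pub: ed25519.Ed25519PublicKey) -> str:
    """v3 .onion name: base32(pubkey || sha3_256(".onion checksum" || pubkey || 0x03)[:2] || 0x03)."""
    raw = pub.public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)
    checksum = hashlib.sha3_256(b".onion checksum" + raw + b"\x03").digest()[:2]
    return base64.b32encode(raw + checksum + b"\x03").decode().lower() + ".onion"

def build_onion_csr(key: ed25519.Ed25519PrivateKey, ca_nonce: bytes) -> bytes:
    """Applicant side: the CSR only carries both nonces, the onion key and a self-signature."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, onion_address(key.public_key()))])
    builder = (x509.CertificateSigningRequestBuilder().subject_name(subject)
               .add_attribute(CA_NONCE_OID, ca_nonce)
               .add_attribute(APPLICANT_NONCE_OID, os.urandom(16).hex().encode()))
    return builder.sign(key, None).public_bytes(serialization.Encoding.PEM)  # Ed25519: no hash arg

def validate_onion_csr(pem: bytes, claimed_name: str, expected_ca_nonce: bytes) -> bool:
    """CA side: every check is local to the CSR, so the proof itself needs no Tor client."""
    csr = x509.load_pem_x509_csr(pem)
    pub = csr.public_key()
    if not isinstance(pub, ed25519.Ed25519PublicKey) or not csr.is_signature_valid:
        return False  # wrong key type, or the signature does not bind the nonces to this key
    if onion_address(pub) != claimed_name.lower():
        return False  # the key in the CSR is not the one the .onion name commits to
    try:
        ca_nonce = csr.get_attribute_for_oid(CA_NONCE_OID)
        applicant_nonce = csr.get_attribute_for_oid(APPLICANT_NONCE_OID)
    except x509.AttributeNotFound:
        return False  # a nonce is missing, so freshness cannot be established
    return hmac.compare_digest(ca_nonce, expected_ca_nonce) and len(applicant_nonce) >= 16

def demo() -> dict:
    """Round trip, then the same CSR replayed against a fresh CA nonce (must be rejected)."""
    key = ed25519.Ed25519PrivateKey.generate()
    ca_nonce = os.urandom(16).hex().encode()
    pem = build_onion_csr(key, ca_nonce)
    name = onion_address(key.public_key())
    return {"name": name, "valid": validate_onion_csr(pem, name, ca_nonce),
            "replay": validate_onion_csr(pem, name, os.urandom(16).hex().encode())}
```

Requires the `cryptography` package (36.0 or later for CSR attribute support); the name check is what ties the self-signed CSR to the identifier, since a v3 onion address is derived from the service key itself.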