Re: [Acme] Revoking certificates issued by an unknown ACME server

"Salz, Rich" <rsalz@akamai.com> Fri, 15 January 2016 16:04 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: Hugo Landau <hlandau@devever.net>, Martin Thomson <martin.thomson@gmail.com>
Thread-Topic: [Acme] Revoking certificates issued by an unknown ACME server
Date: Fri, 15 Jan 2016 16:04:28 +0000
Message-ID: <a768976b72844ea987e6bf7f2b576fd8@usma1ex-dag1mb1.msg.corp.akamai.com>
References: <20160114152747.GA28898@andover> <CABkgnnWjCbLjRhLH=riyWfCRxBX-kLVfAgTqVjrRR-8bMVCMkw@mail.gmail.com> <20160115062649.GA21476@andover>
In-Reply-To: <20160115062649.GA21476@andover>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/0NFGFHlgBMXMiGWFTSCJc71agcg>
Cc: "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] Revoking certificates issued by an unknown ACME server
List-Id: Automated Certificate Management Environment <acme.ietf.org>

> This isn't sanely automatable.
> 
> It's unlikely that this will pose an issue if a human wants to figure out the
> issuing server. But as things stand to automate things you'd need to maintain
> a database of CAs to directory URLs.

I don't see a problem with that.  You've got a cert, you can figure out the issuer, and then you go to your table, csv, spreadsheet, appconfig, whatever and see where the ACME server is that you first contacted.

On the other hand, if you want to define an authorityInfoAccess type of "acmeServer", kind of analogous to crlDP, go ahead and let's see who takes it up.
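The issuer-table lookup sketched above, written out as an added Go example (not code from this thread or from any ACME implementation): parse the certificate, take its issuer Name, and look it up in an operator-maintained table to find the directory to send the revocation to. The issuer DN and directory URL are constructed placeholders, and the unknown-issuer case is surfaced as an error, since nothing in the certificate itself names the ACME server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Operator-maintained table: issuer DN (RFC 2253 form, as pkix.Name.String()
// renders it) -> ACME directory first contacted. Constructed placeholder entry.
var acmeDirectoryByIssuer = map[string]string{
	"CN=Example Test CA,O=Example Org": "https://acme.example.test/directory",
}

// acmeServerForCert parses a DER certificate and maps its issuer to the ACME
// directory on record. Go only surfaces the OCSP and caIssuers AIA methods
// (cert.OCSPServer, cert.IssuingCertificateURL); no "acmeServer" method exists.
func acmeServerForCert(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", fmt.Errorf("parse certificate: %w", err)
	}
	issuer := cert.Issuer.String()
	dir, ok := acmeDirectoryByIssuer[issuer]
	if !ok {
		return "", fmt.Errorf("no ACME directory on record for issuer %q", issuer)
	}
	return dir, nil
}

// makeTestCert builds a throwaway self-signed certificate whose issuer is the
// given CN/O pair (test fixture constructed for this example).
func makeTestCert(cn, org string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}
```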