Re: [Acme] Why "HTTP verification"
Martin Thomson <martin.thomson@gmail.com> Wed, 03 December 2014 05:36 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC6A81A00B5 for <acme@ietfa.amsl.com>; Tue, 2 Dec 2014 21:36:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C5NXix2LdyLp for <acme@ietfa.amsl.com>; Tue, 2 Dec 2014 21:36:33 -0800 (PST)
Received: from mail-oi0-x231.google.com (mail-oi0-x231.google.com [IPv6:2607:f8b0:4003:c06::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE2451A009E for <acme@ietf.org>; Tue, 2 Dec 2014 21:36:32 -0800 (PST)
Received: by mail-oi0-f49.google.com with SMTP id i138so10221121oig.36 for <acme@ietf.org>; Tue, 02 Dec 2014 21:36:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=gtrjxqzhR1bQsWo//eLIxXe9ngbuRxew9M02S6YTre8=; b=WTZIJfcvscMl8ubz3CZRwH3k6mgUllVtEAj/uHBDRTd+xeozprFCxVRKnY+qQJuZM0 M3UVR01TH0TENKYTDfqZkCwbh8fvhNmZDYSoGilB2WiW1alQuCmnUFRiOv8hjGX5+GCp WTuld43oLectv0nHGMl3Dil/+PaXYrdcJxiCf/uPE7H+xkjelut8ccgfpy9H0eMPru5t qhlguOdRJk2KlF5PFJd9urbNGlrHX5t5LzecxTU//g94P3O4ZhF1hYL0faXLLW8d9dT9 LqEkx39NSoPo8qN4G9uKzCpVVYrsySpdI73dPkwREYORcrz3b5C7qqPg0lx68DOyoMu3 grxw==
MIME-Version: 1.0
X-Received: by 10.60.219.7 with SMTP id pk7mr2053568oec.0.1417584992080; Tue, 02 Dec 2014 21:36:32 -0800 (PST)
Received: by 10.202.115.4 with HTTP; Tue, 2 Dec 2014 21:36:32 -0800 (PST)
In-Reply-To: <CAK6vND-001PK0gP_3Txoge2hvYiKPuA+trd9zj7PzaooOOMH3A@mail.gmail.com>
References: <B80ACB30-1A35-440E-B250-AB8C80D1FAF1@vpnc.org> <CAK6vND-001PK0gP_3Txoge2hvYiKPuA+trd9zj7PzaooOOMH3A@mail.gmail.com>
Date: Tue, 02 Dec 2014 21:36:32 -0800
Message-ID: <CABkgnnV19HdXvOa9-bTK+U4fSChXq=XV84jifOBLBDGd+bpqqQ@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Peter Bowen <pzbowen@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/0__iI-divSFfliVVN8Dj4bHyGgA
Cc: "acme@ietf.org" <acme@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [Acme] Why "HTTP verification"
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Dec 2014 05:36:44 -0000
On 2 December 2014 at 11:15, Peter Bowen <pzbowen@gmail.com> wrote: > The primary case where I see a problem is when the site already has a > trusted certificate and wants to use ACME to get a new certificate. > They are unlikely to want to replace their working certificate with a > self-signed certificate. So the proof would need to happen at the > HTTP layer, not the TLS layer. I think that we can do better than this. That's why I opened <https://github.com/letsencrypt/acme-spec/issues/26>. The protocol requires proof of possession for establishing a request for a certificate. Requiring a self-signed certificate means that you can only use the simpleHttps (I don't see an HTTP variant here), for completely new installations. Presumably renewals can be protected by periodic checks to see that the site remains valid, but it does little for a new key. I think that as long as there is some way to generate POP for the key that a certificate is being issued for, it makes little sense to require that the HTTPS connection is served with that key. I understand why the proposal has that, but it makes it impossible to renew. The SNI verification at least allows the server some information it can used to select a self-signed certificate, and this could use ALPN for the same thing, but that seems like overkill. I think that I would like to be able to have a check like this for key rollovers as well as the initial setup, so I think that a different design is appropriate.
- [Acme] Why "HTTP verification" Paul Hoffman
- Re: [Acme] Why "HTTP verification" Peter Bowen
- Re: [Acme] Why "HTTP verification" Viktor Dukhovni
- Re: [Acme] Why "HTTP verification" Peter Bowen
- Re: [Acme] Why "HTTP verification" Phillip Hallam-Baker
- Re: [Acme] Why "HTTP verification" Ángel González
- Re: [Acme] Why "HTTP verification" Eric Mill
- Re: [Acme] Why "HTTP verification" Martin Thomson
- Re: [Acme] Why "HTTP verification" Ben Laurie
- Re: [Acme] Why "HTTP verification" Martin Thomson
- Re: [Acme] Why "HTTP verification" Peter Bowen