Re: [Acme] Want client-defined callback port

Bruce Gaya <gaya@apple.com> Fri, 17 April 2015 02:50 UTC

From: Bruce Gaya <gaya@apple.com>
In-reply-to: <CAL02cgQ94ijVrCM9SStcodRW+XSG2w5Zwu3+ny8HriDBnxjdtg@mail.gmail.com>
Date: Thu, 16 Apr 2015 19:50:56 -0700
Message-id: <FF21526F-BA8D-4F54-AAE3-047632706668@apple.com>
References: <352DA5FE-AC6F-49A7-8F9F-70A74889204F@apple.com> <CAK3OfOjey4bk02qC_jj2c0AzZ54qnP=KAJnG=mXnO6A5gZ4m9g@mail.gmail.com> <CAL02cgQ94ijVrCM9SStcodRW+XSG2w5Zwu3+ny8HriDBnxjdtg@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/0t7f5m7TCRpcKjwWYTDPXOWmT1o>
Cc: Nico Williams <nico@cryptonector.com>, "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] Want client-defined callback port

> On 16 Apr 2015, at 18:57, Richard Barnes <rlb@ipv.sx> wrote:
> 
> Right.  The property that we're trying to authenticate here is that the ACME client controls something associated with the hostname.  Ideally, this would be the person with write access to the zone file (cf. DNS challenges), but to facilitate validation, modern validation accepts validation of things like controlling an HTTP or HTTPS server.  It's less clear that it would be acceptable to validate that someone can provision a service on, say, port 36707.
> 
> That said, the ability to do domain validation without service interruption seems like an important requirement.  It seems like the DNS challenge listed in the current draft meets that requirement.  We should be able to design the simpleHttps challenge so that you just have to provision an extra file on an HTTPS server, not reconfigure it.
> 
> --Richard
> 
> On Thu, Apr 16, 2015 at 8:56 PM, Nico Williams <nico@cryptonector.com> wrote:
> You have to be able to prevent unauthorized users from using this
> alternative callback port to get certs with which to impersonate your
> service.

The server (ACME client) computer may be shared between various administrators.  It may also have multiple DNS names and host multiple services.  If I use ACME to get a certificate for a non-web service, like a CalDAV service (default https port = 8443), I do not want to touch or reconfigure the web server (or whatever happens to be using port 443) just to get a cert for CalDAV.

- Bruce
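Editor's added example, not code from the ACME draft, from any ACME implementation, or from the participants in this thread. It models the trade-off the three messages above are circling: on a shared host, whoever can bind a port can answer an HTTP-style challenge on it, so a CA that validates against an arbitrary client-chosen port (Richard's "port 36707") is really validating "can bind a high port", which any unprivileged local user can do; restricting validation to ports that need privilege to bind (assumed here to be {80, 443}) closes that, while still letting the CalDAV admin in Bruce's scenario get a certificate by dropping one file into the existing web server's docroot rather than reconfiguring it. The challenge path and the `token.thumbprint` key authorization follow the http-01 design that ACME later standardized in RFC 8555, not the 2015 simpleHttps draft; the port policy, the `SharedHost` model, the account keys and the tokens are all constructed for the example.

```python
import base64
import hashlib
import json
from dataclasses import dataclass, field

# --- Policy --------------------------------------------------------------
# Ports the CA-side validator will treat as evidence of host control.
# Assumption for this example: only ports that require privilege to bind.
PRIVILEGED_VALIDATION_PORTS = frozenset({80, 443})


def validation_port_allowed(port, policy=PRIVILEGED_VALIDATION_PORTS):
    """True if a listener on `port` may count as proof of control of the host."""
    return port in policy


# --- Challenge material (RFC 8555 http-01 style, assumed for the example) --
CHALLENGE_PATH = "/.well-known/acme-challenge/"


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def key_authorization(token, account_jwk):
    """The value the validator expects to read back: token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


# --- A shared host with the classic Unix port rule ------------------------
@dataclass
class SharedHost:
    """One machine, several admins; each listener belongs to whoever bound it."""
    listeners: dict = field(default_factory=dict)  # port -> (owner, handler)

    def bind(self, owner, port, handler):
        if port < 1024 and owner != "root":
            raise PermissionError(f"{owner} cannot bind privileged port {port}")
        if port in self.listeners:
            raise OSError(f"port {port} already in use")
        self.listeners[port] = (owner, handler)

    def fetch(self, port, path):
        """What the CA sees when it connects to host:port and GETs path."""
        if port not in self.listeners:
            raise ConnectionRefusedError(port)
        _owner, handler = self.listeners[port]
        return handler(path)


# --- CA-side validation ----------------------------------------------------
def validate_http_challenge(host, port, token, account_jwk, policy=PRIVILEGED_VALIDATION_PORTS):
    """Return (ok, reason); ok means the CA would accept the name for this account key."""
    if not validation_port_allowed(port, policy):
        return False, f"port {port} not accepted for validation"
    try:
        body = host.fetch(port, CHALLENGE_PATH + token)
    except ConnectionRefusedError:
        return False, "nothing listening"
    if body.strip() != key_authorization(token, account_jwk):
        return False, "key authorization mismatch"
    return True, "validated"


# --- The scenario from the thread, with constructed keys and tokens -------
def webroot_handler(docroot):
    """Static file server: docroot maps challenge tokens to file contents."""
    def handle(path):
        token = path[len(CHALLENGE_PATH):] if path.startswith(CHALLENGE_PATH) else path
        return docroot.get(token, "404")
    return handle


def scenario():
    host = SharedHost()
    webroot = {}  # root's existing web server on 443; its docroot is group-writable
    host.bind("root", 443, webroot_handler(webroot))

    # Bruce: CalDAV admin. He writes one file into the webroot; no reconfiguration.
    bruce_key = {"kty": "EC", "crv": "P-256", "x": "bruce-x", "y": "bruce-y"}
    token = "tok-caldav-8443"
    webroot[token] = key_authorization(token, bruce_key)

    # Mallory: unprivileged local user. She can bind 36707 and answer any token.
    mallory_key = {"kty": "EC", "crv": "P-256", "x": "mallory-x", "y": "mallory-y"}
    host.bind("mallory", 36707,
              lambda path: key_authorization(path.rsplit("/", 1)[-1], mallory_key))

    permissive = frozenset(range(1, 65536))  # "client-defined callback port" policy
    return {
        "bruce_on_443": validate_http_challenge(host, 443, token, bruce_key)[0],
        "mallory_on_36707_strict": validate_http_challenge(host, 36707, "t2", mallory_key)[0],
        "mallory_on_36707_permissive": validate_http_challenge(host, 36707, "t2", mallory_key, permissive)[0],
    }


if __name__ == "__main__":
    print(scenario())
```

With the strict policy Mallory's listener is never consulted, so her ability to bind a high port buys her nothing; with the permissive policy the CA would issue her a certificate for the host's name on the strength of that listener alone, which is the impersonation Nico warns about. Bruce's CalDAV certificate still goes through, because the proof lives on port 443 as a file he can write without touching the web server's configuration. A real validator would also have to worry about who can write the docroot, redirects, and DNS, none of which this model covers.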