Re: [Acme] Supporting off-line (manual) validation

Richard Barnes <rlb@ipv.sx> Tue, 28 July 2015 19:57 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77C6E1B2ED4 for <acme@ietfa.amsl.com>; Tue, 28 Jul 2015 12:57:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EydvzxNjXY6U for <acme@ietfa.amsl.com>; Tue, 28 Jul 2015 12:57:40 -0700 (PDT)
Received: from mail-vn0-f50.google.com (mail-vn0-f50.google.com [209.85.216.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC4971B2EC9 for <acme@ietf.org>; Tue, 28 Jul 2015 12:57:39 -0700 (PDT)
Received: by vnk197 with SMTP id 197so47046441vnk.3 for <acme@ietf.org>; Tue, 28 Jul 2015 12:57:39 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=0QNDCu1vd5SgZpgEIQcOnDs4xkyO7zSoX+6nDtoXz8g=; b=gQBJuOM6XTeya3hoJA9F+7gfM8mUulWZzMYd15I2MFe+2ehoSxsieL9SFG6xXD3aZz WPYRnBN6oYJ7+vl+ZqMz2Lcj2Cju/a/YLIZ/uV0LLsi3fNR1ak4OiaoUYrjEpexMBRIW Bt6PoAopnH6hVJTMDgrq8ElJMZI/x1ba7K1FEDILaGChLFbkkxPL/wDY1RaHkyTr/XpC vJWyphVmIR/0P8eJ8yTfWsGG+cOOBTW2M2IEb6GtKzsyWdgOszGKnehcvE7nok+fxOqL HiF6ZuNFh7box3Zor2LhTY/8iEomyp/LLD9kAEa4q89n90rxe6/2FpkQd/WLkFKZ0hqp A+0w==
X-Gm-Message-State: ALoCoQlR4zDrVtSuTZHTrMo/+HENYLiVKIgWiYqBgeYJsr/UuwuDPGiuvnp4OvYurTLyNnMaet5B
MIME-Version: 1.0
X-Received: by 10.52.31.10 with SMTP id w10mr47238409vdh.54.1438113459110; Tue, 28 Jul 2015 12:57:39 -0700 (PDT)
Received: by 10.31.164.207 with HTTP; Tue, 28 Jul 2015 12:57:39 -0700 (PDT)
In-Reply-To: <55B7DA0A.1020806@gmail.com>
References: <mailman.5108.1438102538.3631.acme@ietf.org> <55B7DA0A.1020806@gmail.com>
Date: Tue, 28 Jul 2015 15:57:39 -0400
Message-ID: <CAL02cgS3n70F=ToB-rD2WA_TRKrxMAwRvmNPPmg=Sx0S62vMQg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/0tnSQwrdb4n2qcML-1WeWcehQeY>
Cc: "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] Supporting off-line (manual) validation
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jul 2015 19:57:41 -0000

On Tue, Jul 28, 2015 at 3:37 PM, Yaron Sheffer <yaronf.ietf@gmail.com>; wrote:
> Many clients will want to fail if the CA decides to "go offline". I think
> logic that keeps state on the CA is too complex. Better to allow the client
> to say "if offline validation is needed, please fail the whole transaction".

I disagree.  I would really like to make ACME as incrementally
deployable as possible.  It should be trivially possible to use the
issuance and revocation transactions without using anything else from
ACME, and if we have an "offline" challenge type, then that gives CAs
a way to migrate into the authorization flow.

--Richard


>
> Thanks,
>         Yaron
>
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme