Re: [Acme] I-D Action: draft-ietf-acme-ip-01.txt

Roland Shoemaker <roland@letsencrypt.org> Mon, 18 September 2017 19:30 UTC

To: acme@ietf.org
References: <150576210331.15691.3080913852885263681@ietfa.amsl.com>
From: Roland Shoemaker <roland@letsencrypt.org>
Message-ID: <473268b2-378a-7aaa-b36e-32f6c751a778@letsencrypt.org>
Date: Mon, 18 Sep 2017 12:30:28 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/0wv40jpMKICo_IjNnHDwbxBD9Zc>

Little difference from the last draft, mostly small cleanups.

There was some previous discussion about how to handle policy decisions
for issuing certificates for IP addresses. It was suggested that this
draft should contain some stronger language that would allow default
denial of certificate issuance for IP addresses. I think there should
definitely be some process for communicating these kinds of policy
decisions but I don't think this document is the right place for it, nor
do I think this document should attempt to dictate CA policy by
requiring something like this. I believe doing so would be a step back
for any CA implementing this document as they are all currently able to,
and many do, issue certificates for any IP address as long as a user is
able to prove control of it.

I believe we (or the IETF more generally) should instead focus on
developing standards for communicating a policy about issuance for IP
addresses to CAs such as a CAA lookup mechanism that can handle them
(i.e. something like
https://tools.ietf.org/html/draft-shoemaker-caa-ip-01; note this lacks
the tree climbing behavior which, after bouncing it around a bit, I've
come to the decision that it does actually require).

(I also totally forgot to incorporate the reference to 5952 for IPv6
textual representation, only saw my note about doing that after
submitting the docs, I'll make sure to resolve this in the next version!)

On 09/18/2017 12:15 PM, internet-drafts@ietf.org wrote:
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Automated Certificate Management Environment WG of the IETF.
> 
>         Title           : ACME IP Identifier Validation Extension
>         Author          : Roland Bracewell Shoemaker
>         Filename        : draft-ietf-acme-ip-01.txt
>         Pages           : 7
>         Date            : 2017-09-18
> 
> Abstract:
>    This document specifies identifiers and challenges required to enable
>    the Automated Certificate Management Environment (ACME) to issue
>    certificates for IP addresses.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-acme-ip/
> 
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-acme-ip-01
> https://datatracker.ietf.org/doc/html/draft-ietf-acme-ip-01
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-acme-ip-01
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> 

-- 
Roland Bracewell Shoemaker
Software Engineer
Linux Foundation / Internet Security Research Group
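An added illustration of the two technical points in the message above (not code from the draft, from Let's Encrypt, or from the IETF): the RFC 5952 textual form a CA would require for IPv6 identifier values, and a tree-climbing CAA lookup over an address's reverse-DNS name. It assumes that the CAA-for-IP mechanism looks records up under in-addr.arpa / ip6.arpa names and that the climb works like RFC 6844's, one label at a time, stopping below the .arpa suffix; both are assumptions here, not statements from the draft.

```python
import ipaddress


def canonical_ip(value: str) -> str:
    """Return the canonical textual form of an IP address.

    For IPv6 this is the RFC 5952 form (lowercase hex, leading zeros
    dropped, the longest run of zero groups compressed once with '::');
    Python's ipaddress module emits exactly that form. Raises ValueError
    for anything that is not a valid address.
    """
    return str(ipaddress.ip_address(value))


def is_canonical(value: str) -> bool:
    """True if an identifier value is a valid address already in
    canonical form, i.e. what a CA would accept in an ACME identifier."""
    try:
        return canonical_ip(value) == value
    except ValueError:
        return False


def reverse_name(value: str) -> str:
    """Reverse-DNS name for an address (in-addr.arpa or ip6.arpa)."""
    return ipaddress.ip_address(value).reverse_pointer


def caa_lookup_names(value: str) -> list[str]:
    """Names a CA would query for CAA records, most specific first.

    Assumption: the lookup climbs the reverse tree one label at a time,
    mirroring the RFC 6844 climb for hostnames, and stops before the
    two-label '.in-addr.arpa' / '.ip6.arpa' suffix itself.
    """
    labels = reverse_name(value).split(".")
    suffix_len = 2  # 'in-addr.arpa' or 'ip6.arpa'
    return [".".join(labels[i:]) for i in range(len(labels) - suffix_len)]


if __name__ == "__main__":
    # Constructed sample values from the documentation prefixes.
    for raw in ("2001:0DB8:0000:0000:0000:0000:0000:0001", "192.0.2.1"):
        print(raw, "->", canonical_ip(raw), "canonical:", is_canonical(raw))
        for name in caa_lookup_names(raw):
            print("  CAA?", name)
```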