Re: [Acme] kinds of proof

Viktor Dukhovni <> Sat, 29 November 2014 22:11 UTC

On Sat, Nov 29, 2014 at 09:22:08AM -0800, Paul Hoffman wrote:

> > Paul, do you have any examples of CAs that accept any port, or are
> > you in part making that up?

Sorry about that; it was intended to be a harmless off-the-cuff question,
a poor choice of words no doubt.

> When I got a cert for my POP server, what-used-to-be-Verisign
> required the proof of control to be on a port that was not 80.

So they did DV not by email verification, or HTTP, but rather
actually connected to a POP server or similar?

It seems to me that control over something other than ports 25, 80
or 443 is a rather risky choice, and at some point one actually
needs to verify domain control, rather than some arbitrary TCP
endpoint on the host.

> However, "does someone allow it" is completely different than "should this
> new protocol force a business model on all CAs". In the specific case I
> am thinking about, I want a server that will run DNS over TCP to be able
> to get a certificate with ACME. For that, the ability to control port 80
> on the host is completely irrelevant. The same would be true for IMAP and
> POP servers. There are plenty of non-web uses of TLS where ACME could be
> useful; hobbling the protocol to be web-only seems premature.

Sure, and the domain owner can field servers on whatever port he/she
wishes after demonstrating control over the domain, which to me
means control over the DNS (be it direct, or indirect via whoever
administers the DNS).