Re: [Acme] Looking for comments on https://github.com/ietf-wg-acme/acme/issues/215

Richard Barnes <rlb@ipv.sx> Sat, 03 December 2016 22:42 UTC

From: Richard Barnes <rlb@ipv.sx>
Date: Sat, 03 Dec 2016 17:42:54 -0500
Message-ID: <CAL02cgS2k57pM+EgPv3VJzJU-zfFLSmNnSjOnxYf-Pko=OA=kg@mail.gmail.com>
In-Reply-To: <CABPsnA=gFpOKSnSd0c4FagQFBWiD8iCrxW8M22m5cO3kY0fPsQ@mail.gmail.com>
References: <0af93d402273472f9b54603f6aa73e5f@usma1ex-dag1mb1.msg.corp.akamai.com> <CABPsnA=gFpOKSnSd0c4FagQFBWiD8iCrxW8M22m5cO3kY0fPsQ@mail.gmail.com>
To: Patrick Figel <patrick@figel.email>
Cc: "Salz, Rich" <rsalz@akamai.com>, IETF ACME <acme@ietf.org>
Subject: Re: [Acme] Looking for comments on https://github.com/ietf-wg-acme/acme/issues/215
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/2Tqxf00PmE-yYVcxW_vXyF8Nl6E>

I find these objections pretty persuasive.  Inclined to WONTFIX.

On Sat, Dec 3, 2016 at 7:35 AM, Patrick Figel <patrick@figel.email> wrote:

> I wrote together some thoughts on this proposal here[1]. In short, I think
> it's vulnerable to the default vhost attack that caused simpleHTTP to be
> dropped, and it's not compatible with the "Agreed-Upon Change to Website"
> method described in the BRs, which would prevent adoption by any
> publicly-trusted CA.
>
> The proposed workaround for this issue[2] would make this a variant of
> tls-sni, AIUI, which already has these pseudo-hostnames, so I think we're
> down to "allow other ports" here, and I believe there's consensus against
> this.
>
> Patrick
>
> [1]: https://mailarchive.ietf.org/arch/msg/acme/QiXu84RJtURfGVVEYfSpRdtcU5o
> [2]: https://mailarchive.ietf.org/arch/msg/acme/NFKJ5sqBePGlJglKRwodc5m4ZEo
>
> On Sat, Dec 3, 2016 at 3:18 AM, Salz, Rich <rsalz@akamai.com> wrote:
> > With the couple of recent pull requests, the document editors are about
> > to close all but one issue, #215.
> >
> > Does the WG have any feelings on this?  Is it something we need to
> > address NOW, or can we add a new type of challenge later on if there’s
> > interest?
> >
> > Please reply on-list by early next week.
> >
> > --
> > Senior Architect, Akamai Technologies
> > Member, OpenSSL Dev Team
> > IM: richsalz@jabber.at Twitter: RichSalz
> >
> > _______________________________________________
> > Acme mailing list
> > Acme@ietf.org
> > https://www.ietf.org/mailman/listinfo/acme
> >