[Acme] Remove "Proof of possession" challenge?

Richard Barnes <rlb@ipv.sx> Mon, 28 December 2015 21:57 UTC

Date: Mon, 28 Dec 2015 16:57:57 -0500
Message-ID: <CAL02cgQPYG4r=mnhfacaL+vrjNS=Ug-jfiF-fOFgnWNX_RfL7g@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: "acme@ietf.org" <acme@ietf.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/38_cBKvYrc1iLojqOKTRo9BTtyQ>

Hey ACME folks,

I just updated the editor's draft to change the name of the "proof of
possession of a prior key" challenge to "proof-of-possession-01" (from
"proofOfPossession-01").  But that got me thinking -- do we actually
need this challenge?

If I recall correctly, this was added to the initial version of the
spec because some folks from Let's Encrypt thought that they would use
it as an extra check for high-value domains with known, existing
certificates.  However, they don't seem to have gotten around to
implementing it.

Is anyone aware of CAs out there that would use
"proof-of-possession-01"?  That is, CAs that keep track of existing
certificates and require an applicant for a domain with an existing
cert to prove that they hold the corresponding private key?

If not, maybe we can streamline the spec by removing that challenge
type.  It can always get re-added in a future spec if there turns out
to be a need.

--Richard