Re: [Acme] kinds of proof

Paul Hoffman <paul.hoffman@vpnc.org> Fri, 28 November 2014 22:39 UTC

From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <20141128223122.GF3200@localhost>
Date: Fri, 28 Nov 2014 14:39:35 -0800
Message-Id: <97EF4983-0A20-4030-9958-087FC93677A1@vpnc.org>
References: <CAL02cgTgpjQffow2XuaNuT7BtqYVttXdVUgyqBFbsAbN4g0VzQ@mail.gmail.com> <DEC7A8A8-563D-41B3-94AC-71DC7219D3F8@cisco.com> <m27fyg4yzg.wl%randy@psg.com> <547754C0.9050306@cs.tcd.ie> <20141127211348.GE25114@mournblade.imrryr.org> <54784C61.2080508@cs.tcd.ie> <20141128170917.GC285@mournblade.imrryr.org> <88B49E1D-1601-4B86-8D93-14CF71501DFC@vpnc.org> <20141128213724.GG285@mournblade.imrryr.org> <7261AA75-5912-4514-A393-94F602C941C2@vpnc.org> <20141128223122.GF3200@localhost>
To: Nico Williams <nico@cryptonector.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/4lDeudl8LMiW_FUaUSPEr_eaHWQ
Cc: acme@ietf.org
Subject: Re: [Acme] kinds of proof

On Nov 28, 2014, at 2:31 PM, Nico Williams <nico@cryptonector.com> wrote:
> 
> On Fri, Nov 28, 2014 at 01:57:55PM -0800, Paul Hoffman wrote:
>> On Nov 28, 2014, at 1:37 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
>>> It is far from clear to me that every "shell" user of a machine
>>> should be authorized to obtain certificates for the whole machine.
>> 
>> And it is clear to me that they should be, if we want to see more
>> encryption of traffic. I have no problem with some CAs saying "we'll
>> issue you a cert only if you control port X", but I absolutely want
>> that to be a policy of the CA, not of the enrollment protocol.
> 
> The user should be able to represent all services on that host just by
> having a shell on it?  

Sure. That's the way it is today for many CAs.

> If certs could be limited by port the user could
> get one for the ports he/she is allowed to listen on, but...

But... what? They have been able to be for well over a decade, and yet few if any CAs choose to restrict them that way. If you want to only accept certs that have that restriction, you are free to. You just won't find many certs from major CAs like that...

--Paul Hoffman