Re: [Acme] Issuing certificates based on Simple HTTP challenges
Phillip Hallam-Baker <phill@hallambaker.com> Tue, 15 December 2015 21:17 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 362D21ACE70 for <acme@ietfa.amsl.com>; Tue, 15 Dec 2015 13:17:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y3lRkgvLN1x0 for <acme@ietfa.amsl.com>; Tue, 15 Dec 2015 13:17:05 -0800 (PST)
Received: from mail-lb0-x235.google.com (mail-lb0-x235.google.com [IPv6:2a00:1450:4010:c04::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39A271ACE57 for <acme@ietf.org>; Tue, 15 Dec 2015 13:17:05 -0800 (PST)
Received: by mail-lb0-x235.google.com with SMTP id kw15so13999571lbb.0 for <acme@ietf.org>; Tue, 15 Dec 2015 13:17:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=9wfuzU0PxpBhMH/0I937pA+7BEWGlXy6cHQVgljsR8g=; b=m/tvTIFwl89QoZQSFAtYQUYOmZj0YCKu0QtGzYvD0e1FR5WBBR03rZIG7EacRfkNxu Gsc/JGAap8TmFbNEdpv7t+G6v6IzDV4L/BbAbI+/f1zetKcABHH1e/twqu7HI/zvEmiB HS8Au8t6fSUMFQze4lFBRgnLshdVn6Jvc6RqFkNUDD/aT8CAMioGkoAaVAQWJvYflBtf IPi1/VinWdb7V3Wll9bhJwqqDqXHnazkrYfWKY9nCA+ttyuBWZ52uJaMpUI3cgpQuFxm RFVD+nkzg9sIcLpOhzZ1csgAWZYfzi4G9tVG61cM2ObO0kCLNF+9V9D6SsktqytIfP7g Uj0A==
MIME-Version: 1.0
X-Received: by 10.112.54.193 with SMTP id l1mr16336821lbp.58.1450214223413; Tue, 15 Dec 2015 13:17:03 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.1.227 with HTTP; Tue, 15 Dec 2015 13:17:02 -0800 (PST)
In-Reply-To: <2761E0B2-8DCC-4150-813F-8CAB756C0392@coderanger.net>
References: <CAF+SmEpOLoaREymVhi=qOUg2opz1vKzzNp6tGrDTZAjYSKFDkg@mail.gmail.com> <566F15DC.7090607@wyraz.de> <6B677A87-C6A0-485E-80DF-24960D585F46@coderanger.net> <566F2CB5.90402@wyraz.de> <89774336-0BA6-48FC-821D-1E8F3ED9AC14@coderanger.net> <566F4701.7050308@wyraz.de> <F3DA31B1-B27C-4C63-8ED4-6D27D46FF282@coderanger.net> <C2C239F2-E8A7-499B-BE52-3A48EA92B86D@dropmann.org> <BF7F8411-3E83-4A1F-B3A1-4C37DC8B4618@coderanger.net> <3CDE1749-3143-49EE-BD66-0AE4A8CC4175@dropmann.org> <566FDAB7.2030403@cs.tcd.ie> <56700F68.3040103@wyraz.de> <56701904.2070009@cs.tcd.ie> <56702EFA.1050008@wyraz.de> <13B5E9A8-E9CE-4018-8A9D-7856CBF06B4F@coderanger.net> <CAMm+Lwhvf+nRVV38q1U1DKm1WStV1UJv4+EJ_zvq0G_Tb25S9w@mail.gmail.com> <2761E0B2-8DCC-4150-813F-8CAB756C0392@coderanger.net>
Date: Tue, 15 Dec 2015 16:17:02 -0500
X-Google-Sender-Auth: e5XDOOiAiugTpEAgTqZ_lk2E3Tc
Message-ID: <CAMm+LwicCES0QrZmTDmBo9WX6tsR4ihyvbLG5m=Lxpm_69qY6g@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Noah Kantrowitz <noah@coderanger.net>
Content-Type: multipart/alternative; boundary="001a11c3a914a288890526f64f80"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/69qQZgvsxwTL81x28tizTe23maI>
Cc: "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] Issuing certificates based on Simple HTTP challenges
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Dec 2015 21:17:07 -0000
On Tue, Dec 15, 2015 at 2:41 PM, Noah Kantrowitz <noah@coderanger.net> wrote: > > > On Dec 15, 2015, at 9:48 AM, Phillip Hallam-Baker <phill@hallambaker.com> > wrote: > > > > > > > > On Tue, Dec 15, 2015 at 12:25 PM, Noah Kantrowitz <noah@coderanger.net> > wrote: > > > > > On Dec 15, 2015, at 7:17 AM, Michael Wyraz <michael@wyraz.de> wrote: > > > > > > Stephen, > > >> Yes, I understand that and didn't actually refer to LE at all in my > mail. > > > I'm sorry if I missunderstood you with that. > > > > > >> Basically, IMO only after we first get a "now" that works > > > We have a working HTTP-01 spec, implementation and CA. What's missing > > > for "a 'now' that works"? > > > > > >> Personally the optional thing in which I'm much more interested is a > > >> simple put-challenge-in-DNS one where the CA pays attention to DNSSEC, > > >> since that's the use-case I have and that would provide some better > > >> assurance to the certs acquired via acme. I can see that there might > > >> also be value for some (other) folks in SRV if it means no need to > > >> dynamically change DNS. But, if someone is saying "we must all do > > >> these more complex things for security reasons" then they are, in this > > >> context, wrong. And my mail was reacting to just such a statement. > > > Why not just placing a static public key to DNS that is allowed to sign > > > ACME requests for this domain? Simple, no need for dynamic updates > (yes, > > > it's standardized for years but AFAIK not seen very often in real world > > > scenarios). > > > > Anything that makes deployment _harder_ than the current LE client is a > move in the wrong direction. UX matters, with security more than just about > anything else. Unless you can propose a user flow to go with this change, > no amount of hypothetical correctness is worth having a tool no one will > use. > > > > Harder for whom? > > > > The current scheme isn't going to work for any geolocation based systems > and is a terrible fit for enterprise. > > I think this is a bit of a red herring on a few fronts. You can use > http-01 or similar strategies on a widely-replicated system, it is just > annoying because you need to push the challenge response file to a bunch of > places. If the geo-distributed piece is a CDN, the system is already > designed to smash caches effectively so that is handled. Still, that is > gross and a lot of work, but fortunately there is already a DNS challenge > in the works that will help for some cases. > And is likely to be challenged by the IPR holder. Keys in the DNS has prior art. It is also rather simpler to implement.
- [Acme] Issuing certificates based on Simple HTTP … Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… moparisthebest
- Re: [Acme] Issuing certificates based on Simple H… Ilari Liusvaara
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Ilari Liusvaara
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Peter Bowen
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Kim Alvefur
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Kim Alvefur
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Richard Barnes
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Richard Barnes
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Peter Bowen
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell