Re: [Acme] Server on >= 1024 port

Niklas Keller <me@kelunik.com> Wed, 02 December 2015 16:50 UTC

To: Richard Barnes <rlb@ipv.sx>, "Salz, Rich" <rsalz@akamai.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/6sWaJbwgovY7hAxh6OWbRQYWAFU>
Cc: Paul Millar <paul.millar@desy.de>, "acme@ietf.org" <acme@ietf.org>, Yoav Nir <ynir.ietf@gmail.com>

In order to validate domain ownership, we would have to have some DNS
record dictating the port. Otherwise there's no difference between 443 and
any other privileged port.

Regards, Niklas

Richard Barnes <rlb@ipv.sx> wrote on Wed., 2 Dec. 2015 16:17:

> I agree that we're converging on some rough consensus, but I would
> frame it (again) slightly differently:
>
> 1. ACME needs to validate domain control, not domain+port control,
> because (1) there is no current mechanism for issuing certificates for
> domain+port (vs. just domain), and (2) the primary use cases for ACME
> right now (DV certs, and possibly OV/EV) don't have any notion of
> ports.
>
> 2. Thus the port used for validation needs to be one such that control
> of the port is effectively control of the domain.
>
> If you look at what CAs do today, that basically means the port is
> 80/443.  More generally, it means that the port needs to be specified
> by the challenge mechanism and not by the client.
>
> So that leaves us with 80/443 for the challenges we have today.  If
> people want to define, say, a CalDAV challenge, they can argue for a
> new challenge type, but ISTM it'll be a hard sell.
>
> It's also worth noting that just because we define challenge types
> doesn't mean any particular CA will support them (that's the point of
> extensibility).  For example, Let's Encrypt doesn't support the
> "dns-01" challenge.
>
> --Richard
>
>
> On Wed, Dec 2, 2015 at 9:43 AM, Salz, Rich <rsalz@akamai.com> wrote:
> > Speaking as co-chair, I think Yoav's summary is more accurate.  The
> > consensus in the room at Yokohama was that there is not real support for
> > other than 443, but that we need to discuss this on the list "one last
> > time." I think closing discussion is a bit premature, but at this point
> > there seems rough consensus to not require other than 443.
> >
> > _______________________________________________
> > Acme mailing list
> > Acme@ietf.org
> > https://www.ietf.org/mailman/listinfo/acme
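The rule the thread converges on (the challenge type fixes the validation port; the client gets no say, and a domain+port identifier is not a thing a CA can certify) written out as a small server-side check. This is an added illustration, not code from the ACME drafts, Let's Encrypt or anyone on the thread; the port mapping is an assumption modelled on the challenge types of the 2015 drafts.

```python
"""Resolve where an ACME server validates a challenge.

Added illustration for the thread above (not code from the ACME drafts or
any CA): the challenge type, not the client, fixes the validation port, and
an identifier that smuggles a port (e.g. "example.com:8443") is refused,
because control of an arbitrary port does not prove control of the name.
"""
import re

# Assumed mapping, modelled on the challenge types in the 2015 drafts.
# dns-01 has no validation port and so is deliberately absent.
CHALLENGE_PORT = {
    "http-01": 80,
    "tls-sni-01": 443,
}

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def parse_dns_identifier(value):
    """Return a normalised hostname, or raise ValueError.

    Only a plain DNS name is accepted: embedded ports, URL schemes, paths,
    wildcards and IP literals are refused, since the thing being certified
    is a domain, not a domain+port.
    """
    if not isinstance(value, str) or not value:
        raise ValueError("empty identifier")
    if "://" in value or "/" in value:
        raise ValueError("identifier must be a bare hostname, not a URL")
    if ":" in value:
        raise ValueError("identifier must not carry a port or be an IP literal")
    host = value.rstrip(".").lower()
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        raise ValueError("not a valid DNS name: %r" % value)
    if all(l.isdigit() for l in labels):
        raise ValueError("IP literals are not DNS identifiers")
    return host


def validation_target(identifier, challenge_type):
    """Return (host, port) the CA connects to; the port is fixed by the
    challenge type, so there is nothing the client can set to steer it."""
    host = parse_dns_identifier(identifier)
    if challenge_type not in CHALLENGE_PORT:
        raise ValueError("unsupported challenge type: %r" % challenge_type)
    return host, CHALLENGE_PORT[challenge_type]
```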