[Acme] acme-ip reverse-dns discussion
Roland Bracewell Shoemaker <roland@letsencrypt.org> Wed, 21 March 2018 20:56 UTC
From: Roland Bracewell Shoemaker <roland@letsencrypt.org>
Message-Id: <7CCF097B-27FE-43DA-8A46-2378ACB8B668@letsencrypt.org>
Date: Wed, 21 Mar 2018 20:55:59 +0000
To: acme@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/7IP6kVYW6djmrammp19D_kRVUTg>
Subject: [Acme] acme-ip reverse-dns discussion
Hey all,

Following on from the meeting today I wanted to start a discussion on what to do moving forward with regard to the reverse-dns method defined in draft-ietf-acme-ip. There were arguments on both sides about whether the method should be retained or removed, which I’ll quickly paraphrase (if you feel I’ve misrepresented either, please correct me).

The argument for removing this was that there are no technical issues with the method as-is, but that the reverse DNS zones are historically badly managed and that using them for validation will cause problems down the line (presumably misissuance by a person who controls the zone but doesn’t actually control the IPs the zone represents).

The argument for keeping it is that the IETF (or more specifically the ACME WG) should not be where CA or browser policy is dictated, and that given these methods are currently allowed under the CABF BRs and browser root programs, it would actually be useful to have a technically defined method for validation that can at least be used as a tool for further research on the topic.

As stated at the meeting, I’m of the opinion that we should move forward with the method in the document, and if individual browsers or CABF feel strongly that these methods are not secure they should disallow their usage in their root programs or the BRs respectively, which would prevent any CA from actually using the method. That said, there was obviously a contingent of people who disagree with me on this.

I guess one thing to ask is: do we have anyone who would actually _want_ to use this? My understanding is the main use case, much like for the dns-01 challenge, is to get certs for IP identifiers before actually having to stand anything up on a machine, so that it can instantly start doing its job, which seems valuable.

Thanks,
Roland
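The misissuance scenario Roland paraphrases (a party who controls the reverse zone but not the addresses it covers) can be made concrete with a small model of a reverse-DNS style validation run over a constructed in-memory DNS. This is an added example, not code from draft-ietf-acme-ip, Let's Encrypt or the mailing list; the concrete steps it assumes (resolve the PTR for the IP, then look for the challenge digest in a TXT record at `_acme-challenge.<ptr-name>`, as dns-01 does for names) and the optional forward-confirmation check (the PTR target's A/AAAA must include the IP) are assumptions made for illustration, and all names and addresses are constructed documentation values.

```python
"""Model of a reverse-DNS based IP validation over a constructed DNS table.

Added example; not from draft-ietf-acme-ip or the ACME list. The record
layout (PTR -> _acme-challenge TXT) and the forward-confirmation step are
assumptions chosen to illustrate the risk discussed in the thread.
"""
import ipaddress

# Constructed DNS data: (owner name without trailing dot, rrtype) -> rdata list.
V6_OPERATOR = ipaddress.ip_address("2001:db8::1")
DNS = {
    # Legitimate operator: reverse and forward zones agree.
    ("20.2.0.192.in-addr.arpa", "PTR"): ["host.example.com"],
    ("host.example.com", "A"): ["192.0.2.20"],
    ("_acme-challenge.host.example.com", "TXT"): ["digest-for-host"],
    # Reverse-zone controller who does not control 192.0.2.10 itself: the PTR
    # points at a name they own, whose forward record is some other address.
    ("10.2.0.192.in-addr.arpa", "PTR"): ["attacker.example.net"],
    ("attacker.example.net", "A"): ["203.0.113.5"],
    ("_acme-challenge.attacker.example.net", "TXT"): ["digest-for-10"],
    # IPv6 operator, again with agreeing reverse and forward data.
    (V6_OPERATOR.reverse_pointer, "PTR"): ["v6.example.org"],
    ("v6.example.org", "AAAA"): ["2001:db8::1"],
    ("_acme-challenge.v6.example.org", "TXT"): ["digest-v6"],
}


def lookup(name, rrtype):
    """Resolve a record set from the constructed table (empty list if absent)."""
    return DNS.get((name.rstrip("."), rrtype), [])


def validate_reverse_dns(ip, expected_digest, forward_confirm=True):
    """Return (ok, reason) for a reverse-DNS style validation of `ip`.

    With forward_confirm=False the check trusts the PTR alone, which is what a
    reverse-zone controller who does not hold the address could exploit. With
    forward_confirm=True the PTR target must also resolve back to `ip`.
    """
    addr = ipaddress.ip_address(ip)
    ptrs = lookup(addr.reverse_pointer, "PTR")
    if len(ptrs) != 1:
        return False, "expected exactly one PTR record for %s" % addr.reverse_pointer
    name = ptrs[0]

    if forward_confirm:
        fwd_type = "AAAA" if addr.version == 6 else "A"
        forward = [ipaddress.ip_address(v) for v in lookup(name, fwd_type)]
        if addr not in forward:
            return False, "forward %s for %s does not include %s" % (fwd_type, name, ip)

    if expected_digest not in lookup("_acme-challenge." + name, "TXT"):
        return False, "challenge TXT not found under %s" % name
    return True, "validated %s via PTR name %s" % (ip, name)


if __name__ == "__main__":
    for ip, digest, fc in [
        ("192.0.2.20", "digest-for-host", True),
        ("192.0.2.10", "digest-for-10", False),   # naive check: passes
        ("192.0.2.10", "digest-for-10", True),    # forward-confirmed: fails
        ("2001:db8::1", "digest-v6", True),
        ("192.0.2.99", "anything", True),         # no PTR at all
    ]:
        print(ip, "forward_confirm=%s" % fc, validate_reverse_dns(ip, digest, fc))
```

The second and third cases are the point of the model: the same reverse-zone data passes when the validator trusts the PTR alone and is rejected once the PTR target has to resolve back to the address, which is the kind of policy question (who is allowed to rely on reverse zones, and under what extra checks) the thread is about.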
- [Acme] acme-ip reverse-dns discussion Roland Bracewell Shoemaker
- Re: [Acme] acme-ip reverse-dns discussion Alan Doherty
- Re: [Acme] acme-ip reverse-dns discussion Eric Rescorla
- Re: [Acme] acme-ip reverse-dns discussion Roland Bracewell Shoemaker
- Re: [Acme] acme-ip reverse-dns discussion Alan Doherty
- Re: [Acme] acme-ip reverse-dns discussion Michael Casadevall
- Re: [Acme] acme-ip reverse-dns discussion Matthew D. Hardeman
- Re: [Acme] acme-ip reverse-dns discussion Michael Casadevall
- Re: [Acme] acme-ip reverse-dns discussion Alan Doherty
- Re: [Acme] acme-ip reverse-dns discussion Alan Doherty
- Re: [Acme] acme-ip reverse-dns discussion Alan Doherty
- Re: [Acme] acme-ip reverse-dns discussion Patrick Mevzek
- Re: [Acme] acme-ip reverse-dns discussion James Cloos
- Re: [Acme] acme-ip reverse-dns discussion Alan Doherty