Re: [Acme] ACME draft is now in WGLC.

Richard Barnes <rlb@ipv.sx> Tue, 14 March 2017 18:25 UTC

In-Reply-To: <20170314162425.GA13868@andover.lhh.devever.net>
From: Richard Barnes <rlb@ipv.sx>
Date: Tue, 14 Mar 2017 14:24:56 -0400
Message-ID: <CAL02cgQW5434JjEvZzBp_X1+ViuiK5A2gd_Az7rw6H4DifyjZA@mail.gmail.com>
To: Hugo Landau <hlandau@devever.net>
Cc: "Salz, Rich" <rsalz@akamai.com>, "acme@ietf.org" <acme@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/9tzZUCIM14GXbVCwBcslxX6BZcI>
Subject: Re: [Acme] ACME draft is now in WGLC.

On Tue, Mar 14, 2017 at 12:24 PM, Hugo Landau <hlandau@devever.net> wrote:

> > > The CAA check is/was easy to make and crippling it
> > > by not making it a requirement was IMNSHO a mistake.
> > ...
> > > I urge the WG to reconsider.
> >
> > Does anyone else agree with Viktor?  Please speak up on the list this
> week if so.
>
> I'd agree that the CAA check should be made mandatory. At least, I can't
> think of any good reason why it shouldn't be.
>

I very strongly disagree.  What checks the CA does before issuing is up to
the CA's policy.  This document provides tools for CAs to do those checks;
it does not constrain what CAs do.
> I'd also agree that the use of a DNSSEC-validating resolver accessed via
> a trusted network (preferably localhost) should be mandatory.
>

Likewise.

--Richard