Re: [Acme] Issue: Allow ports other than 443

Yoav Nir <ynir.ietf@gmail.com> Thu, 26 November 2015 11:27 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <5656E66B.3000803@cs.tcd.ie>
Date: Thu, 26 Nov 2015 13:27:13 +0200
Message-Id: <9DCF723A-8CE9-4732-9DEA-ED7EEBA362A9@gmail.com>
References: <5e9b22a3942d4a39981878b13e4a7752@usma1ex-dag1mb1.msg.corp.akamai.com> <0630035C-E4F6-41AA-A339-7101B448F0FA@vigilsec.com> <CABkgnnUxSwMmOR=QVE-gMvj9dHW6Tk2Z=EO7RDx6E5zVAp_SrQ@mail.gmail.com> <20151124033325.GH18430@eff.org> <56545B4C.3020406@cisco.com> <CAMm+Lwg-MktfPZ0TkRgKsTan2dzDSHuaRsrCcfF-Y-HY6aTKmw@mail.gmail.com> <5656C49E.6070701@cisco.com> <5656E66B.3000803@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/ACS6s-CZ27gS30DQBaLXGwG1yis>
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, Eliot Lear <lear@cisco.com>, IETF ACME <acme@ietf.org>, Russ Housley <housley@vigilsec.com>, Peter Eckersley <pde@eff.org>, Martin Thomson <martin.thomson@gmail.com>
Subject: Re: [Acme] Issue: Allow ports other than 443

> On 26 Nov 2015, at 1:00 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> 
> 
> On 26/11/15 08:36, Eliot Lear wrote:
>> Yes.  The real issue here is that the cert contains the hostname and not
>> the port. 
> 
> So one could define a new always-critical certificate extension
> saying that the cert is only for use with some set of ports. (Or
> maybe someone's already defined it, I forget;-)

An extension - not that I know of, but as was mentioned in the other thread, there’s the URI subject alternate name. However, no current browsers look at this field, so the URI SAN provides no security from the privilege escalation. OTOH a critical extension would block *all* existing browsers from relying on such a certificate, with the only remedy being “Let’s Not Encrypt”.

It might be OK if the extension was added only to certificates issued to those who could not meet the challenge on port 443, but I still prefer to not go there.

Yoav
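The two mechanisms compared in the message, a URI SAN that carries the port and a critical certificate extension that restricts ports, can be exercised with the Go standard library's crypto/x509. The program below is an added example; it is not code from Yoav Nir's message, the ACME working group or any browser. The extension OID `1.3.6.1.4.1.99999.1`, its SEQUENCE OF INTEGER encoding and the host name `example.test` are assumptions constructed for the example. It issues a self-signed certificate with a dNSName SAN plus a URI SAN `https://example.test:8443`, then shows that hostname verification matches on the DNS name alone (the port in the URI SAN is never consulted), and that once the port restriction is added as a critical extension, a relying party that does not know the extension rejects the certificate outright, as RFC 5280 section 4.2 requires.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Hypothetical OID for a "permitted ports" extension. Nothing like it is
// registered; it stands in for the extension sketched in the thread.
var oidPermittedPorts = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// issueSelfSigned builds a self-signed server certificate for host that carries
// a dNSName SAN (what browsers match), a URI SAN with the port (what they ignore)
// and, when restrict is true, the hypothetical ports extension marked critical.
func issueSelfSigned(host string, port int, restrict bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{host},
		URIs:         []*url.URL{{Scheme: "https", Host: fmt.Sprintf("%s:%d", host, port)}},
	}
	if restrict {
		// Constructed encoding: SEQUENCE OF INTEGER listing the permitted ports.
		value, err := asn1.Marshal([]int{port})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidPermittedPorts, Critical: true, Value: value}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostnameMatches is the check browsers actually perform: dNSName SANs against the
// host part of the URL. The port plays no role, which is the escalation concern.
func hostnameMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// uriSANPorts returns the ports carried in URI SANs. The information is present
// in the certificate, but hostname verification never consults it.
func uriSANPorts(cert *x509.Certificate) []string {
	var ports []string
	for _, u := range cert.URIs {
		if p := u.Port(); p != "" {
			ports = append(ports, p)
		}
	}
	return ports
}

// validate runs path validation the way a relying party that has never heard of the
// ports extension does. RFC 5280 section 4.2 requires rejecting any unrecognised
// critical extension, which is why "always-critical" locks out existing browsers.
func validate(cert *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert) // trust the self-signed cert directly; the chain is just the leaf
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// isUnhandledCritical reports whether validation failed specifically because of an
// unrecognised critical extension rather than for some other reason.
func isUnhandledCritical(err error) bool {
	var target x509.UnhandledCriticalExtension
	return errors.As(err, &target)
}

func main() {
	for _, restrict := range []bool{false, true} {
		cert, err := issueSelfSigned("example.test", 8443, restrict)
		if err != nil {
			panic(err)
		}
		fmt.Printf("critical ports extension=%v: hostname match=%v, URI SAN ports=%v, validation error=%v\n",
			restrict, hostnameMatches(cert, "example.test"), uriSANPorts(cert), validate(cert, "example.test"))
	}
}
```

Run it as-is to see both outcomes side by side: the plain certificate validates and matches on `example.test` regardless of the port, while the restricted one fails with an unhandled-critical-extension error before any port logic could even run. Go's verifier is standing in for a browser here; any RFC 5280 conformant implementation that has not been taught the extension behaves the same way, which is the remedy-free failure mode the message warns about.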