IETF Logo Mail Archive

Re: [Acme] Server on >= 1024 port

Peter Eckersley <pde@eff.org> Wed, 02 December 2015 22:03 UTC

Return-Path: <pde@mail2.eff.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12CE91B2E02 for <acme@ietfa.amsl.com>; Wed, 2 Dec 2015 14:03:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.012
X-Spam-Level:
X-Spam-Status: No, score=-7.012 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SbRa9NW7GFje for <acme@ietfa.amsl.com>; Wed, 2 Dec 2015 14:03:04 -0800 (PST)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F0B21B2DF5 for <acme@ietf.org>; Wed, 2 Dec 2015 14:03:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=In-Reply-To:Content-Transfer-Encoding:Content-Type:MIME-Version:References:Message-ID:Subject:Cc:To:From:Date; bh=2+wlM39dmGZ3bwzBytPDwrElEIBzXCne5sJwj6uCmfo=; b=JIhqfSt6fp/zDyCnzsEWqk9x+Qs/vrYZBdiTnoDhps5iHsnn628241w2POPdufS0HRbcq4mF48vjteer7uNf4xVzhM58n/5EyjkupQubtyRn4KwiXEG+zMR3qtIIpj1vuOWabzHMG2wD/lH+TiOH6hOcD2AmZ7mYa1gOBXi6IkU=;
Received: ; Wed, 02 Dec 2015 14:03:02 -0800
Date: Wed, 02 Dec 2015 14:03:02 -0800
From: Peter Eckersley <pde@eff.org>
To: Ted Hardie <ted.ietf@gmail.com>
Message-ID: <20151202220302.GA18430@eff.org>
References: <565589E4.2030107@desy.de> <565EBF56.3070502@desy.de> <D836A378-DA88-4AAF-B1E4-F34A80319DC1@gmail.com> <e9092589f3204a449af8b6f900be1303@usma1ex-dag1mb1.msg.corp.akamai.com> <CAL02cgQPZrx5d1xO-xKEQrV+pZKLkhYW_XDSm=QM8THs__s5qQ@mail.gmail.com> <CA+9kkMDfmtA9YtqjCxWcV3ZLUoeq4PYOCcPEHWMiGBc4W2HV_A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CA+9kkMDfmtA9YtqjCxWcV3ZLUoeq4PYOCcPEHWMiGBc4W2HV_A@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/B4TVg-eePQtgqVjnl7LL0nmTPJU>
Cc: Richard Barnes <rlb@ipv.sx>, Paul Millar <paul.millar@desy.de>, "acme@ietf.org" <acme@ietf.org>, Yoav Nir <ynir.ietf@gmail.com>, "Salz, Rich" <rsalz@akamai.com>
Subject: Re: [Acme] Server on >= 1024 port
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2015 22:03:06 -0000

On Wed, Dec 02, 2015 at 08:51:54AM -0800, Ted Hardie wrote:
 >
> ​There was discussion about registering a port specifically for ACME
> challenges, so that a running server on 80/443 did not have to be changed
> during ​the challenge.  That would be a privileged port, and we could
> define the semantics for the challenges there to be similar to the 443
> challenge (essentially a TLS-based challenge on a different, well-known
> port).
> 
> I did not see consensus for this approach, but I also didn't detect the
> same opposition to it that other approaches attracted.  If folks are
> interested in supporting this approach, I'd suggesting writing a draft
> which describes the challenge and proposes registration; that would give us
> a more concrete understanding of whether the effort to support this would
> be appropriate for the number of installations which would use it.

I'm at present quite supportive of this approach for adding a single
specific port <1024 that is supported for DV challenges, and I thought that
in fact past discussions on this list had reached that as a likely
conclusion.  

Are there any strong arguments against having the protocol support this
use case for CAs that want to offer it?

-- 
Peter Eckersley                            pde@eff.org
Chief Computer Scientist          Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993

v2.23.0 | Report a Bug | By Email