Re: [Acme] Why "HTTP verification"
Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 02 December 2014 19:44 UTC
Date: Tue, 02 Dec 2014 19:44:42 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: acme@ietf.org
Message-ID: <20141202194441.GA285@mournblade.imrryr.org>
References: <B80ACB30-1A35-440E-B250-AB8C80D1FAF1@vpnc.org> <CAK6vND-001PK0gP_3Txoge2hvYiKPuA+trd9zj7PzaooOOMH3A@mail.gmail.com>
In-Reply-To: <CAK6vND-001PK0gP_3Txoge2hvYiKPuA+trd9zj7PzaooOOMH3A@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/BBiScYgexy0C1mjDj95TzLSQqhw
On Tue, Dec 02, 2014 at 11:15:40AM -0800, Peter Bowen wrote:

> The primary case where I see a problem is when the site already has a
> trusted certificate and wants to use ACME to get a new certificate.
> They are unlikely to want to replace their working certificate with a
> self-signed certificate. So the proof would need to happen at the
> HTTP layer, not the TLS layer.

They can request a certificate for the same private key. The "self-signed" thing is not precise. The real requirement would be *some* certificate with the same key, not necessarily self-signed. So issued by another CA should be fine.

[ Nobody has taken me up on discussing the question of whether unauthenticated leap-of-faith by the CA is appropriate when the domain is DNSSEC signed. With signed domains, verification of actual DNS control is substantially stronger than the other methods (unauthenticated email, or unauthenticated HTTP). I hope this ultimately gets discussed. ]

-- 
Viktor.
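The "same key, any issuer" requirement above, written out as a check a CA could run against the certificate a server presents (added example, not code from the thread or from any ACME implementation; the CSR, the site key, the "Other CA" and the hostname example.com are all constructed test material):

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// SameKey: the served certificate must carry the CSR's public key; the issuer is irrelevant.
func SameKey(csr *x509.CertificateRequest, served *x509.Certificate) bool {
	a, errA := x509.MarshalPKIXPublicKey(csr.PublicKey)
	b, errB := x509.MarshalPKIXPublicKey(served.PublicKey)
	return errA == nil && errB == nil && bytes.Equal(a, b)
}

// mint builds a throwaway certificate for pub signed by signer (constructed
// test material, not a real CA); parent == nil means self-signed.
func mint(cn string, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

// Scenario plays out the thread's cases and reports which ones SameKey accepts:
// self-signed with the CSR key, issued by another CA with the CSR key, a different key.
func Scenario() (selfSigned, otherCA, differentKey bool) {
	siteKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "example.com"}}, siteKey)
	csr, _ := x509.ParseCertificateRequest(csrDER)
	ca := mint("Other CA", &caKey.PublicKey, nil, caKey) // the CA's own cert carries a different key
	selfSigned = SameKey(csr, mint("example.com", &siteKey.PublicKey, nil, siteKey))
	otherCA = SameKey(csr, mint("example.com", &siteKey.PublicKey, ca, caKey))
	differentKey = SameKey(csr, ca)
	return selfSigned, otherCA, differentKey
}
```

The comparison is on the DER SubjectPublicKeyInfo, so it works the same for RSA or EC keys and ignores every other field of the certificate.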