Re: [Acme] Issuing certificates based on Simple HTTP challenges
Julian Dropmann <julian@dropmann.org> Wed, 16 December 2015 09:22 UTC
Return-Path: <julian@dropmann.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C092A1ACD2A for <acme@ietfa.amsl.com>; Wed, 16 Dec 2015 01:22:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sifOjgpuYhRv for <acme@ietfa.amsl.com>; Wed, 16 Dec 2015 01:22:55 -0800 (PST)
Received: from mail-lb0-x242.google.com (mail-lb0-x242.google.com [IPv6:2a00:1450:4010:c04::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 207861ACD2B for <acme@ietf.org>; Wed, 16 Dec 2015 01:22:54 -0800 (PST)
Received: by mail-lb0-x242.google.com with SMTP id u9so282359lbp.2 for <acme@ietf.org>; Wed, 16 Dec 2015 01:22:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dropmann.org; s=dkim1; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Qk5u5PI9Ip8n7mp4UJ+pTCEBOPEL1ZoyUVIZ3k53FcA=; b=KMYw5PQ2DzvpOEc0ZkWQeuNgwM0vZ8o4L15jwtyy9JTdh/JSZj4FF6rMmfuHNYV2rc Qclt3gvumlolECSJ9osh/ZGHS+XxZgy7BQvPXNQaz7nIXg1xMNn/sEnwxlA03zXB5nHQ nol2sFrcfCcd64c29Rj9f2XKNuI9hsvmNUK0U=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=Qk5u5PI9Ip8n7mp4UJ+pTCEBOPEL1ZoyUVIZ3k53FcA=; b=k/vUDcg4d7bcFYQPIrcmHri1AO1OU/+EiJvs0iJSkknmeQIzANY5JHFF03wBh3oecu tvjvGUUaRZbEJQyl8ItuhdHMZxetLoPhU9o5XHbj4Ca8Bp8UhoyVFXbXxcmcV+cOsYKK wo/FWrq/6zXTA/SYvc1s7XUGldRe4eCs6P0DL3UyJhArQ4WCxoMV5Evy3bfpejL4yNsf 9ccJw2Q8vqkCUI//ccR9hvfh2WsLa6kXeGPnpjXg1ndzRtipuxf3Rjkg8A+TInPn4OFL uaeDYDjZv5B2FPmO8enji4VnF0Eq4quliO8BDddxJwjruIbGW/FsCdBHEtrBnUg5lOD4 gClA==
X-Gm-Message-State: ALoCoQks1N2hm8vdOjO6xVWMtYhBzyqP6u7Ca/LqzfBzqxDYBFJzBRmmsNIvA9wSacok5MSEtxKv8j+7u6DXTFvp0146n4Kdkw==
MIME-Version: 1.0
X-Received: by 10.112.242.167 with SMTP id wr7mr15193573lbc.69.1450257773105; Wed, 16 Dec 2015 01:22:53 -0800 (PST)
Received: by 10.25.39.2 with HTTP; Wed, 16 Dec 2015 01:22:52 -0800 (PST)
X-Originating-IP: [62.154.225.234]
In-Reply-To: <5670CBD6.5080000@cs.tcd.ie>
References: <CAF+SmEpOLoaREymVhi=qOUg2opz1vKzzNp6tGrDTZAjYSKFDkg@mail.gmail.com> <566F15DC.7090607@wyraz.de> <6B677A87-C6A0-485E-80DF-24960D585F46@coderanger.net> <566F2CB5.90402@wyraz.de> <89774336-0BA6-48FC-821D-1E8F3ED9AC14@coderanger.net> <566F4701.7050308@wyraz.de> <F3DA31B1-B27C-4C63-8ED4-6D27D46FF282@coderanger.net> <C2C239F2-E8A7-499B-BE52-3A48EA92B86D@dropmann.org> <BF7F8411-3E83-4A1F-B3A1-4C37DC8B4618@coderanger.net> <3CDE1749-3143-49EE-BD66-0AE4A8CC4175@dropmann.org> <566FDAB7.2030403@cs.tcd.ie> <56700F68.3040103@wyraz.de> <56701904.2070009@cs.tcd.ie> <56702EFA.1050008@wyraz.de> <13B5E9A8-E9CE-4018-8A9D-7856CBF06B4F@coderanger.net> <CAMm+Lwhvf+nRVV38q1U1DKm1WStV1UJv4+EJ_zvq0G_Tb25S9w@mail.gmail.com> <2761E0B2-8DCC-4150-813F-8CAB756C0392@coderanger.net> <174B082E-2721-41AE-992D-2937DCCB74CB@dropmann.org> <5670CBD6.5080000@cs.tcd.ie>
Date: Wed, 16 Dec 2015 10:22:52 +0100
Message-ID: <CAF+SmEp494K9pQqWNAeH1iS+dsmLSMJnuMpAvjGm0dku3ukEfQ@mail.gmail.com>
From: Julian Dropmann <julian@dropmann.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="001a1134c2ae662e1f0527007381"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/BG4pzV7cF4GRliBYFMLP2Gpj0cQ>
Cc: "acme@ietf.org" <acme@ietf.org>, Noah Kantrowitz <noah@coderanger.net>
Subject: Re: [Acme] Issuing certificates based on Simple HTTP challenges
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2015 09:22:57 -0000
If the owners of the domain decide you not to give you write access to their zone, there is probably a reason for that. And this reason is that _they_ want to remain in control. So why do you even assume that you should be able to obtain a certificate for their domain if you do not even have control over that zone? In my opinion that is exactly the definition of what CAs should verify: If the requester has control over the zone the CA signs the certificate for. If the CA issues a certificate for the whole zone, it has to check if this happens in consent with the people who have control over that entire zone, and not just one guy running a service there. You push this discussion in a direction where its all about ease of use for the guy running the box to obtain a certificate. But please explain to me then, why the host behind an A record should have that legitimization. On Wed, Dec 16, 2015 at 3:26 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > Hiya, > > On 16/12/15 01:44, Julian Dropmann wrote: > > The target users are server admins right? In order to set up their > > services, they should be familiar with DNS. > > Familiar with != has write access to. > > In my university, I have root on 24U of boxen with zero write > access to the routers, f/w, DNS or mail servers, meaning that > for 13 years I couldn't get the two that are publicly visible > web servers certified by any CA any time I checked, which was > admittedly not that often. > ACME (via LE in that case, but I've no allegiance) fixed that > in a couple of minutes. And those minutes didn't require deep > knowledge of anything - relative ignorance would have worked > just as well, which is fantastic:-) > > And before someone argues, sure there are other situations but > our goal here is to define a protocol that works in the most > common of those cases as easily as possible and that supports > automation. > > > To use the current > > mechanism they already need to configure the A record. > > Not necessarily the same admins. That much is pretty obvious > and unless someone has demographics about how many sysadmins > have what access to what (which would be great!) I think this > is repetitive argument and therefore pointless. > > Cheers, > S. > > > > So whats the > > big difference? Instead of an A record they need to use an SRV > > record. So technically only the record type changes. Nothing else. > > How is that even a higher level of interaction? > > > > There are other services requiring admins to create DNS records > > (Google Apps for example). They are being used. > >
- [Acme] Issuing certificates based on Simple HTTP … Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… moparisthebest
- Re: [Acme] Issuing certificates based on Simple H… Ilari Liusvaara
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Ilari Liusvaara
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Peter Bowen
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Kim Alvefur
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Kim Alvefur
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Richard Barnes
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Richard Barnes
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Peter Bowen
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell