IETF Logo Mail Archive

Re: [Acme] Issuing certificates based on Simple HTTP challenges

Julian Dropmann <julian@dropmann.org> Wed, 16 December 2015 09:22 UTC

Return-Path: <julian@dropmann.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C092A1ACD2A for <acme@ietfa.amsl.com>; Wed, 16 Dec 2015 01:22:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sifOjgpuYhRv for <acme@ietfa.amsl.com>; Wed, 16 Dec 2015 01:22:55 -0800 (PST)
Received: from mail-lb0-x242.google.com (mail-lb0-x242.google.com [IPv6:2a00:1450:4010:c04::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 207861ACD2B for <acme@ietf.org>; Wed, 16 Dec 2015 01:22:54 -0800 (PST)
Received: by mail-lb0-x242.google.com with SMTP id u9so282359lbp.2 for <acme@ietf.org>; Wed, 16 Dec 2015 01:22:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dropmann.org; s=dkim1; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Qk5u5PI9Ip8n7mp4UJ+pTCEBOPEL1ZoyUVIZ3k53FcA=; b=KMYw5PQ2DzvpOEc0ZkWQeuNgwM0vZ8o4L15jwtyy9JTdh/JSZj4FF6rMmfuHNYV2rc Qclt3gvumlolECSJ9osh/ZGHS+XxZgy7BQvPXNQaz7nIXg1xMNn/sEnwxlA03zXB5nHQ nol2sFrcfCcd64c29Rj9f2XKNuI9hsvmNUK0U=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=Qk5u5PI9Ip8n7mp4UJ+pTCEBOPEL1ZoyUVIZ3k53FcA=; b=k/vUDcg4d7bcFYQPIrcmHri1AO1OU/+EiJvs0iJSkknmeQIzANY5JHFF03wBh3oecu tvjvGUUaRZbEJQyl8ItuhdHMZxetLoPhU9o5XHbj4Ca8Bp8UhoyVFXbXxcmcV+cOsYKK wo/FWrq/6zXTA/SYvc1s7XUGldRe4eCs6P0DL3UyJhArQ4WCxoMV5Evy3bfpejL4yNsf 9ccJw2Q8vqkCUI//ccR9hvfh2WsLa6kXeGPnpjXg1ndzRtipuxf3Rjkg8A+TInPn4OFL uaeDYDjZv5B2FPmO8enji4VnF0Eq4quliO8BDddxJwjruIbGW/FsCdBHEtrBnUg5lOD4 gClA==
X-Gm-Message-State: ALoCoQks1N2hm8vdOjO6xVWMtYhBzyqP6u7Ca/LqzfBzqxDYBFJzBRmmsNIvA9wSacok5MSEtxKv8j+7u6DXTFvp0146n4Kdkw==
MIME-Version: 1.0
X-Received: by 10.112.242.167 with SMTP id wr7mr15193573lbc.69.1450257773105; Wed, 16 Dec 2015 01:22:53 -0800 (PST)
Received: by 10.25.39.2 with HTTP; Wed, 16 Dec 2015 01:22:52 -0800 (PST)
X-Originating-IP: [62.154.225.234]
In-Reply-To: <5670CBD6.5080000@cs.tcd.ie>
References: <CAF+SmEpOLoaREymVhi=qOUg2opz1vKzzNp6tGrDTZAjYSKFDkg@mail.gmail.com> <566F15DC.7090607@wyraz.de> <6B677A87-C6A0-485E-80DF-24960D585F46@coderanger.net> <566F2CB5.90402@wyraz.de> <89774336-0BA6-48FC-821D-1E8F3ED9AC14@coderanger.net> <566F4701.7050308@wyraz.de> <F3DA31B1-B27C-4C63-8ED4-6D27D46FF282@coderanger.net> <C2C239F2-E8A7-499B-BE52-3A48EA92B86D@dropmann.org> <BF7F8411-3E83-4A1F-B3A1-4C37DC8B4618@coderanger.net> <3CDE1749-3143-49EE-BD66-0AE4A8CC4175@dropmann.org> <566FDAB7.2030403@cs.tcd.ie> <56700F68.3040103@wyraz.de> <56701904.2070009@cs.tcd.ie> <56702EFA.1050008@wyraz.de> <13B5E9A8-E9CE-4018-8A9D-7856CBF06B4F@coderanger.net> <CAMm+Lwhvf+nRVV38q1U1DKm1WStV1UJv4+EJ_zvq0G_Tb25S9w@mail.gmail.com> <2761E0B2-8DCC-4150-813F-8CAB756C0392@coderanger.net> <174B082E-2721-41AE-992D-2937DCCB74CB@dropmann.org> <5670CBD6.5080000@cs.tcd.ie>
Date: Wed, 16 Dec 2015 10:22:52 +0100
Message-ID: <CAF+SmEp494K9pQqWNAeH1iS+dsmLSMJnuMpAvjGm0dku3ukEfQ@mail.gmail.com>
From: Julian Dropmann <julian@dropmann.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="001a1134c2ae662e1f0527007381"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/BG4pzV7cF4GRliBYFMLP2Gpj0cQ>
Cc: "acme@ietf.org" <acme@ietf.org>, Noah Kantrowitz <noah@coderanger.net>
Subject: Re: [Acme] Issuing certificates based on Simple HTTP challenges
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2015 09:22:57 -0000

If the owners of the domain decide you not to give you write access to
their zone, there is probably a reason for that.
And this reason is that _they_ want to remain in control.

So why do you even assume that you should be able to obtain a certificate
for their domain if you do not even have control over that zone?
In my opinion that is exactly the definition of what CAs should verify: If
the requester has control over the zone the CA signs the certificate for.
If the CA issues a certificate for the whole zone, it has to check if this
happens in consent with the people who have control over that entire zone,
and not just one guy running a service there.

You push this discussion in a direction where its all about ease of use for
the guy running the box to obtain a certificate.
But please explain to me then, why the host behind an A record should have
that legitimization.

On Wed, Dec 16, 2015 at 3:26 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
> Hiya,
>
> On 16/12/15 01:44, Julian Dropmann wrote:
> > The target users are server admins right? In order to set up their
> > services, they should be familiar with DNS.
>
> Familiar with != has write access to.
>
> In my university, I have root on 24U of boxen with zero write
> access to the routers, f/w, DNS or mail servers, meaning that
> for 13 years I couldn't get the two that are publicly visible
> web servers certified by any CA any time I checked, which was
> admittedly not that often.


> ACME (via LE in that case, but I've no allegiance) fixed that
> in a couple of minutes. And those minutes didn't require deep
> knowledge of anything - relative ignorance would have worked
> just as well, which is fantastic:-)
>
> And before someone argues, sure there are other situations but
> our goal here is to define a protocol that works in the most
> common of those cases as easily as possible and that supports
> automation.
>
> > To use the current
> > mechanism they already need to configure the A record.
>
> Not necessarily the same admins. That much is pretty obvious
> and unless someone has demographics about how many sysadmins
> have what access to what (which would be great!) I think this
> is repetitive argument and therefore pointless.
>
> Cheers,
> S.
>
>
> > So whats the
> > big difference? Instead of an A record they need to use an SRV
> > record. So technically only the record type changes. Nothing else.
> > How is that even a higher level of interaction?
> >
> > There are other services requiring admins to create DNS records
> > (Google Apps for example). They are being used.
>
>

v2.23.0 | Report a Bug | By Email