Re: [Acme] kinds of proof

Peter Bowen <pzbowen@gmail.com> Tue, 02 December 2014 04:47 UTC

Return-Path: <pzbowen@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF9B81A00D8 for <acme@ietfa.amsl.com>; Mon, 1 Dec 2014 20:47:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X8sCMvzvssyP for <acme@ietfa.amsl.com>; Mon, 1 Dec 2014 20:47:38 -0800 (PST)
Received: from mail-pa0-x232.google.com (mail-pa0-x232.google.com [IPv6:2607:f8b0:400e:c03::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82EB41A00D6 for <acme@ietf.org>; Mon, 1 Dec 2014 20:47:38 -0800 (PST)
Received: by mail-pa0-f50.google.com with SMTP id bj1so12565007pad.23 for <acme@ietf.org>; Mon, 01 Dec 2014 20:47:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=iGQU71uAWAlCMQoB8BszpawMBGbfSzLO2XncD66fq+M=; b=h5VyPfjEamtWTBABObtjAaAbamZ3UoNbv8xJw+7EnpfqoP8v8xSpH8LHUI1hVvO7wa 2+yFgCNDK+txYWZJvClPem6L+Xsep054mAAbcR3MWxJ58LMSWaQEN65Wbh74wrZbtwnM ArAKjcvrVylenoBdNzIx5WOCcGwAfAkKUoW877UeQq7k02LE1gNkTxVRBNZWh5adSqoE 75gzYudqNfGhjBhmkxLPZv+Gc/+eaGOebzjlnbO62Eq5BpXrY2LoKLwWrevpnmnnjorx 6DzEj8GLTsqnCRH5OZWX3NfIg7js28peerhccStbI/4vJr16j8zC4O8kZg8GAGsFBsZW HFqQ==
MIME-Version: 1.0
X-Received: by 10.66.235.74 with SMTP id uk10mr108080232pac.16.1417495657649; Mon, 01 Dec 2014 20:47:37 -0800 (PST)
Received: by 10.70.76.10 with HTTP; Mon, 1 Dec 2014 20:47:37 -0800 (PST)
In-Reply-To: <20141202025438.GH285@mournblade.imrryr.org>
References: <20141127211348.GE25114@mournblade.imrryr.org> <54784C61.2080508@cs.tcd.ie> <20141128170917.GC285@mournblade.imrryr.org> <88B49E1D-1601-4B86-8D93-14CF71501DFC@vpnc.org> <20141128213724.GG285@mournblade.imrryr.org> <7261AA75-5912-4514-A393-94F602C941C2@vpnc.org> <20141129170537.GK285@mournblade.imrryr.org> <m2tx1ehq63.wl%randy@psg.com> <CAK6vND83ehPaMtKm0i9nX2H+8k-xo_ztuh+fbnETn7HaoZqr3Q@mail.gmail.com> <DM2PR0301MB0655E1CABDDFF7E3198CA2BFA87A0@DM2PR0301MB0655.namprd03.prod.outlook.com> <20141202025438.GH285@mournblade.imrryr.org>
Date: Mon, 1 Dec 2014 20:47:37 -0800
Message-ID: <CAK6vND9GYED3T=2V1fL1M8eCwGz23PCAFOcaZAbxjTG5xtY2Tw@mail.gmail.com>
From: Peter Bowen <pzbowen@gmail.com>
To: acme@ietf.org
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/BJuh_gVxtewKPkqMH8P49OZV_dU
Subject: Re: [Acme] kinds of proof
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Dec 2014 04:47:40 -0000

On Mon, Dec 1, 2014 at 6:54 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
> On Tue, Dec 02, 2014 at 01:18:20AM +0000, Christian Huitema wrote:
>
>> > Yes, several CAs allow DNS based validation of control.
>
> I thought this too obvious to mention, I was talking *additional*
> verification methods other than DNS.

Today it is not too obvious, as the requirements that CAs follow do
not explicitly allow DNS based validation of control but do explicitly
allow web page based (http) validation of control.

Obviously fetching a Web page identified by a uniform resource
identifier containing the FQDN requires a DNS lookup, but this is
never mentioned in the current requirements.

Thanks,
Peter