Re: [Acme] Want client-defined callback port

Richard Barnes <rlb@ipv.sx> Thu, 23 April 2015 13:18 UTC

In-Reply-To: <CABkgnnXRoBuydMD2v6Jp5jwZRPEUKQKBqiFTfiK=Fs1KQKUzCg@mail.gmail.com>
References: <352DA5FE-AC6F-49A7-8F9F-70A74889204F@apple.com> <CAK3OfOjey4bk02qC_jj2c0AzZ54qnP=KAJnG=mXnO6A5gZ4m9g@mail.gmail.com> <CAL02cgQ94ijVrCM9SStcodRW+XSG2w5Zwu3+ny8HriDBnxjdtg@mail.gmail.com> <FF21526F-BA8D-4F54-AAE3-047632706668@apple.com> <CAL02cgSDk0TNYusEkXA3onmqF7=kaAWhHjpW8WjbiqxgQMdQwQ@mail.gmail.com> <555F6C74-2416-4893-BDEA-A3C2E55A6D57@apple.com> <16985cf1c8c444c48d328fa766ec5ff8@usma1ex-dag1mb2.msg.corp.akamai.com> <DE264105-7317-4343-BCEE-539A73D42544@apple.com> <CAL02cgTv5Zi4wP0gJPvcrty6N96pAaLRkCveyvMNfoyjQrrEyw@mail.gmail.com> <20150423023358.GW27613@eff.org> <CABkgnnXRoBuydMD2v6Jp5jwZRPEUKQKBqiFTfiK=Fs1KQKUzCg@mail.gmail.com>
Date: Thu, 23 Apr 2015 09:18:50 -0400
Message-ID: <CAL02cgTxSOa16-kkEpOZ91yZfKFuSmXXZwyMVD1yYvBe2eP1hg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Martin Thomson <martin.thomson@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/CRSbzXOU7TKCOdrUsZ-myoibgcw>
Cc: "Salz, Rich" <rsalz@akamai.com>, Peter Eckersley <pde@eff.org>, Bruce Gaya <gaya@apple.com>, "acme@ietf.org" <acme@ietf.org>, Nico Williams <nico@cryptonector.com>

On Thu, Apr 23, 2015 at 12:09 AM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 22 April 2015 at 19:33, Peter Eckersley <pde@eff.org> wrote:
> > Perhaps those policies can be stored out of band, or perhaps we can add
> > a separate REST API endpoint where clients ask what ports the server
> > considers acceptable for DV Challenges.
>
>
> Or just pick port 100 (or another that isn't already taken) and say
> 443 or _that_.  I can't imagine you would need to have many numbers
> before you found one that was free.
>

This seems like a simpler and safer option to me.  Register an ACME port
and use that if HTTPS isn't feasible.

Bruce, would that meet your use case?  That is, in your scenario, can the
CalDAV service open a new (privileged) port, or does the ACME verification
have to happen on the CalDAV port?
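An added example, not code from the ACME list or from any ACME implementation, of the CA-side policy this reply argues for: the validation server decides which ports it will connect to, rather than letting the client name a callback port. The allowlist below is an assumption (443 plus a placeholder registered ACME port; the number 100 is only the placeholder used in the quoted message, not a real IANA assignment). The check also flags whether the chosen port is privileged, since on Unix-like hosts ports 0 to 1023 can only be bound by root or a process holding CAP_NET_BIND_SERVICE, which is what makes a low port a stronger proof of control on a shared host than a client-chosen high port.

```python
"""Added example (not from the ACME thread or any ACME code): CA-side
port policy for an HTTP-style domain-validation challenge."""
from dataclasses import dataclass
from urllib.parse import urlsplit

PRIVILEGED_PORT_MAX = 1023  # 0-1023 need root or CAP_NET_BIND_SERVICE on Unix

# Fixed, CA-defined policy. Assumption: 443 plus a registered ACME port;
# 100 is the placeholder number from the thread, not a real assignment.
ALLOWED_PORTS = frozenset({443, 100})


@dataclass(frozen=True)
class PortDecision:
    port: int
    allowed: bool
    privileged: bool
    reason: str


def is_privileged(port: int) -> bool:
    """True for ports that an unprivileged local user cannot bind."""
    return 0 <= port <= PRIVILEGED_PORT_MAX


def decide_port(port: int) -> PortDecision:
    """Apply the CA's allowlist; the client gets no say in the port."""
    if port in ALLOWED_PORTS:
        return PortDecision(port, True, is_privileged(port), "port in CA policy")
    return PortDecision(port, False, is_privileged(port),
                        "port not in CA policy (client-chosen ports are rejected)")


def check_challenge_url(identifier: str, url: str) -> PortDecision:
    """Validate a challenge URL the client proposes for identifier.

    The host must be the identifier being validated (no redirect to another
    host) and the port must pass decide_port. Default ports follow the scheme.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return PortDecision(-1, False, False, f"unsupported scheme {parts.scheme!r}")
    if parts.hostname != identifier.lower():
        return PortDecision(-1, False, False, "host does not match identifier")
    try:
        port = parts.port
    except ValueError:
        return PortDecision(-1, False, False, "malformed port")
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return decide_port(port)


if __name__ == "__main__":
    # Constructed inputs: a client trying to steer validation to port 8080
    # (unprivileged, any local user could answer) versus the CA's fixed ports.
    for ident, u in [("example.com", "https://example.com:8080/.well-known/acme-challenge/tok"),
                     ("example.com", "https://example.com/.well-known/acme-challenge/tok"),
                     ("example.com", "http://example.com:100/.well-known/acme-challenge/tok"),
                     ("example.com", "https://other.example/.well-known/acme-challenge/tok")]:
        d = check_challenge_url(ident, u)
        print(f"{u}: allowed={d.allowed} privileged={d.privileged} ({d.reason})")
```

The point of the structure is that `ALLOWED_PORTS` is the only knob, and it belongs to the CA: a client-supplied port never reaches the connect step, and the `privileged` flag records why 443 or a registered low port is a meaningful proof of control on a multi-user host while 8080 is not.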