Re: [Acme] kinds of proof

Paul Hoffman <> Sat, 29 November 2014 17:22 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 44C621A0163 for <>; Sat, 29 Nov 2014 09:22:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.647
X-Spam-Status: No, score=-3.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id qqHjyNQlj_ND for <>; Sat, 29 Nov 2014 09:22:10 -0800 (PST)
Received: from (Hoffman.Proper.COM []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1E07E1A014D for <>; Sat, 29 Nov 2014 09:22:10 -0800 (PST)
Received: from [] ( []) (authenticated bits=0) by (8.14.9/8.14.7) with ESMTP id sATHM8oQ094407 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <>; Sat, 29 Nov 2014 10:22:09 -0700 (MST) (envelope-from
X-Authentication-Warning: Host [] claimed to be []
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
From: Paul Hoffman <>
In-Reply-To: <>
Date: Sat, 29 Nov 2014 09:22:08 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <> <> <> <> <> <>
X-Mailer: Apple Mail (2.1993)
Subject: Re: [Acme] kinds of proof
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 29 Nov 2014 17:22:11 -0000

On Nov 29, 2014, at 9:05 AM, Viktor Dukhovni <> wrote:
> On Fri, Nov 28, 2014 at 01:57:55PM -0800, Paul Hoffman wrote:
>>> Because unfortunately, Web PKI certificates are host-wide, they don't
>>> specify a port.  Anyone who can run some program on a machine can
>>> bind to some random port and start a web service.  Possibly port-forwarded
>>> somewhere else via SSH!
>>> It is far from clear to me that every "shell" user of a machine
>>> should be authorized to obtain certificates for the whole machine.
>> And it is clear to me that they should be, if we want to see more encryption
>> of traffic. I have no problem with some CAs saying "we'll issue you a cert
>> only if you control port X", but I absolutely want that to be a policy of
>> the CA, not of the enrollment protocol.
> Paul, do you have any examples of CAs that accept any port, or are
> you in part making that up?

When I got a cert for my POP server, what-used-to-be-Verisign required the proof of control to be on a port that was not 80.

However, "does someone allow it" is completely different than "should this new protocol force a business model on all CAs". In the specific case I am thinking about, I want a server that will run DNS over TCP to be able to get a certificate with ACME. For that, the ability to control port 80 on the host is completely irrelevant. The same would be true for IMAP and POP servers. There are plenty non-web uses of TLS where ACME could be useful; hobbling the protocol to be web-only seems premature.

--Paul Hoffman