Re: [Acme] Issuing certificates based on Simple HTTP challenges
Phillip Hallam-Baker <phill@hallambaker.com> Wed, 16 December 2015 20:29 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A35651A89B9 for <acme@ietfa.amsl.com>; Wed, 16 Dec 2015 12:29:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vpHibGCNuxl2 for <acme@ietfa.amsl.com>; Wed, 16 Dec 2015 12:29:33 -0800 (PST)
Received: from mail-lf0-x22b.google.com (mail-lf0-x22b.google.com [IPv6:2a00:1450:4010:c07::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 417541A89B8 for <acme@ietf.org>; Wed, 16 Dec 2015 12:29:32 -0800 (PST)
Received: by mail-lf0-x22b.google.com with SMTP id l133so37643026lfd.2 for <acme@ietf.org>; Wed, 16 Dec 2015 12:29:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=tvPrwTChZKlI1IBEypKHqEksHv92jPKa1Cjlc3gFGdE=; b=yKcXFPUo75zEWT7Omt/LJmCC/dQiBjhrDxqiskEJH0Q7ZKgVU+fOjfsX0uz6VxFAhy NsQXAjmqOTMX2dLvdoW5I9GPuBfvw4Lv8wA+BVhgz45lPkgZHohOseOTCkFGSpBSHQKq 5glCZYRQyBGqdB5coZEqmY6GlLNyavXAkaD0IzFKjUMsAxNQ5JHIV87lZSJkCH7VYYys RIc4nIFPAxSUUTlaqbrPw4hX+RznH7OE/6qw0Afb9vW5GuVgtTCFC61/UrElWytI7TF5 tCZ7byBpVDERdKnrmPWfgihCm1ChfnHQ5LIedU8EB0Zvg43a5pwMmMAA8+/+aTEjt3pQ GT/Q==
MIME-Version: 1.0
X-Received: by 10.25.206.203 with SMTP id e194mr15828268lfg.166.1450297770468; Wed, 16 Dec 2015 12:29:30 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.1.227 with HTTP; Wed, 16 Dec 2015 12:29:30 -0800 (PST)
In-Reply-To: <5671C174.5040004@cs.tcd.ie>
References: <CAF+SmEpOLoaREymVhi=qOUg2opz1vKzzNp6tGrDTZAjYSKFDkg@mail.gmail.com> <566F15DC.7090607@wyraz.de> <6B677A87-C6A0-485E-80DF-24960D585F46@coderanger.net> <566F2CB5.90402@wyraz.de> <89774336-0BA6-48FC-821D-1E8F3ED9AC14@coderanger.net> <566F4701.7050308@wyraz.de> <F3DA31B1-B27C-4C63-8ED4-6D27D46FF282@coderanger.net> <C2C239F2-E8A7-499B-BE52-3A48EA92B86D@dropmann.org> <BF7F8411-3E83-4A1F-B3A1-4C37DC8B4618@coderanger.net> <3CDE1749-3143-49EE-BD66-0AE4A8CC4175@dropmann.org> <566FDAB7.2030403@cs.tcd.ie> <56700F68.3040103@wyraz.de> <56701904.2070009@cs.tcd.ie> <56702EFA.1050008@wyraz.de> <13B5E9A8-E9CE-4018-8A9D-7856CBF06B4F@coderanger.net> <CAMm+Lwhvf+nRVV38q1U1DKm1WStV1UJv4+EJ_zvq0G_Tb25S9w@mail.gmail.com> <2761E0B2-8DCC-4150-813F-8CAB756C0392@coderanger.net> <174B082E-2721-41AE-992D-2937DCCB74CB@dropmann.org> <894b0ad1f1c34184bbbc9133702ed474@usma1ex-dag1mb1.msg.corp.akamai.com> <5671BBB5.4050308@wyraz.de> <5671C174.5040004@cs.tcd.ie>
Date: Wed, 16 Dec 2015 15:29:30 -0500
X-Google-Sender-Auth: 1wqZ3rjjlouaijTOxGftaixDvM8
Message-ID: <CAMm+LwhLGYvV_3jy=4K29TMEKznoTADN9q849CouiW226feU=g@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/HjTOsUYX7Xm89Kfn_ubZBiZthv8>
Cc: "acme@ietf.org" <acme@ietf.org>, Michael Wyraz <michael@wyraz.de>
Subject: Re: [Acme] Issuing certificates based on Simple HTTP challenges
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2015 20:29:35 -0000
On Wed, Dec 16, 2015 at 2:54 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > > On 16/12/15 19:29, Michael Wyraz wrote: >> >> An optional ACME SRV record in the spec would make all happy: > > tl;dr: No, it would not make me happy and I will object to it. > > Sorry about that but it's just a bad idea;-) > > We'd need something like the public suffix list for that to > work. I really don't want the basic mechanism for acme to > depend on dbound. [1] If someone suggests walking the DNS > tree to find the RR, then that'll not be accepted by DNS > folks - there's lots of history for how that discussion > goes. I have no idea how this relates to the choice of A or SRV records. CAs already have to cope with the public suffix list issues. That has been part of being a CA since forever. > And even if/when the public suffix issue is sorted, it'd > still be a bad idea for people in my specific situation. > For example, a record in tcd.ie (which is the correct public > suffix) could prevent me from getting down.dsg.cs.tcd.ie certified > even though the nearest real DNS authority is for cs.tcd.ie who > probably would not publish such a record. That would push me > back to using self-signed certs which would mean that acme was > a step backwards, not forwards. Again, I don't know what the > numbers are like for folks in my situation, but every time I > have described it, people have recognised it as not uncommon. We already went through all that on RFC6844 (CAA). CAs are required to climb the tree. BUT to be compliant with the specification, they are only required to state what they do when authorization is denied. The assumption built into CAA is that if someone delegates part of a domain, they are also delegating the cert issue authority. So cs.tcd.ie does not get to set policy for down.dsg.cs.tcd.ie once they have delegated control of the DNS there. > And even if none of that were an issue, I want (me and others) > to be able to use acme to deal with CAs without there being > a new complex RA interaction as a part of the basic mode of > operation. An optional SRV scheme would inevitably evolve to > have that level of complexity. I don't see how SRV makes things more complex. That might be because I am more comfortable with SRV or it might be because I think the basic A record validation is a bigger can of worms than you imagine. The complication factor here isn't the use of SRV vs A record, it is the decision to automate. We have automated systems but they will fallback to manual processes when a corner case is encountered. Trying to cover every corner case is what is making this a lot hairy-er. > In my case, cs.tcd.ie if they > wanted to publish such a record would need a way to point to > different PIs (i.e. people) in the department as being the > ones who were responsible for authorizing certification > requests. And those people would decide to delegate that to > some student, so we'd have all sorts of non-trivial delegation > issues to tackle if the SRV scheme is to be well-defined. > Even optional things need to be well-defined. Consider pi.dsg.cs.tcd.ie, a $5 Raspberry Pi. * Might it require a TLS cert? - Yes! * Might it need this to be a WebPKI cert? - Possibly not. * Should this be a wildcard cert for *.tcd.ie? - EEEK! The thing that probably isn't obvious to folk who don't operate PKI is that if the cert isn't a WebPKI cert, it is almost certainly going to have to be issued under an RA to be any use to anyone at all. So what looks like a useful tool to remove your student's need for a WebPKI and a reduction in vulnerability actually opens up the requirements you don't want to consider. > By all means define an SRV based challenge but I will argue > strongly against it's inclusion as an option in the basic > mechanism. I will also argue against the basic mechanism > having any documentation dependency on such a scheme (because > I think it'll take 1-2 more years to get done right). OTOH, > if acme gets the basics done and soon and deployed, then I'll > be happy to try help with subsequent work on RA features. I think it will take exactly as long to understand the nature of the problem regardless of the nature of the solutions you accept.
- [Acme] Issuing certificates based on Simple HTTP … Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… moparisthebest
- Re: [Acme] Issuing certificates based on Simple H… Ilari Liusvaara
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Ilari Liusvaara
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Peter Bowen
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Kim Alvefur
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Kim Alvefur
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Richard Barnes
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Richard Barnes
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Peter Bowen
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell