Re: [Acme] [EXTERNAL] Re: Call for adoption of draft-misell-acme-onion-02
Mike Ounsworth <Mike.Ounsworth@entrust.com> Fri, 09 June 2023 18:31 UTC
From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Aaron Gable <aaron=40letsencrypt.org@dmarc.ietf.org>, Deb Cooley <debcooley1@gmail.com>
CC: IETF ACME <acme@ietf.org>
Date: Fri, 09 Jun 2023 18:31:04 +0000
Message-ID: <CH0PR11MB57398845F919917F950469A09F51A@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <CAGgd1OdHCZg=g+2E56YyMdizNgm0_K+cOtcqJCEJD=NBrAo-6w@mail.gmail.com> <CAEmnErfGf_wNcCYjG6ctYy0N5-LFZdJ_1bHNzwrdvL8_9rYjcw@mail.gmail.com>
In-Reply-To: <CAEmnErfGf_wNcCYjG6ctYy0N5-LFZdJ_1bHNzwrdvL8_9rYjcw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/I5SlmHo9moTK7Xe6EmbduJ9sKa4>
(with my personal hat on) I don’t claim to be a great expert on Tor. That said, if this draft is the straightforward ACME extension to implement CA/B F BR 1.8.6 Appdx B, then I support adoption.

That discussion of why a CA would or would not implement this draft begs the next question: are there CA operators with an intent to implement this draft? Basically, is there running code?

---
Mike Ounsworth

From: Acme <acme-bounces@ietf.org> On Behalf Of Aaron Gable
Sent: Friday, June 9, 2023 11:56 AM
To: Deb Cooley <debcooley1@gmail.com>
Cc: IETF ACME <acme@ietf.org>
Subject: [EXTERNAL] Re: [Acme] Call for adoption of draft-misell-acme-onion-02

Hi all,

I support the draft for adoption. Specifically, I think it's a good thing to standardize the onion-csr-01 challenge type. I have two classes of comments that I look forward to discussing in-depth after adoption:

1) Obviously it's valuable for this draft to standardize a method that is already accepted by the CA/BF. But in the long term there's no need to use a CSR as the transport mechanism for a random token, a public key, and a signature -- moving away from x509 for this would be nice in the long term. Probably out-of-scope for this document, but worth discussing.

2) The primary benefit of the onion-csr-01 method is that it allows the CA to perform domain control validation without operating a Tor client. However, this benefit is obviated entirely by the need to operate a Tor client to check for CAA in the hidden service descriptor. It seems likely that there are CAs which have avoided implementing HTTP-01 and TLS-ALPN-01 for .onion due to the need to operate a Tor client; these same CAs may have been willing to implement ONION-CSR-01, but now will not due to the CAA mechanism.
Thanks,
Aaron

On Sun, Jun 4, 2023 at 4:07 AM Deb Cooley <debcooley1@gmail.com> wrote:

This will be a two week call for adoption ending on 16 June. Please speak up either for or against adopting this draft.

Thanks,
Deb
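Aaron's first comment describes onion-csr-01 as a CSR carrying a random token, a public key and a signature, and his second notes that the validation itself needs no Tor client. The offline part of that validation is the binding between the Ed25519 key in the CSR and the requested v3 .onion name, which Tor derives from the key. The code below is an added example written for this archive page, not code from the draft, the thread or any CA; the address encoding follows Tor's rend-spec-v3, while the "key must match the name, nonce must be echoed back" check is my assumption about what a CA's onion-csr-01 validation needs, and the CSR signature check itself is left to an X.509 library and not shown.

```python
"""Bind a v3 .onion name to the Ed25519 public key carried in a CSR.

Added example (not part of the mailing-list thread or the draft).
The address encoding follows Tor's rend-spec-v3:
  onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
  CHECKSUM      = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
  VERSION       = 0x03
The CA-side check function is an assumption about what onion-csr-01
validation must do once an X.509 library has verified the CSR signature.
"""
import base64
import hashlib
import hmac
import secrets

ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def onion_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum that ties the key bytes to the address version."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Encode a 32-byte Ed25519 public key as a v3 onion address."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_onion_address(name: str) -> bytes:
    """Return the public key a v3 onion address encodes.

    Accepts subdomains (www.<56 chars>.onion); raises ValueError if the
    name is malformed, has the wrong version or fails its checksum.
    """
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "onion" or len(labels[-2]) != 56:
        raise ValueError("not a v3 onion address")
    try:
        raw = base64.b32decode(labels[-2], casefold=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("invalid base32 in onion address") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("onion address checksum mismatch")
    return pubkey


def validate_onion_csr_binding(requested_name: str, csr_pubkey: bytes,
                               csr_ca_nonce: bytes, expected_ca_nonce: bytes) -> bool:
    """CA-side check after the CSR's own signature has been verified (assumed).

    The key that signed the CSR must be the key the requested .onion name
    encodes, and the CA-supplied nonce must come back unchanged. None of
    this needs a Tor client; only the later CAA lookup does.
    """
    try:
        name_key = decode_onion_address(requested_name)
    except ValueError:
        return False
    if name_key != csr_pubkey:
        return False
    return hmac.compare_digest(csr_ca_nonce, expected_ca_nonce)


if __name__ == "__main__":
    # Constructed sample: a random 32-byte key stands in for the service key.
    service_key = secrets.token_bytes(32)
    name = onion_address(service_key)
    nonce = secrets.token_bytes(16)
    print(name)
    print("binding ok:", validate_onion_csr_binding(name, service_key, nonce, nonce))
    print("wrong key :", validate_onion_csr_binding(name, bytes(32), nonce, nonce))
```

The checksum is only 16 bits, so it catches transcription errors in the name, not forgery; what actually proves control is the CSR signature over the CA nonce, made by the key the name encodes, which is why the example compares the decoded key to the CSR key rather than trusting the name alone.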