IETF Logo Mail Archive

Re: [Acme] Server on >= 1024 port

Ted Hardie <ted.ietf@gmail.com> Wed, 02 December 2015 16:51 UTC

Return-Path: <ted.ietf@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71B091B2BD0 for <acme@ietfa.amsl.com>; Wed, 2 Dec 2015 08:51:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_64=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z5EKO1c5ZtSX for <acme@ietfa.amsl.com>; Wed, 2 Dec 2015 08:51:57 -0800 (PST)
Received: from mail-qg0-x22c.google.com (mail-qg0-x22c.google.com [IPv6:2607:f8b0:400d:c04::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD4F11B2B9E for <acme@ietf.org>; Wed, 2 Dec 2015 08:51:55 -0800 (PST)
Received: by qgeb1 with SMTP id b1so38091015qge.1 for <acme@ietf.org>; Wed, 02 Dec 2015 08:51:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=rFEckxDFyxyu1HozimYZqwhc6z/ExwYUNwOpTQIzUsY=; b=rk8oD+6VuRz/qLc6VyGp33qO1hBxS1mtGGy6hDGt47qpgrJ0jW4fj1fLjtRIcO/cMf jnVK1jY5AsOhUUnE5RvP0ZNRuUdagRrpmitk6aoPES2CYNSur6dDQCS87TtXvHv+9khZ BgBfP4J1YUCuPE06izGar5z4rOkzNJjNKY/FrbYxm6HtFLfrGU9S3N2KzZNzusWZrR37 Ns4tUBZg4eYs7RrBi5FfzSwIhY37IevIaaaZ3sq5oJOOVCM7nTdOoVt2NsC12YYFQ+Lk W2UPjWnqO9ULgbH66jDoDpzo+69IchNGgaFLLB/2W2AC8YL07GYIgZFYC3ExtUinOPAA RVEA==
MIME-Version: 1.0
X-Received: by 10.140.94.116 with SMTP id f107mr5311106qge.0.1449075114917; Wed, 02 Dec 2015 08:51:54 -0800 (PST)
Received: by 10.55.14.211 with HTTP; Wed, 2 Dec 2015 08:51:54 -0800 (PST)
In-Reply-To: <CAL02cgQPZrx5d1xO-xKEQrV+pZKLkhYW_XDSm=QM8THs__s5qQ@mail.gmail.com>
References: <565589E4.2030107@desy.de> <565EBF56.3070502@desy.de> <D836A378-DA88-4AAF-B1E4-F34A80319DC1@gmail.com> <e9092589f3204a449af8b6f900be1303@usma1ex-dag1mb1.msg.corp.akamai.com> <CAL02cgQPZrx5d1xO-xKEQrV+pZKLkhYW_XDSm=QM8THs__s5qQ@mail.gmail.com>
Date: Wed, 02 Dec 2015 08:51:54 -0800
Message-ID: <CA+9kkMDfmtA9YtqjCxWcV3ZLUoeq4PYOCcPEHWMiGBc4W2HV_A@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Content-Type: multipart/alternative; boundary="001a113aa0727a45950525ed17d9"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/Jcue8FzqICYPEcDovmU1_mA-dJs>
Cc: Paul Millar <paul.millar@desy.de>, "Salz, Rich" <rsalz@akamai.com>, "acme@ietf.org" <acme@ietf.org>, Yoav Nir <ynir.ietf@gmail.com>
Subject: Re: [Acme] Server on >= 1024 port
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2015 16:51:59 -0000

On Wed, Dec 2, 2015 at 7:17 AM, Richard Barnes <rlb@ipv.sx> wrote:

> I agree that we're converging on some rough consensus, but I would
> frame it (again) slightly differently:
>
> 1. ACME needs to validate domain control, not domain+port control,
> because (1) there is no current mechanism for issuing certificates for
> domain+port (vs. just domain), and (2) the primary use cases for ACME
> right now (DV certs, and possibly OV/EV) don't have any notion of
> ports.
>
> 2. Thus the port used for validation needs to be one such that control
> of the port is effectively control of the domain.
>
> If you look at what CAs do today, that basically means the port is
> 80/443.  More generally, it means that the port needs to be specified
> by the challenge mechanism and not by the client.
>
> So that leaves us with 80/443 for the challenges we have today.  If
> people want to define, say, a CalDAV challenge, they can argue for a
> new challenge type, but ISTM it'll be a hard sell.
>
>
​There was discussion about registering a port specifically for ACME
challenges, so that a running server on 80/443 did not have to be changed
during ​the challenge.  That would be a privileged port, and we could
define the semantics for the challenges there to be similar to the 443
challenge (essentially a TLS-based challenge on a different, well-known
port).

I did not see consensus for this approach, but I also didn't detect the
same opposition to it that other approaches attracted.  If folks are
interested in supporting this approach, I'd suggesting writing a draft
which describes the challenge and proposes registration; that would give us
a more concrete understanding of whether the effort to support this would
be appropriate for the number of installations which would use it.

regards,

Ted


> It's also worth noting that just because we define challenge types
> doesn't mean any particular CA will support them (that's the point of
> extensibility).  For example, Let's Encrypt doesn't support the
> "dns-01" challenge.
>
> --Richard
>
>
> On Wed, Dec 2, 2015 at 9:43 AM, Salz, Rich <rsalz@akamai.com> wrote:
> > Speaking as co-chair, I think Yoav's summary is more accurate.  The
> consensus in the room at Yokohama was that there is not real support for
> other than 443, but that we need to discuss this on the list "one last
> time." I think closing discussion is a bit premature, but at this point
> there seems rough consensus to not require other than 443.
> >
> > _______________________________________________
> > Acme mailing list
> > Acme@ietf.org
> > https://www.ietf.org/mailman/listinfo/acme
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>

v2.23.0 | Report a Bug | By Email