Re: [Acme] Server on >= 1024 port
Ted Hardie <ted.ietf@gmail.com> Wed, 02 December 2015 16:51 UTC
Return-Path: <ted.ietf@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71B091B2BD0 for <acme@ietfa.amsl.com>; Wed, 2 Dec 2015 08:51:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_64=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z5EKO1c5ZtSX for <acme@ietfa.amsl.com>; Wed, 2 Dec 2015 08:51:57 -0800 (PST)
Received: from mail-qg0-x22c.google.com (mail-qg0-x22c.google.com [IPv6:2607:f8b0:400d:c04::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD4F11B2B9E for <acme@ietf.org>; Wed, 2 Dec 2015 08:51:55 -0800 (PST)
Received: by qgeb1 with SMTP id b1so38091015qge.1 for <acme@ietf.org>; Wed, 02 Dec 2015 08:51:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=rFEckxDFyxyu1HozimYZqwhc6z/ExwYUNwOpTQIzUsY=; b=rk8oD+6VuRz/qLc6VyGp33qO1hBxS1mtGGy6hDGt47qpgrJ0jW4fj1fLjtRIcO/cMf jnVK1jY5AsOhUUnE5RvP0ZNRuUdagRrpmitk6aoPES2CYNSur6dDQCS87TtXvHv+9khZ BgBfP4J1YUCuPE06izGar5z4rOkzNJjNKY/FrbYxm6HtFLfrGU9S3N2KzZNzusWZrR37 Ns4tUBZg4eYs7RrBi5FfzSwIhY37IevIaaaZ3sq5oJOOVCM7nTdOoVt2NsC12YYFQ+Lk W2UPjWnqO9ULgbH66jDoDpzo+69IchNGgaFLLB/2W2AC8YL07GYIgZFYC3ExtUinOPAA RVEA==
MIME-Version: 1.0
X-Received: by 10.140.94.116 with SMTP id f107mr5311106qge.0.1449075114917; Wed, 02 Dec 2015 08:51:54 -0800 (PST)
Received: by 10.55.14.211 with HTTP; Wed, 2 Dec 2015 08:51:54 -0800 (PST)
In-Reply-To: <CAL02cgQPZrx5d1xO-xKEQrV+pZKLkhYW_XDSm=QM8THs__s5qQ@mail.gmail.com>
References: <565589E4.2030107@desy.de> <565EBF56.3070502@desy.de> <D836A378-DA88-4AAF-B1E4-F34A80319DC1@gmail.com> <e9092589f3204a449af8b6f900be1303@usma1ex-dag1mb1.msg.corp.akamai.com> <CAL02cgQPZrx5d1xO-xKEQrV+pZKLkhYW_XDSm=QM8THs__s5qQ@mail.gmail.com>
Date: Wed, 02 Dec 2015 08:51:54 -0800
Message-ID: <CA+9kkMDfmtA9YtqjCxWcV3ZLUoeq4PYOCcPEHWMiGBc4W2HV_A@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Content-Type: multipart/alternative; boundary="001a113aa0727a45950525ed17d9"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/Jcue8FzqICYPEcDovmU1_mA-dJs>
Cc: Paul Millar <paul.millar@desy.de>, "Salz, Rich" <rsalz@akamai.com>, "acme@ietf.org" <acme@ietf.org>, Yoav Nir <ynir.ietf@gmail.com>
Subject: Re: [Acme] Server on >= 1024 port
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2015 16:51:59 -0000
On Wed, Dec 2, 2015 at 7:17 AM, Richard Barnes <rlb@ipv.sx> wrote: > I agree that we're converging on some rough consensus, but I would > frame it (again) slightly differently: > > 1. ACME needs to validate domain control, not domain+port control, > because (1) there is no current mechanism for issuing certificates for > domain+port (vs. just domain), and (2) the primary use cases for ACME > right now (DV certs, and possibly OV/EV) don't have any notion of > ports. > > 2. Thus the port used for validation needs to be one such that control > of the port is effectively control of the domain. > > If you look at what CAs do today, that basically means the port is > 80/443. More generally, it means that the port needs to be specified > by the challenge mechanism and not by the client. > > So that leaves us with 80/443 for the challenges we have today. If > people want to define, say, a CalDAV challenge, they can argue for a > new challenge type, but ISTM it'll be a hard sell. > > There was discussion about registering a port specifically for ACME challenges, so that a running server on 80/443 did not have to be changed during the challenge. That would be a privileged port, and we could define the semantics for the challenges there to be similar to the 443 challenge (essentially a TLS-based challenge on a different, well-known port). I did not see consensus for this approach, but I also didn't detect the same opposition to it that other approaches attracted. If folks are interested in supporting this approach, I'd suggesting writing a draft which describes the challenge and proposes registration; that would give us a more concrete understanding of whether the effort to support this would be appropriate for the number of installations which would use it. regards, Ted > It's also worth noting that just because we define challenge types > doesn't mean any particular CA will support them (that's the point of > extensibility). For example, Let's Encrypt doesn't support the > "dns-01" challenge. > > --Richard > > > On Wed, Dec 2, 2015 at 9:43 AM, Salz, Rich <rsalz@akamai.com> wrote: > > Speaking as co-chair, I think Yoav's summary is more accurate. The > consensus in the room at Yokohama was that there is not real support for > other than 443, but that we need to discuss this on the list "one last > time." I think closing discussion is a bit premature, but at this point > there seems rough consensus to not require other than 443. > > > > _______________________________________________ > > Acme mailing list > > Acme@ietf.org > > https://www.ietf.org/mailman/listinfo/acme > > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme >
- [Acme] Server on >= 1024 port Paul Millar
- Re: [Acme] Server on >= 1024 port moparisthebest
- Re: [Acme] Server on >= 1024 port Eric Rescorla
- Re: [Acme] Server on >= 1024 port moparisthebest
- Re: [Acme] Server on >= 1024 port Roland Zink
- Re: [Acme] Server on >= 1024 port Martin Thomson
- Re: [Acme] Server on >= 1024 port Paul Millar
- Re: [Acme] Server on >= 1024 port Randy Bush
- Re: [Acme] Server on >= 1024 port Yoav Nir
- Re: [Acme] Server on >= 1024 port Yoav Nir
- Re: [Acme] Server on >= 1024 port Rob Stradling
- Re: [Acme] Server on >= 1024 port Stephen Farrell
- Re: [Acme] Server on >= 1024 port Rob Stradling
- Re: [Acme] Server on >= 1024 port Paul Millar
- Re: [Acme] Server on >= 1024 port Phillip Hallam-Baker
- Re: [Acme] Server on >= 1024 port Yoav Nir
- Re: [Acme] Server on >= 1024 port Salz, Rich
- Re: [Acme] Server on >= 1024 port Richard Barnes
- Re: [Acme] Server on >= 1024 port Niklas Keller
- Re: [Acme] Server on >= 1024 port Ted Hardie
- Re: [Acme] Server on >= 1024 port Salz, Rich
- Re: [Acme] Server on >= 1024 port Phillip Hallam-Baker
- Re: [Acme] Server on >= 1024 port Phillip Hallam-Baker
- Re: [Acme] Server on >= 1024 port Romain Fliedel
- Re: [Acme] Server on >= 1024 port Ted Hardie
- Re: [Acme] Server on >= 1024 port Phillip Hallam-Baker
- Re: [Acme] Server on >= 1024 port Romain Fliedel
- Re: [Acme] Server on >= 1024 port Phillip Hallam-Baker
- Re: [Acme] Server on >= 1024 port Peter Eckersley
- Re: [Acme] Server on >= 1024 port Peter Eckersley
- Re: [Acme] Server on >= 1024 port Peter Eckersley
- Re: [Acme] Server on >= 1024 port James Cloos
- Re: [Acme] Server on >= 1024 port Richard Barnes
- Re: [Acme] Server on >= 1024 port Phillip Hallam-Baker
- Re: [Acme] Server on >= 1024 port Peter Eckersley
- Re: [Acme] Server on >= 1024 port James Cloos
- Re: [Acme] Server on >= 1024 port Eric Rescorla
- Re: [Acme] Server on >= 1024 port Niklas Keller
- Re: [Acme] Server on >= 1024 port Randy Bush
- Re: [Acme] Server on >= 1024 port Eric Mill
- Re: [Acme] Server on >= 1024 port Darren J Moffat
- Re: [Acme] Server on >= 1024 port Rob Stradling
- Re: [Acme] Server on >= 1024 port Ángel González
- Re: [Acme] Server on >= 1024 port Vincent Lynch