Re: [Acme] Server on >= 1024 port
Phillip Hallam-Baker <phill@hallambaker.com> Wed, 02 December 2015 17:01 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45C011A00C3 for <acme@ietfa.amsl.com>; Wed, 2 Dec 2015 09:01:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.676
X-Spam-Level:
X-Spam-Status: No, score=-0.676 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_64=0.6, SPF_PASS=-0.001, WEIRD_PORT=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hf3_u1SQrrEd for <acme@ietfa.amsl.com>; Wed, 2 Dec 2015 09:01:07 -0800 (PST)
Received: from mail-lf0-x22f.google.com (mail-lf0-x22f.google.com [IPv6:2a00:1450:4010:c07::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 694901A00A1 for <acme@ietf.org>; Wed, 2 Dec 2015 09:01:07 -0800 (PST)
Received: by lfs39 with SMTP id 39so55473532lfs.3 for <acme@ietf.org>; Wed, 02 Dec 2015 09:01:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=5GUv9I0P3ehfnIr8YYMyX89PcDgrokpyYVNPnwrJGrs=; b=kL9q8rhIhBFIWEl+2nenZhQoIipeObDPGsf68c3Y/8uesdJFyW3ZLoaNBZnNXYfEgu yRNBmITZNuZhAojxtQtjCLCdG/tgLBj05m0bJk1FCpmYbTonrDI2O7DXtc/7FIIH+w/o fzTJzMGIoMOnhoJvB/uyUMZudLnWclEE8FWLM5E9Dk1kJsfYy5yvjTqWt91pps0Lb6V+ gnVehjm2FrG4Gp3HsGF7oGU4dU4vepXKQd1sw/aB4RfTlp2Og36H0UVpZhJmc/yaV2l7 LrWx448813JuwFMyw0LOCTZxfL+NWu5P/miVR3uT/cpgRcTniTzmydep2BVxEznJNFj8 kJig==
MIME-Version: 1.0
X-Received: by 10.25.206.132 with SMTP id e126mr3309675lfg.39.1449075665101; Wed, 02 Dec 2015 09:01:05 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.1.227 with HTTP; Wed, 2 Dec 2015 09:01:04 -0800 (PST)
In-Reply-To: <CAL02cgQPZrx5d1xO-xKEQrV+pZKLkhYW_XDSm=QM8THs__s5qQ@mail.gmail.com>
References: <565589E4.2030107@desy.de> <565EBF56.3070502@desy.de> <D836A378-DA88-4AAF-B1E4-F34A80319DC1@gmail.com> <e9092589f3204a449af8b6f900be1303@usma1ex-dag1mb1.msg.corp.akamai.com> <CAL02cgQPZrx5d1xO-xKEQrV+pZKLkhYW_XDSm=QM8THs__s5qQ@mail.gmail.com>
Date: Wed, 02 Dec 2015 12:01:04 -0500
X-Google-Sender-Auth: vk4YxQh_snDHqfW8ks2NEZYOhqg
Message-ID: <CAMm+LwiqfYH-Vt7L2OSyLTNWzPSYBO-qxhjHege2jFqOnPtxjQ@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Richard Barnes <rlb@ipv.sx>
Content-Type: multipart/alternative; boundary="001a11420706456b710525ed387e"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/JpyimH1sesQ_H9HTFZhISYgG_mQ>
Cc: Paul Millar <paul.millar@desy.de>, "Salz, Rich" <rsalz@akamai.com>, "acme@ietf.org" <acme@ietf.org>, Yoav Nir <ynir.ietf@gmail.com>
Subject: Re: [Acme] Server on >= 1024 port
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2015 17:01:09 -0000
On Wed, Dec 2, 2015 at 10:17 AM, Richard Barnes <rlb@ipv.sx> wrote: > I agree that we're converging on some rough consensus, but I would > frame it (again) slightly differently: > > 1. ACME needs to validate domain control, not domain+port control, > because (1) there is no current mechanism for issuing certificates for > domain+port (vs. just domain), and (2) the primary use cases for ACME > right now (DV certs, and possibly OV/EV) don't have any notion of > ports. > Again, I think you are missing the real problem here. Let us say we have a new protocol to run over port 666 that is actually a Web service under the covers. Hosting provider has a host that supports the following Web Sites that belong to different parties: example.com malicious.com The hosting provider allows any form of executable to run on the host (10.6.6.6) that does not interfere with apache which has 80 & 443 reserved. [This is typical] Mallet controls malicious.com. He uploads an executable that opens a server on port 666. Applies for a cert for example.com:666 CA tries to validate example.com:666 Resolves A record for example.com -> 10.6.6.6 Makes ACME validation request to http://example.com:666/ Mallet's server can ignore the HostName: field in the HTTP interaction because it is his server. He can now get a cert for example.com:666 So the problem here is not merely that there is no such thing as a 'port bound' certificate. The problem is that there is no way to validate a cert for a single port. My objection to this validation mechanism would stand even if there was a port restriction option available in PKIX. And indeed we should have that type of capability just for reasons of least privilege.
- [Acme] Server on >= 1024 port Paul Millar
- Re: [Acme] Server on >= 1024 port moparisthebest
- Re: [Acme] Server on >= 1024 port Eric Rescorla
- Re: [Acme] Server on >= 1024 port moparisthebest
- Re: [Acme] Server on >= 1024 port Roland Zink
- Re: [Acme] Server on >= 1024 port Martin Thomson
- Re: [Acme] Server on >= 1024 port Paul Millar
- Re: [Acme] Server on >= 1024 port Randy Bush
- Re: [Acme] Server on >= 1024 port Yoav Nir
- Re: [Acme] Server on >= 1024 port Yoav Nir
- Re: [Acme] Server on >= 1024 port Rob Stradling
- Re: [Acme] Server on >= 1024 port Stephen Farrell
- Re: [Acme] Server on >= 1024 port Rob Stradling
- Re: [Acme] Server on >= 1024 port Paul Millar
- Re: [Acme] Server on >= 1024 port Phillip Hallam-Baker
- Re: [Acme] Server on >= 1024 port Yoav Nir
- Re: [Acme] Server on >= 1024 port Salz, Rich
- Re: [Acme] Server on >= 1024 port Richard Barnes
- Re: [Acme] Server on >= 1024 port Niklas Keller
- Re: [Acme] Server on >= 1024 port Ted Hardie
- Re: [Acme] Server on >= 1024 port Salz, Rich
- Re: [Acme] Server on >= 1024 port Phillip Hallam-Baker
- Re: [Acme] Server on >= 1024 port Phillip Hallam-Baker
- Re: [Acme] Server on >= 1024 port Romain Fliedel
- Re: [Acme] Server on >= 1024 port Ted Hardie
- Re: [Acme] Server on >= 1024 port Phillip Hallam-Baker
- Re: [Acme] Server on >= 1024 port Romain Fliedel
- Re: [Acme] Server on >= 1024 port Phillip Hallam-Baker
- Re: [Acme] Server on >= 1024 port Peter Eckersley
- Re: [Acme] Server on >= 1024 port Peter Eckersley
- Re: [Acme] Server on >= 1024 port Peter Eckersley
- Re: [Acme] Server on >= 1024 port James Cloos
- Re: [Acme] Server on >= 1024 port Richard Barnes
- Re: [Acme] Server on >= 1024 port Phillip Hallam-Baker
- Re: [Acme] Server on >= 1024 port Peter Eckersley
- Re: [Acme] Server on >= 1024 port James Cloos
- Re: [Acme] Server on >= 1024 port Eric Rescorla
- Re: [Acme] Server on >= 1024 port Niklas Keller
- Re: [Acme] Server on >= 1024 port Randy Bush
- Re: [Acme] Server on >= 1024 port Eric Mill
- Re: [Acme] Server on >= 1024 port Darren J Moffat
- Re: [Acme] Server on >= 1024 port Rob Stradling
- Re: [Acme] Server on >= 1024 port Ángel González
- Re: [Acme] Server on >= 1024 port Vincent Lynch