Re: [Acme] Acme Digest, Vol 13, Issue 3
Ron Aitchison <ron@zytrax.com> Tue, 10 November 2015 14:59 UTC
Return-Path: <ron@zytrax.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16CD61B3800 for <acme@ietfa.amsl.com>; Tue, 10 Nov 2015 06:59:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q8e4iBJcf3cT for <acme@ietfa.amsl.com>; Tue, 10 Nov 2015 06:59:39 -0800 (PST)
Received: from www.zytrax.com (www.zytrax.com [210.23.9.17]) by ietfa.amsl.com (Postfix) with ESMTP id BACCD1B37FE for <acme@ietf.org>; Tue, 10 Nov 2015 06:59:38 -0800 (PST)
Received: from [192.168.1.66] (dsl-67-230-145-222.tor.primus.ca [67.230.145.222]) by www.zytrax.com (Postfix) with ESMTPA id 95717336873 for <acme@ietf.org>; Tue, 10 Nov 2015 09:49:20 -0500 (EST)
To: acme@ietf.org
References: <mailman.5388.1446977112.6911.acme@ietf.org>
From: Ron Aitchison <ron@zytrax.com>
Message-ID: <56420657.40802@zytrax.com>
Date: Tue, 10 Nov 2015 09:59:35 -0500
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <mailman.5388.1446977112.6911.acme@ietf.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/KI5Z0x3sU1cv-LX7gHWNowYnWp8>
Subject: Re: [Acme] Acme Digest, Vol 13, Issue 3
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2015 14:59:46 -0000
I have just joined this mailing list, read the group charter, the messages over the last week or so (including the meeting report) and the WG draft-ietf-acme-acme-01.txt. I have not read the archives since I assume from the draft date that it reflects current thinking. My comments at this stage are almost all related to the document scope since the methodology (and therefore the required message sets, challenges etc.) should flow from the intended scope not the other way around. Let me start from the position that I would like to see this initiative succeed for a lot of different reasons. All my comments must be read in that context. Section 2 Para 1. This is offered as guiding use case which may have placed unnecessary restrictions, in my opinion, on the ACME scope. I further think that by staying too close to the current CA model an opportunity may been missed to simplify the client/server interactions. As I read the draft it addresses two user case scenarios: Case 1. Where the registered ACME client user wishes to add a domain (user domain apex for want of a better term at this stage, zone may be more appropriate but is not a widely used term outside the DNS world) that they own and control. As a by-product of the domain registration process this user must have control of their DNS and therefore the DNS TXT RR based signed challenge is the only appropriate one as proof of domain ownership. Once this challenge has been verified then subsequent certificate requests for any domain name under the domain (user domain apex) can be granted as long as a) the signed DNS TXT RR is still in place b) the users registration has not been revoked by the CA of record. Whether the domain name requested is a web service, mail service, ldap service, ftp service or even exists is irrelevant. Perhaps, once initial verification is complete the TXT RR could be replaced with a domain cert in a TLSA RR but this may unduly complicate things and I'm not sure it add to security. Case 2. Where a registered user wishes to generate/manipulate certificates for an operational entity where they do not control the domain (the user domain apex) but do control the domain name (the name under the user domain apex). This registered user may have operation control covering multiple domains names (names under multiple user domain apices). There are two sub cases here one where the entity has a web presence (e.g. virtual web hosting) and others where it does not e.g. multi-host mail services or LDAP services etc.. The latter case is not currently supported by the draft, the former can only be handled by a signed file at URL type challenge (a DNS challenge is not appropriate in this case) and is fully handled by the current draft. Case 1 means that for a sub-class of users (domain owners) all the restrictions referenced in the final para of section 4 of the draft are removed. Case 2 stays the same as the current draft, except that non-web services operators could have the various domain owners register as Case 1 and send the domain name certificate and its private key to them (perhaps using ACME client functionality outside the scope of the draft). Whatever user case scenarios are agreed, in whatever form, should appear in the document. A second email follows with some detail comments. -- Ron Aitchison www.zytrax.com ZYTRAX ron@zytrax.com
- Re: [Acme] Acme Digest, Vol 13, Issue 3 Ron Aitchison
- Re: [Acme] Acme Digest, Vol 13, Issue 3 Ron Aitchison