IETF Logo Mail Archive

Re: [Acme] Acme Digest, Vol 13, Issue 3

Ron Aitchison <ron@zytrax.com> Tue, 10 November 2015 14:59 UTC

Return-Path: <ron@zytrax.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16CD61B3800 for <acme@ietfa.amsl.com>; Tue, 10 Nov 2015 06:59:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q8e4iBJcf3cT for <acme@ietfa.amsl.com>; Tue, 10 Nov 2015 06:59:39 -0800 (PST)
Received: from www.zytrax.com (www.zytrax.com [210.23.9.17]) by ietfa.amsl.com (Postfix) with ESMTP id BACCD1B37FE for <acme@ietf.org>; Tue, 10 Nov 2015 06:59:38 -0800 (PST)
Received: from [192.168.1.66] (dsl-67-230-145-222.tor.primus.ca [67.230.145.222]) by www.zytrax.com (Postfix) with ESMTPA id 95717336873 for <acme@ietf.org>; Tue, 10 Nov 2015 09:49:20 -0500 (EST)
To: acme@ietf.org
References: <mailman.5388.1446977112.6911.acme@ietf.org>
From: Ron Aitchison <ron@zytrax.com>
Message-ID: <56420657.40802@zytrax.com>
Date: Tue, 10 Nov 2015 09:59:35 -0500
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <mailman.5388.1446977112.6911.acme@ietf.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/KI5Z0x3sU1cv-LX7gHWNowYnWp8>
Subject: Re: [Acme] Acme Digest, Vol 13, Issue 3
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2015 14:59:46 -0000

I have just joined this mailing list, read the group charter, the 
messages over the last week or so (including the meeting report) and the 
WG draft-ietf-acme-acme-01.txt. I have not read the archives since I 
assume from the draft date that it reflects current thinking. My 
comments at this stage are almost all related to the document scope 
since the methodology (and therefore the required message sets, 
challenges etc.) should flow from the intended scope not the other way 
around. Let me start from the position that I would like to see this 
initiative succeed for a lot of different reasons. All my comments must 
be read in that context.
Section 2 Para 1. This is offered as guiding use case which may have 
placed unnecessary restrictions, in my opinion, on the ACME scope. I 
further think that by staying too close to the current CA model an 
opportunity may been missed to simplify the client/server interactions. 
As I read the draft it addresses two user case scenarios:
Case 1. Where the registered ACME client user wishes to add a domain 
(user domain apex for want of a better term at this stage, zone may be 
more appropriate but is not a widely used term outside the DNS world) 
that they own and control. As a by-product of the domain registration 
process this user must have control of their DNS and therefore the DNS 
TXT RR based signed challenge is the only appropriate one as proof of 
domain ownership. Once this challenge has been verified then subsequent 
certificate requests for any domain name under the domain (user domain 
apex) can be granted as long as a) the signed DNS TXT RR is still in 
place b) the users registration has not been revoked by the CA of 
record. Whether the domain name requested is a web service, mail 
service, ldap service, ftp service or even exists is irrelevant. 
Perhaps, once initial verification is complete the TXT RR could be 
replaced with a domain cert in a TLSA RR but this may unduly complicate 
things and I'm not sure it add to security.
Case 2. Where a registered user wishes to generate/manipulate 
certificates for an operational entity where they do not control the 
domain (the user domain apex) but do control the domain name (the name 
under the user domain apex). This registered user may have operation 
control covering multiple domains names (names under multiple user 
domain apices). There are two sub cases here one where the entity has a 
web presence (e.g. virtual web hosting) and others where it does not 
e.g. multi-host mail services or LDAP services etc.. The latter case is 
not currently supported by the draft, the former can only be handled by 
a signed file at URL type challenge (a DNS challenge is not appropriate 
in this case) and is fully handled by the current draft.
Case 1 means that for a sub-class of users (domain owners) all the 
restrictions referenced in the final para of section 4 of the draft are 
removed. Case 2 stays the same as the current draft, except that non-web 
services operators could have the various domain owners register as Case 
1 and send the domain name certificate and its private key to them 
(perhaps using ACME client functionality outside the scope of the draft).
Whatever user case scenarios are agreed, in whatever form, should appear 
in the document.
A second email follows with some detail comments.
-- 
Ron Aitchison                      www.zytrax.com
ZYTRAX                             ron@zytrax.com

v2.23.0 | Report a Bug | By Email