Re: [Acme] kinds of proof

Phillip Hallam-Baker <phill@hallambaker.com> Fri, 28 November 2014 17:20 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C21FA1A0267 for <acme@ietfa.amsl.com>; Fri, 28 Nov 2014 09:20:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eURrw-IfzWFf for <acme@ietfa.amsl.com>; Fri, 28 Nov 2014 09:20:07 -0800 (PST)
Received: from mail-la0-x22f.google.com (mail-la0-x22f.google.com [IPv6:2a00:1450:4010:c03::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C76D1A008D for <acme@ietf.org>; Fri, 28 Nov 2014 09:19:53 -0800 (PST)
Received: by mail-la0-f47.google.com with SMTP id hz20so5836154lab.6 for <acme@ietf.org>; Fri, 28 Nov 2014 09:19:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=h9p6vjseOJz3LnDA5vVlK0a+h+s4L0Rtvdhe+N8FcC0=; b=LjXKNyVdX7aRpTocWtsovEcSfboltdwlPKUtX0F7k4NhYFpjhlMUgD4w09GvbJdZca PvQc0RaR4ITKRdwy9QZsBn7nd3vqdYQtbSFYnfArn2KRwW2kf7lTiJBLPMydZ6GmB5UF FgV5LYa28gx4UJ8swtT6pOzR6zoTm6yH5iSp2997huch1phgEGgmUa7GBtREHdhNstpH /ciyRBfqpca7/a1Pt6a1LkK4QaUa64b9E5vFZnxAhdZ01WLROv6iWLRxZza02cXLaPDk 3Th9lqwhNga8u2zL4UeQUn2F+MPZcB1CPpZtwy6t07XXZTuCyX995tAUFWM3/qek79ml QGvA==
MIME-Version: 1.0
X-Received: by 10.112.160.137 with SMTP id xk9mr2332733lbb.99.1417195191668; Fri, 28 Nov 2014 09:19:51 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.34.212 with HTTP; Fri, 28 Nov 2014 09:19:51 -0800 (PST)
In-Reply-To: <1F442BA7-C7D4-49AD-AA9D-49B86B39159D@vpnc.org>
References: <AD5940AA-6F01-4D0E-A4E0-19AEA56BBED3@vpnc.org> <CAL02cgTgpjQffow2XuaNuT7BtqYVttXdVUgyqBFbsAbN4g0VzQ@mail.gmail.com> <DEC7A8A8-563D-41B3-94AC-71DC7219D3F8@cisco.com> <m27fyg4yzg.wl%randy@psg.com> <547754C0.9050306@cs.tcd.ie> <20141127211348.GE25114@mournblade.imrryr.org> <54784C61.2080508@cs.tcd.ie> <1F442BA7-C7D4-49AD-AA9D-49B86B39159D@vpnc.org>
Date: Fri, 28 Nov 2014 12:19:51 -0500
X-Google-Sender-Auth: 6e9Gg-cdkgu-8U744CD-XW7FLyU
Message-ID: <CAMm+Lwgm2N1Cg=i-HoZyLR1PuG2+5a+Siydo=SXvuGjOojph5w@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/Ke606hhgEXZUQRpV4bUaY525Ld0
Cc: "acme@ietf.org" <acme@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [Acme] kinds of proof
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Nov 2014 17:20:09 -0000

On Fri, Nov 28, 2014 at 10:32 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> On Nov 28, 2014, at 2:20 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>> Yep. Fully agree about DV. But DV isn't the only kind of
>> validation I'd like to be supported here.
>>
>> I'd like if it were possible to extend that to include cases
>> where one has control over the web server, but not the DNS.
>
> Those two paragraphs don't really go together. You absolutely can do DV in cases where you don't have control over the DNS; that's basically how all web certificate enrollment happens today.


I think the underlying question is whether we are just going to
support one provider of free certs (who has yet to issue one) or
support a more general approach. My view is that we should, not least
because my employer has been giving away SSL certs for eight years...

The significant change here is the automation. Free isn't enough on its own.


In addition, any new proposal has to work with DANE and with HSTS and
CAA. Not at all difficult to do, but does require some thought.