Re: [Acme] Issuing certificates based on Simple HTTP challenges
Julian Dropmann <julian@dropmann.org> Tue, 15 December 2015 14:11 UTC
Return-Path: <julian@dropmann.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 743C31A89AA for <acme@ietfa.amsl.com>; Tue, 15 Dec 2015 06:11:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NJpMSZyNiHDY for <acme@ietfa.amsl.com>; Tue, 15 Dec 2015 06:11:47 -0800 (PST)
Received: from mail-lb0-x230.google.com (mail-lb0-x230.google.com [IPv6:2a00:1450:4010:c04::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 869A41A89A7 for <acme@ietf.org>; Tue, 15 Dec 2015 06:11:46 -0800 (PST)
Received: by mail-lb0-x230.google.com with SMTP id lt2so6412164lbb.3 for <acme@ietf.org>; Tue, 15 Dec 2015 06:11:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dropmann.org; s=dkim1; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=GDpsi0tlw5dqIxzeoDJmchnSi12hrrsNLhbpfMIK4HE=; b=OG4TnPAsQJVyJ5MwRMno7XyMcodGkmTEZUp2JeyJbQakdaTlziXzGuSBtLX6W2bZ+Q nNksmaGEUsa4cVtZSytFUvLXF7EdcZFR4eXoBi6vvbLsgirwFBpNIvnuWKlDz6HUL4+W Kwvid3kh3Q/XeUqlXG1yp9bWeOxmfkqM7o5E8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=GDpsi0tlw5dqIxzeoDJmchnSi12hrrsNLhbpfMIK4HE=; b=mXSKtP7W7mN4xHCKweGBwIH4mZZG6H3eo+Rc4Gx2Ynnhb+C2YC21XiW9UvlSbqiaVP d2DLczXUutOItoNCA11+EobHCO49HNH3+KKG0bbLmVvltPyCRd3K2Fbw+jrgABQ6ci0a JEhEJHi1YteAifxpMdqyqKZeyxqb6rKbHyHtSePvVDW99An3u7QQgPXOadfVgLP+A5EU cNbhwP45bG4ryZ1YqqVG3kLhANd1M0lJiuY/TO8yDELSdMdC9jiTHqoMQqIJoA97q6Sa 8M5EkMsmlZJuZw5neNBn4Y8LCR3f/9V109sv2FwKc8jXtzfysADoRBBaHwCc07wfa3MP 8E8Q==
X-Gm-Message-State: ALoCoQlfQIn7zZDll+O9k/nEwMA2sC3Eqm0LtA+PUFR/Gl11lkA12cAqooNqlmugX12xN7ayuEq3Aq8DgMBXv5JDeoIGuJOOOA==
MIME-Version: 1.0
X-Received: by 10.112.167.131 with SMTP id zo3mr15748114lbb.91.1450188704593; Tue, 15 Dec 2015 06:11:44 -0800 (PST)
Received: by 10.25.39.2 with HTTP; Tue, 15 Dec 2015 06:11:44 -0800 (PST)
X-Originating-IP: [62.154.225.234]
In-Reply-To: <56701904.2070009@cs.tcd.ie>
References: <CAF+SmEpOLoaREymVhi=qOUg2opz1vKzzNp6tGrDTZAjYSKFDkg@mail.gmail.com> <566F15DC.7090607@wyraz.de> <6B677A87-C6A0-485E-80DF-24960D585F46@coderanger.net> <566F2CB5.90402@wyraz.de> <89774336-0BA6-48FC-821D-1E8F3ED9AC14@coderanger.net> <566F4701.7050308@wyraz.de> <F3DA31B1-B27C-4C63-8ED4-6D27D46FF282@coderanger.net> <C2C239F2-E8A7-499B-BE52-3A48EA92B86D@dropmann.org> <BF7F8411-3E83-4A1F-B3A1-4C37DC8B4618@coderanger.net> <3CDE1749-3143-49EE-BD66-0AE4A8CC4175@dropmann.org> <566FDAB7.2030403@cs.tcd.ie> <56700F68.3040103@wyraz.de> <56701904.2070009@cs.tcd.ie>
Date: Tue, 15 Dec 2015 15:11:44 +0100
Message-ID: <CAF+SmEr2LptJ81VrtmaAaKcFrwoC2mD2Pn0hQwi_2K8SpFLAtg@mail.gmail.com>
From: Julian Dropmann <julian@dropmann.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="001a11c33ea6985ba20526f05eea"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/Kou7IslToMfl65u8L8ydHDeXdn4>
Cc: acme@ietf.org, Michael Wyraz <michael@wyraz.de>
Subject: Re: [Acme] Issuing certificates based on Simple HTTP challenges
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Dec 2015 14:11:52 -0000
I think the problem here is not that its too complex stuff, the real problem is that you are not currently able to automate it in the real world. I understand the reasoning that you subordinate every other goal, even security to this in order to reinforce the usage of TLS in general. But there is a difference, if some random CA offers a proprietary verification mechanism doing this, then when there is a public standard not covering those issues. There should at least be an optional way for implementations which shows how it should be done in a more optimistic scenario, then the current one where, as you mentioned earlier "CAs only have p#10 in common". The same thing applies to domain registrars I guess. On Tue, Dec 15, 2015 at 2:43 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > Hiya, > > On 15/12/15 13:02, Michael Wyraz wrote: > > Stephen, > > > > I agree that getting things started I very important for lets encrypt. > > But in my understanding, this is the mailing list for discussing the > > ACME protocol, not the 1st implementation of it. > > Yes, I understand that and didn't actually refer to LE at all in > my mail. > > > So shouldn't we > > think/discuss what comes after "now"? > > Basically, IMO only after we first get a "now" that works. I've seen > over-complex PKI management efforts fail for 20 years. Another such > failure isn't interesting. > > > IMO using SRV as an option for specifying which host/port (if any) is > > responsible for ACME is a step in the right direction. It can be > > optional which gives security-aware admins the possibility to make > > their system more safe without loosing comfort for those who don't care > > a lot about security. > > I like ideas that are additional to the easiest HTTP stuff. But that > easiest stuff is the core work here. But sure, additional things that > are optional are fine. > > Personally the optional thing in which I'm much more interested is > a simple put-challenge-in-DNS one where the CA pays attention to > DNSSEC, since that's the use-case I have and that would provide > some better assurance to the certs acquired via acme. I can see > that there might also be value for some (other) folks in SRV if > it means no need to dynamically change DNS. > > But, if someone is saying "we must all do these more complex things > for security reasons" then they are, in this context, wrong. And > my mail was reacting to just such a statement. > > > > > Have a look at all the discussions about "allow other ports than > > 80/443". People argue what could be safe ports for ACME and what not. > > Why do an assumption instead of let people declare the port with a > > fallback to 80/443. > > Ease of deployment wins IMO. I think an SRV based solution will be > a niche and ought not be used by the default/basic mechanism. > > S. > > > > > > Regards, > > Michael. > > > > > >> > >> On 15/12/15 03:03, Julian Dropmann wrote: > >>> I agree that the problem would still remain on a global scope, but > >>> the argument, that there are other "dirty" CA's so we have to be > >>> "dirty" too, is very questionable... at least... > >>> > >>> Is this a race to the bottom: The CA with lowest security standards > >>> wins? > >>> > >>> Why should one trust any of those? > >> I think you are not taking into account what I think is the > >> point of acme. The overwhelming goals here are automation and > >> real (*) deployment of a standards based way to manage PKI > >> for the most popular applications using PKI. > >> > >> Once we get the above done, then the security/assurance bar > >> can be raised over time in a useful manner. Today, it cannot, > >> as the CAs only have p#10 in common really and the rest of > >> what they do is effectively proprietary. > >> > >> So it is entirely valid here to argue that "same security as > >> current WebPKI" is a good starting point. > >> > >> Cheers, > >> S. > >> > >> (*) I say that as a co-author of RFC2510 and successors which > >> was afaik the original but by no meanss the only failed attempt > >> to do this. My experience with all of that tells ms that it is > >> more important to prioritise initial deployment over almost all > >> else. > >> > >> > >>>> On 15 Dec 2015, at 03:32, Noah Kantrowitz <noah@coderanger.net> > >>>> wrote: > >>>> > >>>> And the counter to that is the huge number of existing CAs that > >>>> allow URL-based verification. We would pay the costs of increased > >>>> complexity for setup (for example, the existing LE client would be > >>>> totally impossible) but don't actually reap any benefits until the > >>>> last of those CA shuts down. Hence, pragmatism with a bias towards > >>>> improving accessibility. If the person running your website is > >>>> actively hostile, they can probably get into some pretty serious > >>>> mischief anyway :-/ (all of my arguments are absolutely dismissible > >>>> as "slippery slope" fallacies for those playing along at home) > >>>> > >>>> --Noah > >>>> > >>>>> On Dec 14, 2015, at 6:20 PM, Julian Dropmann > >>>>> <julian@dropmann.org> wrote: > >>>>> > >>>>> The important difference is, that only zones which intent to use > >>>>> ACRE would create such an SRV record in the first place. With the > >>>>> current design any A record host in the world can obtain certs. > >>>>> By using an ACRE specific SRV record the domain owner at has at > >>>>> least shown the intent to use ACRE for his zone. And also he > >>>>> could limit it to a specific port number/service on that host. I > >>>>> think this would be a very huge security improvement, and of the > >>>>> verification quality in general, but only if this would not be an > >>>>> optional thing. > >>>>> > >>>>>> On 15 Dec 2015, at 00:02, Noah Kantrowitz <noah@coderanger.net> > >>>>>> wrote: > >>>>>> > >>>>>> It wouldn't matter anyway because even with a SRV delegation > >>>>>> for the challenge, the final cert is still issued against only > >>>>>> a hostname, not a specific service. Combined with the fact that > >>>>>> there are existing CAs that do a rough equivalent of http-01 > >>>>>> and we can't expect that to go away any time soon, it isn't > >>>>>> hard to see why pragmatism won out in the initial design. > >>>>>> Fixing this for reals requires TLS-level protocol improvements > >>>>>> for per-service certificates. Not against that, just saying > >>>>>> you've got a long road ahead of you. > >>>>>> > >>>>>> --Noah > >>>>>> > >>>>>>> On Dec 14, 2015, at 2:47 PM, Michael Wyraz <michael@wyraz.de> > >>>>>>> wrote: > >>>>>>> > >>>>>>> I thought about all the DNS stuff and came to the conclusion > >>>>>>> that focussing ssl certs for https only and ignoring all the > >>>>>>> rest may cause further security issues. E.g. if I delegate > >>>>>>> http (via A-record or CNAME) to someone else, he can now > >>>>>>> create valid ssl certs for my mail server which I did not > >>>>>>> delegate. IMO A-record should be dedicated to http(s) (for > >>>>>>> legacy reasons, see > >>>>>>> > http://stackoverflow.com/questions/9063378/why-do-browsers-not-use-srv-records > ) > >>>>>>> and all other services (inclusing ACME) should use their own > >>>>>>> srv records. > >>>>>>> > >>>>>>> Looks like a decision between comfort and security - let's > >>>>>>> bet what will win... > >>>>>>> > >>>>>>>> Fair, adding a DNS-level opt-out would be a reasonable > >>>>>>>> addition for future iterations, but not a hugely pressing > >>>>>>>> issue given the expected use cases. > >>>>>>>> > >>>>>>>> --Noah > >>>>>>>> > >>>>>>>> > >>>>>>>>> On Dec 14, 2015, at 12:55 PM, Michael Wyraz > >>>>>>>>> <michael@wyraz.de> wrote: > >>>>>>>>> > >>>>>>>>> So just leave out the part with "then switch completely > >>>>>>>>> from A to SRV" and allow both. This gives people the > >>>>>>>>> comfort to use A/CNAME stuff while others who prefer > >>>>>>>>> security use SRV. Both are happy, problem solved ;-) > >>>>>>>>> > >>>>>>>>>> Using normal A/CNAME records matches the default use > >>>>>>>>>> case of HTTPS a lot more smoothly and allows a lot of > >>>>>>>>>> cool transparent upgrade stuffs from folks like > >>>>>>>>>> DreamHost or Fastly that already do the CNAME setup as > >>>>>>>>>> part of user on-boarding and can run http-01 on the > >>>>>>>>>> behalf of the user to set them up on an SNI > >>>>>>>>>> termination. If all the major CDNs did this, it would > >>>>>>>>>> be worth the negative issues where HTTP is delegated to > >>>>>>>>>> an untrusted service. If TLS ever grows per-service > >>>>>>>>>> restrictions that would be appropriate here, but that > >>>>>>>>>> is waaaay out of scope for ACME I would think :-/ > >>>>>>>>>> > >>>>>>>>>> --Noah > >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>>> On Dec 14, 2015, at 11:17 AM, Michael Wyraz > >>>>>>>>>>> <michael@wyraz.de> > >>>>>>>>>>> > >>>>>>>>>>> wrote: > >>>>>>>>>>> > >>>>>>>>>>> Julian, > >>>>>>>>>>> > >>>>>>>>>>> the issue your described here is caused by the > >>>>>>>>>>> assumption that any the A-record points to a host > >>>>>>>>>>> that should be allowed to create certs for that > >>>>>>>>>>> domain. IMO a solution would be simple: use some > >>>>>>>>>>> special SRV record that points to a service that does > >>>>>>>>>>> the challenge. Allow users to set this record to > >>>>>>>>>>> something like "none" to completely disallow > >>>>>>>>>>> ACME-based cert generation. Use A-record as fallback > >>>>>>>>>>> for a given time (e.g. one year), then switch > >>>>>>>>>>> completely from A to SRV, > >>>>>>>>>>> > >>>>>>>>>>> Problem solved ;-) > >>>>>>>>>>> > >>>>>>>>>>> And it's almost as comfortable as using the A-record > >>>>>>>>>>> because it needs just one single additional step, no > >>>>>>>>>>> change of the client, absolutely minimal change to > >>>>>>>>>>> the server, no extra software or support for dynamic > >>>>>>>>>>> DNS updates or such. > >>>>>>>>>>> > >>>>>>>>>>> As a side effect it solves many problems with ACME in > >>>>>>>>>>> complex environments like geo-distributed dns. > >>>>>>>>>>> > >>>>>>>>>>> Kind regards, Michael. > >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>>> Hello, > >>>>>>>>>>>> > >>>>>>>>>>>> maybe I am just a naive concerned user, but in my > >>>>>>>>>>>> opinion there is one major issue with the Simple > >>>>>>>>>>>> HTTP challenge and possibly other challenges, > >>>>>>>>>>>> specified by ACME: > >>>>>>>>>>>> > >>>>>>>>>>>> Any host which is specified by an A/AAAA record of > >>>>>>>>>>>> that domain zone can obtain trusted certificates in > >>>>>>>>>>>> the name of the domain zone owner. Lets assume I > >>>>>>>>>>>> host an private XMPP server using TLS on my own > >>>>>>>>>>>> domain using an SRV record, and I point an A record > >>>>>>>>>>>> to a third party hoster which hosts my public web > >>>>>>>>>>>> blog. Now this third party hoster would be able to > >>>>>>>>>>>> obtain signed certificates for my domain using ACME > >>>>>>>>>>>> and use that to host an XMPP service on that domain > >>>>>>>>>>>> using the standard port. Clients which trust that > >>>>>>>>>>>> CA are now perfectly happy connecting to that > >>>>>>>>>>>> entity. > >>>>>>>>>>>> > >>>>>>>>>>>> By creating an A record I ofcourse need to trust > >>>>>>>>>>>> that host to some degree, but I still would expect > >>>>>>>>>>>> the CA to verify if the requester has control over > >>>>>>>>>>>> the DNS zone itself an not just over a single > >>>>>>>>>>>> service running there. > >>>>>>>>>>>> > >>>>>>>>>>>> And consequently if it is valid to verify over > >>>>>>>>>>>> HTTP, then maybe another CA validates the domain > >>>>>>>>>>>> ownership by a mail service/MX record, and a third > >>>>>>>>>>>> one over XMPP/SRV. > >>>>>>>>>>>> > >>>>>>>>>>>> This effectively means, as a domain zone admin, I > >>>>>>>>>>>> have to trust every single service I define, not > >>>>>>>>>>>> just to properly deliver this service, but also not > >>>>>>>>>>>> to exploit his ability to obtain signed > >>>>>>>>>>>> certificates in my name. > >>>>>>>>>>>> > >>>>>>>>>>>> Also you rely on the fact that on UNIX only root > >>>>>>>>>>>> can bind on port 80 and 443. Lets assume there is > >>>>>>>>>>>> an OS out there which does not enforce this > >>>>>>>>>>>> restriciton, now any user on that host is able to > >>>>>>>>>>>> obtain signed certificates for that domain. > >>>>>>>>>>>> > >>>>>>>>>>>> Maybe I missed something here, but overall this > >>>>>>>>>>>> seems to be a very bad idea to automatically issue > >>>>>>>>>>>> certificates without requiring a change in the > >>>>>>>>>>>> actual DNS zone the certificate is issued for. > >>>>>>>>>>>> > >>>>>>>>>>>> Kind regards, Julian Dropmann > >>>>>>>>>>>> > >>>>>>>>>>>> > >>>>>>>>>>>> _______________________________________________ > >>>>>>>>>>>> Acme mailing list > >>>>>>>>>>>> > >>>>>>>>>>>> > >>>>>>>>>>>> > >>>>>>>>>>>> Acme@ietf.org > >>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/acme > >>>>>>>>>>> _______________________________________________ Acme > >>>>>>>>>>> mailing list > >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>> Acme@ietf.org > >>>>>>>>>>> https://www.ietf.org/mailman/listinfo/acme > >>>>>>>>>> _______________________________________________ Acme > >>>>>>>>>> mailing list > >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> Acme@ietf.org > >>>>>>>>>> https://www.ietf.org/mailman/listinfo/acme > >>>>>>>>> _______________________________________________ Acme > >>>>>>>>> mailing list > >>>>>>>>> > >>>>>>>>> Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme > >>>>>>>> > >>>>>>>> _______________________________________________ Acme > >>>>>>>> mailing list > >>>>>>>> > >>>>>>>> Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme > >>>>>>> _______________________________________________ Acme mailing > >>>>>>> list Acme@ietf.org > >>>>>>> https://www.ietf.org/mailman/listinfo/acme > >>>>>> _______________________________________________ Acme mailing > >>>>>> list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme > >>>>> _______________________________________________ Acme mailing > >>>>> list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme > >>>> _______________________________________________ Acme mailing list > >>>> Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme > >>> _______________________________________________ Acme mailing list > >>> Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme > >>> > >> _______________________________________________ > >> Acme mailing list > >> Acme@ietf.org > >> https://www.ietf.org/mailman/listinfo/acme > > > > > > _______________________________________________ > > Acme mailing list > > Acme@ietf.org > > https://www.ietf.org/mailman/listinfo/acme > > > > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme >
- [Acme] Issuing certificates based on Simple HTTP … Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… moparisthebest
- Re: [Acme] Issuing certificates based on Simple H… Ilari Liusvaara
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Ilari Liusvaara
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Peter Bowen
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Kim Alvefur
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Kim Alvefur
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Richard Barnes
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Richard Barnes
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Noah Kantrowitz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Salz, Rich
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Julian Dropmann
- Re: [Acme] Issuing certificates based on Simple H… Peter Bowen
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Michael Wyraz
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Phillip Hallam-Baker
- Re: [Acme] Issuing certificates based on Simple H… Stephen Farrell