Re: [Acme] Want client-defined callback port

Bruce Gaya <gaya@apple.com> Wed, 22 April 2015 02:53 UTC

From: Bruce Gaya <gaya@apple.com>
Date: Tue, 21 Apr 2015 19:53:25 -0700
To: "Salz, Rich" <rsalz@akamai.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/L6XOy33sZIUzRHLBnnRvYckZrdY>
Cc: Richard Barnes <rlb@ipv.sx>, Nico Williams <nico@cryptonector.com>, "acme@ietf.org" <acme@ietf.org>

> On 21 Apr 2015, at 18:23, Salz, Rich <rsalz@akamai.com> wrote:
> 
> I understand that you want it to “just work” (you said that a couple of times :), but other folks have raised security concerns – do you understand or agree with them?

I agree that client access to ports below 1024 usually requires more privileges and that’s generally safer than allowing any client port.

> One way forward is to say a client MAY specify a port, where the default is 443. An ACME server MAY reject requests for ports other than 443 if it is in violation of the operating policy.

That would work.

The policy of Let’s Encrypt Certificate Authority, however, is very important! I also would very much like that CA to allow client-defined callback ports below 1024.

Bruce
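As an added example, not from this thread or from any ACME implementation, here is a server-side check that implements the rule proposed above (the client MAY name a callback port, the default is 443, and the server MAY reject other ports under its operating policy), with a constructed policy that admits only privileged ports below 1024, the point Bruce concedes. `PortPolicy` and `decide_callback_port` are hypothetical names.

```python
# Added example: server-side policy check for a client-proposed ACME
# validation callback port. Not part of the mailing-list thread or of
# any ACME server; names and policy values are constructed.
from dataclasses import dataclass

DEFAULT_PORT = 443
PRIVILEGED_MAX = 1023  # ports 1..1023 need elevated privileges to bind


@dataclass(frozen=True)
class PortPolicy:
    """Operator policy for callback ports (hypothetical)."""
    # False: accept only DEFAULT_PORT, whatever the client asks for.
    allow_client_port: bool = True
    # Ports the operator is willing to connect to when a client names one.
    # Privileged-only: an unprivileged user on a shared host cannot bind
    # these, so answering on them is evidence of host-level control.
    allowed: frozenset = frozenset(range(1, PRIVILEGED_MAX + 1))


def decide_callback_port(requested, policy: PortPolicy):
    """Return (port, None) if accepted, or (None, reason) if rejected.

    `requested` is the client's value as parsed from its request, or
    None when the client did not name a port.
    """
    if requested is None:
        return DEFAULT_PORT, None
    # bool is a subclass of int; reject it explicitly along with strings.
    if isinstance(requested, bool) or not isinstance(requested, int):
        return None, "port must be an integer"
    if not 1 <= requested <= 65535:
        return None, "port out of range"
    if requested == DEFAULT_PORT:
        return requested, None  # the default never violates policy
    if not policy.allow_client_port:
        return None, "policy: only port %d is accepted" % DEFAULT_PORT
    if requested not in policy.allowed:
        return None, "policy: port %d not permitted" % requested
    return requested, None


if __name__ == "__main__":
    # Constructed sample requests: None means "no port given".
    for req in (None, 443, 80, 1024, 8443, "443"):
        port, reason = decide_callback_port(req, PortPolicy())
        print("requested=%r -> %s" % (req, port if reason is None else reason))
```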