Re: [Acme] dns-01 challenge limitations

Ryan Sleevi <ryan-ietf@sleevi.com> Sun, 13 September 2020 22:01 UTC

References: <uu-OR5wP1b7svN1Rxems1U8_axHG7M8M9_kYqTBVyhQFxqrddppvhasyxKtLQ-4AZkrbBWhJ_9V-Xs8mQBK5E4smP4_1vANgZazIwicsbq0=@emersion.fr> <28079.1599844001@localhost> <lp_PV1Faiz60HayUqYhD_DtpPHgiEVhFMSeBPicOw9XsiDkG_6S6CmbqqD1CNqy5nN44FlX7BPZ0N4cQRksC2ZG7UmKhzE-HCnPJelNvhaE=@emersion.fr>
In-Reply-To: <lp_PV1Faiz60HayUqYhD_DtpPHgiEVhFMSeBPicOw9XsiDkG_6S6CmbqqD1CNqy5nN44FlX7BPZ0N4cQRksC2ZG7UmKhzE-HCnPJelNvhaE=@emersion.fr>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Sun, 13 Sep 2020 18:01:12 -0400
Message-ID: <CAErg=HEHyHurT_9RhfALNop_qGWPCjqSDC8JJKZAbs7q-rFbJA@mail.gmail.com>
To: Simon Ser <contact@emersion.fr>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, Matthew Holt <Matthew.Holt@gmail.com>, acme@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/L7l2ESZbfQxTsbTSV5RjVH1-DCI>

On Sun, Sep 13, 2020 at 5:25 AM Simon Ser <contact@emersion.fr> wrote:

> > The question would be whether or not it would get implemented.
>
> Yes, this is why I'm writing to this mailing list. Maybe I should've CC'ed
> some Let's Encrypt specific mailing list as well.


It's certainly possible, but to be clear: any option for implementing a
validation method needs to be clear enough that browser/OS vendors will
permit it as acceptable. The gating function here is whether product
vendors, for their products, find it sufficiently secure, not whether CAs
do. CAs can often act as intermediaries, proposing ideas to browser/OS
vendors. Ultimately, as (sometimes contracted, always delegated) suppliers,
acting on behalf of the browser/OS vendor, your ultimate gate isn't
demonstrating whether there's consensus to write an I-D, or consensus with
a CA, but that there's consensus with the browser/OS vendors that would
implement it within their root programs.