IETF Logo Mail Archive

Re: [Acme] Issuing certificates based on Simple HTTP challenges

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 16 December 2015 13:38 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B54A1B2D87 for <acme@ietfa.amsl.com>; Wed, 16 Dec 2015 05:38:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id laU_v9SzBNJw for <acme@ietfa.amsl.com>; Wed, 16 Dec 2015 05:38:53 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CFAA81B2D86 for <acme@ietf.org>; Wed, 16 Dec 2015 05:38:52 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id DCE76BE57; Wed, 16 Dec 2015 13:38:50 +0000 (GMT)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xW10mjdxCTeC; Wed, 16 Dec 2015 13:38:50 +0000 (GMT)
Received: from [134.226.36.93] (bilbo.dsg.cs.tcd.ie [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 9615DBE87; Wed, 16 Dec 2015 13:38:45 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1450273126; bh=eVwtaiLPkTHU2umJ22+A2ZUlAPgcDR8Vmgzw1/4u23k=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=nUTD3h2U7XkGVBQaMZ5ckfAF+LQta+erKUScRo3XxXcRHnJljFmqcRqRd6i8hGw1l JYYlpFzyfJ4HWysHsBsz9jIvUetKV3Mk0MZjGzloyRfGukXt80L08snZelKkrrfQL9 jukEouPX865B2CNUW5M1Y+9Js3yNiLELOe5MhMVQ=
To: Julian Dropmann <julian@dropmann.org>
References: <CAF+SmEpOLoaREymVhi=qOUg2opz1vKzzNp6tGrDTZAjYSKFDkg@mail.gmail.com> <6B677A87-C6A0-485E-80DF-24960D585F46@coderanger.net> <566F2CB5.90402@wyraz.de> <89774336-0BA6-48FC-821D-1E8F3ED9AC14@coderanger.net> <566F4701.7050308@wyraz.de> <F3DA31B1-B27C-4C63-8ED4-6D27D46FF282@coderanger.net> <C2C239F2-E8A7-499B-BE52-3A48EA92B86D@dropmann.org> <BF7F8411-3E83-4A1F-B3A1-4C37DC8B4618@coderanger.net> <3CDE1749-3143-49EE-BD66-0AE4A8CC4175@dropmann.org> <566FDAB7.2030403@cs.tcd.ie> <56700F68.3040103@wyraz.de> <56701904.2070009@cs.tcd.ie> <56702EFA.1050008@wyraz.de> <13B5E9A8-E9CE-4018-8A9D-7856CBF06B4F@coderanger.net> <CAMm+Lwhvf+nRVV38q1U1DKm1WStV1UJv4+EJ_zvq0G_Tb25S9w@mail.gmail.com> <2761E0B2-8DCC-4150-813F-8CAB756C0392@coderanger.net> <174B082E-2721-41AE-992D-2937DCCB74CB@dropmann.org> <5670CBD6.5080000@cs.tcd.ie> <CAF+SmEp494K9pQqWNAeH1iS+dsmLSMJnuMpAvjGm0dku3ukEfQ@mail.gmail.com> <56715280.2070600@cs.tcd.ie> <CAF+SmEqND_9bxroNkr72woY9UBjP3BaUS1FbQa44jzfRWR1v+g@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
X-Enigmail-Draft-Status: N1110
Message-ID: <56716964.7070001@cs.tcd.ie>
Date: Wed, 16 Dec 2015 13:38:44 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <CAF+SmEqND_9bxroNkr72woY9UBjP3BaUS1FbQa44jzfRWR1v+g@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/M3HQwv1MId_RTZPFaEd1Qa_uoGo>
Cc: "acme@ietf.org" <acme@ietf.org>, Noah Kantrowitz <noah@coderanger.net>
Subject: Re: [Acme] Issuing certificates based on Simple HTTP challenges
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2015 13:38:55 -0000


On 16/12/15 12:20, Julian Dropmann wrote:
> If they trust you with that, they could just add an ACRE specific SRV

(ACRE? You mean acme I guess.)

> record, and thereby delegate that privilege to create certs to you and
> everything would be fine.

Yes. They could. But they won't;-)

And as it happens in my own specific case I don't want the ability
to get a cert for any name in the relevant zone, I only want to be
able to get and renew certs for the names of my web servers. So the
semantics of the thing you'd put in DNS (or the thing to which it'd
point) would likely end up quite complex. It'd end up much like an
RA is my guess, and I really don't think we want to go there yet
with acme.

> They were able to do this with the A record too.
> 
> I just do not find it intuitive in general that by defining any record you
> do this implicitly as a domain owner.
> At least I personally was not expecting this, but maybe its just me that is
> so stupid.
> 
> And the question was not about whether you personally are legitimated to
> create certs for your university, but whether this should be the case for
> any host of every single zone.

Not "any host" but any host that runs a web server and where the
entity requesting the cert demonstrates control over that web server.
I think that is fine in general myself.

S.

> 
> On Wed, Dec 16, 2015 at 1:01 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie>
> wrote:
> 
>>
>> Julian,
>>
>> On 16/12/15 09:22, Julian Dropmann wrote:
>>> If the owners of the domain decide you not to give you write access to
>>> their zone, there is probably a reason for that.
>>> And this reason is that _they_ want to remain in control.
>>>
>>> So why do you even assume that you should be able to obtain a certificate
>>> for their domain if you do not even have control over that zone?
>>> In my opinion that is exactly the definition of what CAs should verify:
>> If
>>> the requester has control over the zone the CA signs the certificate for.
>>> If the CA issues a certificate for the whole zone, it has to check if
>> this
>>> happens in consent with the people who have control over that entire
>> zone,
>>> and not just one guy running a service there.
>>>
>>> You push this discussion in a direction where its all about ease of use
>> for
>>> the guy running the box to obtain a certificate.
>>> But please explain to me then, why the host behind an A record should
>> have
>>> that legitimization.
>>
>> I'm sorry but I am not seeing what else there is to explain.
>> But I'll try one more time.
>>
>> I control the hosts in question and have for >10 years, even
>> through h/w upgrades. The university don't care that I have
>> been using self-signed certs for all that time and now don't
>> care that I can finally present a cert that verifies in a
>> browser. They are happy enough to trust me to not mess about
>> inside the college network. All of that is entirely legitimate.
>>
>> S.
>>
>>>
>>> On Wed, Dec 16, 2015 at 3:26 AM, Stephen Farrell <
>> stephen.farrell@cs.tcd.ie>
>>> wrote:
>>>
>>>>
>>>> Hiya,
>>>>
>>>> On 16/12/15 01:44, Julian Dropmann wrote:
>>>>> The target users are server admins right? In order to set up their
>>>>> services, they should be familiar with DNS.
>>>>
>>>> Familiar with != has write access to.
>>>>
>>>> In my university, I have root on 24U of boxen with zero write
>>>> access to the routers, f/w, DNS or mail servers, meaning that
>>>> for 13 years I couldn't get the two that are publicly visible
>>>> web servers certified by any CA any time I checked, which was
>>>> admittedly not that often.
>>>
>>>
>>>> ACME (via LE in that case, but I've no allegiance) fixed that
>>>> in a couple of minutes. And those minutes didn't require deep
>>>> knowledge of anything - relative ignorance would have worked
>>>> just as well, which is fantastic:-)
>>>>
>>>> And before someone argues, sure there are other situations but
>>>> our goal here is to define a protocol that works in the most
>>>> common of those cases as easily as possible and that supports
>>>> automation.
>>>>
>>>>> To use the current
>>>>> mechanism they already need to configure the A record.
>>>>
>>>> Not necessarily the same admins. That much is pretty obvious
>>>> and unless someone has demographics about how many sysadmins
>>>> have what access to what (which would be great!) I think this
>>>> is repetitive argument and therefore pointless.
>>>>
>>>> Cheers,
>>>> S.
>>>>
>>>>
>>>>> So whats the
>>>>> big difference? Instead of an A record they need to use an SRV
>>>>> record. So technically only the record type changes. Nothing else.
>>>>> How is that even a higher level of interaction?
>>>>>
>>>>> There are other services requiring admins to create DNS records
>>>>> (Google Apps for example). They are being used.
>>>>
>>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Acme mailing list
>>> Acme@ietf.org
>>> https://www.ietf.org/mailman/listinfo/acme
>>>
>>
> 
> 
> 
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>

v2.23.0 | Report a Bug | By Email