Re: [Acme] kinds of proof

Peter Bowen <pzbowen@gmail.com> Tue, 02 December 2014 01:12 UTC

Return-Path: <pzbowen@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 950E41A1A7A for <acme@ietfa.amsl.com>; Mon, 1 Dec 2014 17:12:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u41Avk1z6ULv for <acme@ietfa.amsl.com>; Mon, 1 Dec 2014 17:12:35 -0800 (PST)
Received: from mail-pa0-x22f.google.com (mail-pa0-x22f.google.com [IPv6:2607:f8b0:400e:c03::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 291401AC43A for <acme@ietf.org>; Mon, 1 Dec 2014 17:12:35 -0800 (PST)
Received: by mail-pa0-f47.google.com with SMTP id kq14so12267964pab.20 for <acme@ietf.org>; Mon, 01 Dec 2014 17:12:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=ApPeUKpGovddffESETJE5Uow1nJGtnZNobDT1K0NDNE=; b=fL/kh6KG+4//NYJ/Ii8Bl5UmBodMWa9BNEHFp7/pI3Tx1oXFYi5ErDQ1wIXjY3Uu3L a8Ojy6kLyr3QMGOHPMbEagXdw4zr1m2f8Q12r6oXYsspa/AQB8ZxM1v5GLGgfXVBoWed oBYyrGal48rbx4EZDRygfzV2qc5uso8xML9BrM5Uek88fvxCgY4docU6VY1XT+QAyDte gkL/cdSB/LX687VSlHS9SYM8fPqP1tEcN0yA0Gs7bZVEXIQomvXN7aq0AUy9CuqHYSY+ DVFVyNM+di9bM3JO8t6AI1Yd2kSn6mXZn03D+Kf7C1Sss4htYnVe1OxMeDa7IXmdeU3Y FMhg==
MIME-Version: 1.0
X-Received: by 10.68.179.5 with SMTP id dc5mr740947pbc.147.1417482754407; Mon, 01 Dec 2014 17:12:34 -0800 (PST)
Received: by 10.70.76.10 with HTTP; Mon, 1 Dec 2014 17:12:34 -0800 (PST)
In-Reply-To: <m2tx1ehq63.wl%randy@psg.com>
References: <CAL02cgTgpjQffow2XuaNuT7BtqYVttXdVUgyqBFbsAbN4g0VzQ@mail.gmail.com> <DEC7A8A8-563D-41B3-94AC-71DC7219D3F8@cisco.com> <m27fyg4yzg.wl%randy@psg.com> <547754C0.9050306@cs.tcd.ie> <20141127211348.GE25114@mournblade.imrryr.org> <54784C61.2080508@cs.tcd.ie> <20141128170917.GC285@mournblade.imrryr.org> <88B49E1D-1601-4B86-8D93-14CF71501DFC@vpnc.org> <20141128213724.GG285@mournblade.imrryr.org> <7261AA75-5912-4514-A393-94F602C941C2@vpnc.org> <20141129170537.GK285@mournblade.imrryr.org> <m2tx1ehq63.wl%randy@psg.com>
Date: Mon, 1 Dec 2014 17:12:34 -0800
Message-ID: <CAK6vND83ehPaMtKm0i9nX2H+8k-xo_ztuh+fbnETn7HaoZqr3Q@mail.gmail.com>
From: Peter Bowen <pzbowen@gmail.com>
To: Randy Bush <randy@psg.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/Mzk7LfFnEf4Ec4FyVFj9DVzox-w
Cc: acme@ietf.org, Viktor Dukhovni <ietf-dane@dukhovni.org>
Subject: Re: [Acme] kinds of proof
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Dec 2014 01:12:36 -0000

On Mon, Dec 1, 2014 at 4:05 PM, Randy Bush <randy@psg.com> wrote:
>>> And it is clear to me that they should be, if we want to see more encryption
>>> of traffic. I have no problem with some CAs saying "we'll issue you a cert
>>> only if you control port X", but I absolutely want that to be a policy of
>>> the CA, not of the enrollment protocol.
>>
>> Paul, do you have any examples of CAs that accept any port, or are
>> you in part making that up?  Comodo for example, requires control
>> of port 80:
>
> or dns

Yes, several CAs allow DNS based validation of control.
https://gist.github.com/pzb/3b57ddac91ccf0e4c814 lists several of the
schemes I've seen used.  There is clearly no standard or even
quasi-standard for DNS based validation.

Thanks,
Peter