Re: [Acme] Want client-defined callback port

Richard Barnes <rlb@ipv.sx> Fri, 17 April 2015 01:57 UTC

In-Reply-To: <CAK3OfOjey4bk02qC_jj2c0AzZ54qnP=KAJnG=mXnO6A5gZ4m9g@mail.gmail.com>
References: <352DA5FE-AC6F-49A7-8F9F-70A74889204F@apple.com> <CAK3OfOjey4bk02qC_jj2c0AzZ54qnP=KAJnG=mXnO6A5gZ4m9g@mail.gmail.com>
Date: Thu, 16 Apr 2015 21:57:16 -0400
Message-ID: <CAL02cgQ94ijVrCM9SStcodRW+XSG2w5Zwu3+ny8HriDBnxjdtg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Nico Williams <nico@cryptonector.com>
Content-Type: multipart/alternative; boundary=001a11c3d7d451b33b0513e1e617
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/O5NDZHdA_aGGN0djKlGBQbAzqek>
Cc: "acme@ietf.org" <acme@ietf.org>, Bruce Gaya <gaya@apple.com>
Subject: Re: [Acme] Want client-defined callback port

Right.  The property that we're trying to authenticate here is that the
ACME client controls something associated with the hostname.  Ideally, this
would be the person with write access to the zone file (cf. DNS
challenges), but to facilitate validation, modern validation accepts
validation of things like controlling an HTTP or HTTPS server.  It's less
clear that it would be acceptable to validate that someone can provision a
service on, say, port 36707.

That said, the ability to do domain validation without service interruption
seems like an important requirement.  It seems like the DNS challenge
listed in the current draft meets that requirement.  We should be able to
design the simpleHttps challenge so that you just have to provision an
extra file on an HTTPS server, not reconfigure it.

--Richard

On Thu, Apr 16, 2015 at 8:56 PM, Nico Williams <nico@cryptonector.com>
wrote:

> You have to be able to prevent unauthorized users from using this
> alternative callback port to get certs with which to impersonate your
> service.
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>
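The exchange above turns on two points: a CA should derive the challenge location from the hostname itself rather than from a client-chosen port, and the client should only have to drop a file on an existing HTTPS server. The following is an added example, mine and not code from the thread, from any ACME draft or from any ACME implementation, of a CA-side validator built on those two rules. The `/.well-known/acme-challenge/` path layout, the function names, the `fetch` callback and the fake host with two listeners are all constructed for illustration.

```python
# Added example (not from the thread or any ACME draft/implementation): a CA-side
# validator for a "provision a file on your HTTPS server" challenge that refuses to
# look anywhere except the standard HTTPS port.  Path prefix, names and the fake
# servers below are constructed for this example.
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

WELL_KNOWN_PREFIX = "/.well-known/acme-challenge/"  # assumed path layout
ALLOWED_PORTS = frozenset({443})                      # standard HTTPS port only


@dataclass(frozen=True)
class ValidationResult:
    ok: bool
    reason: str
    url: str = ""


def new_token() -> str:
    """Unpredictable token the CA hands to the client (128 bits of entropy)."""
    return secrets.token_urlsafe(16)


def challenge_url(hostname: str, token: str, port: int) -> str:
    """The CA, not the client, decides where the challenge file must appear."""
    return f"https://{hostname}:{port}{WELL_KNOWN_PREFIX}{token}"


def validate_http_challenge(hostname: str, token: str,
                            fetch: Callable[[str], Optional[str]],
                            requested_port: int = 443) -> ValidationResult:
    """Decide whether the file served at the derived URL proves control of hostname.

    `fetch` returns the response body for a URL, or None if nothing is served.
    The only thing the client may influence is the port, and that is restricted
    to the standard one: a listener on an arbitrary high port can be started by
    any local user, so it says nothing about who controls the hostname.
    """
    if requested_port not in ALLOWED_PORTS:
        return ValidationResult(
            False,
            f"port {requested_port} refused: not a standard HTTPS port, so a "
            f"listener there does not prove control of {hostname}")
    url = challenge_url(hostname, token, requested_port)
    body = fetch(url)
    if body is None:
        return ValidationResult(False, "challenge file not found", url)
    # Constant-time comparison so a partially correct body leaks nothing via timing.
    if not hmac.compare_digest(body.strip().encode(), token.encode()):
        return ValidationResult(False, "challenge file content does not match token", url)
    return ValidationResult(True, "control of hostname demonstrated", url)


# --- constructed fixture: one host, two listeners --------------------------------
EXAMPLE_HOST = "www.example.com"                  # constructed
EXAMPLE_TOKEN = "tok-constructed-for-this-example"  # constructed


def fake_fetch(url: str) -> Optional[str]:
    """Simulates the host: the operator's HTTPS server on 443 serves the
    provisioned file; an unprivileged user's listener on 36707 serves the same
    file; a stale file for an old token is also still lying around on 443."""
    served = {
        challenge_url(EXAMPLE_HOST, EXAMPLE_TOKEN, 443): EXAMPLE_TOKEN + "\n",
        challenge_url(EXAMPLE_HOST, EXAMPLE_TOKEN, 36707): EXAMPLE_TOKEN + "\n",
        challenge_url(EXAMPLE_HOST, "stale-token", 443): "old-content\n",
    }
    return served.get(url)


if __name__ == "__main__":
    for port in (443, 36707):
        r = validate_http_challenge(EXAMPLE_HOST, EXAMPLE_TOKEN, fake_fetch, port)
        print(port, r.ok, r.reason)
```

Both listeners in the fixture serve the correct file, yet only the request on 443 validates: the port restriction, not the file contents, is what ties the proof to the site operator rather than to any user who can bind a high port. The operator never reconfigures the server, only adds one file under the well-known path.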