Re: [Acme] draft-misell-acme-onion

Seo Suchan <tjtncks@gmail.com> Sun, 16 April 2023 02:44 UTC

Message-ID: <214b80c1-b234-07ae-e33c-bda3d6c1f542@gmail.com>
Date: Sun, 16 Apr 2023 11:44:37 +0900
To: acme@ietf.org
References: <CAMEWqGuuRsYF-EoFs44DSZ0X0z5iOuKa8iMC38Yuh24F0fWYXQ@mail.gmail.com>
From: Seo Suchan <tjtncks@gmail.com>
In-Reply-To: <CAMEWqGuuRsYF-EoFs44DSZ0X0z5iOuKa8iMC38Yuh24F0fWYXQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/OHFgcY54Hzf-IpPRr0I5db0zsSM>
Subject: Re: [Acme] draft-misell-acme-onion
List-Id: Automated Certificate Management Environment <acme.ietf.org>

5.2 has a few typos: CAA where it should mean CA (CAA can't read any 
descriptor; it's a text record).

For running CAA in general, I think Appendix B of the CA/B BR, method b, was made 
in a way that the CA doesn't have to run a Tor client at all. And it actually 
allows signing a cert for a not-yet-hosted onion domain, given they 
control the right private key to derive that domain name. In that case, 
making the CA required to run a Tor client to read CAA conflicts with this goal.

And challenge 3.2 doesn't work for a public CA: in the ACME context, the 
CSR's pubkey sent in finalization is what the CA will sign, but from the 
challenge perspective the key there needs to be an ed25519 key (because it's 
the onion v3 private key), but the CA/B does not allow signing an ed25519 key in a 
TLS certificate, so you can't reuse the CSR for both purposes.


On 2023-04-16 1:22 AM, Q Misell wrote:

> Hi all,
>
>
> Hope you've all recovered from IETF116, it was lovely seeing you all 
> there. Thanks to those who already gave me feedback on my draft.
>
> As promised in my brief presentation at the WG meeting, here's my post 
> introducing my draft draft-misell-acme-onion 
> <https://datatracker.ietf.org/doc/draft-misell-acme-onion/> to ease 
> issuance of certificates to Tor hidden services.
>
> DigiCert and HARICA already issue X.509 certificates to Tor hidden 
> services but there is no automation whatsoever on this. From my 
> discussions with the Tor community this is something that bothers them 
> so I've taken to writing this draft to hopefully address that.
>
> The draft defines three ways of validation:
> - http-01 over Tor
> - tls-alpn-01 over Tor
> - A new method onion-csr-01, where the CSR is signed by the key of the 
> onion service
>
> An explicit non goal is to define validation methods not already 
> approved by the CA/BF, however if someone can make a compelling 
> argument for an entirely novel method I wouldn't be entirely opposed 
> to it.
>
> Looking forward to your feedback, and some indication that this would 
> be worth adopting as a WG draft.
>
> Thanks,
> Q Misell
>
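Worked example (added here for illustration; this is not code from the draft, from the CA/B BR, or from either poster). It demonstrates the two points raised above: that a v3 onion name is a pure function of the service's ed25519 public key (so whoever holds the matching private key can "derive that domain name" before the service is ever hosted, and a CA can check the name against a key without running a Tor client), and that the key bound to the name is an ed25519 key, which is a different object from the subject key in the ACME CSR. The derivation follows the Tor rend-spec-v3 formula: address = base32(pubkey || checksum || version) + ".onion", with checksum = SHA3-256(".onion checksum" || pubkey || version)[:2] and version = 0x03. The 32-byte key below is a constructed placeholder (a SHA-256 digest), not a real onion service key; any 32-byte string exercises the encoding in the same way.

```python
import base64
import hashlib

# Constants from rend-spec-v3, section 6 ("Encoding onion addresses").
ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
ONION_SUFFIX = ".onion"

# Constructed placeholder standing in for an ed25519 public key. It is
# only a 32-byte string, not a real curve point, and exists so the
# example runs offline without a Tor or ed25519 library.
EXAMPLE_PUBKEY = hashlib.sha256(b"constructed example, not a real onion key").digest()


def onion_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the v3 onion hostname from a 32-byte ed25519 public key.

    Nothing here touches the network: the name is fully determined by the
    key, which is why the key holder can compute it before hosting anything.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be exactly 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION  # 35 bytes
    # 35 bytes = 280 bits = 56 base32 characters, so no padding appears.
    return base64.b32encode(raw).decode("ascii").lower() + ONION_SUFFIX


def parse_onion_address(addr: str) -> bytes:
    """Validate a v3 onion hostname and return the embedded public key.

    Raises ValueError on a malformed label, wrong version byte, or checksum
    mismatch. This is the check a CA can run on a name it has been asked to
    certify once it has the claimed public key, with no Tor client involved.
    """
    host = addr.strip().lower()
    if not host.endswith(ONION_SUFFIX):
        raise ValueError("not a .onion name")
    label = host[: -len(ONION_SUFFIX)]
    if len(label) != 56:
        raise ValueError("v3 onion label must be 56 base32 characters")
    try:
        raw = base64.b32decode(label.upper())
    except Exception as exc:  # binascii.Error or ValueError from b32decode
        raise ValueError("label is not valid base32") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch; name does not match key")
    return pubkey


def is_valid_onion_address(addr: str) -> bool:
    """Boolean wrapper around parse_onion_address for quick checks."""
    try:
        parse_onion_address(addr)
        return True
    except ValueError:
        return False


def key_matches_address(pubkey: bytes, addr: str) -> bool:
    """True if the given ed25519 public key derives exactly this name."""
    return is_valid_onion_address(addr) and parse_onion_address(addr) == pubkey


if __name__ == "__main__":
    addr = onion_address(EXAMPLE_PUBKEY)
    print("derived:", addr)
    print("parses back to same key:", parse_onion_address(addr) == EXAMPLE_PUBKEY)
    # Flip one character of the encoded key; the checksum no longer matches.
    tampered = ("b" if addr[0] == "a" else "a") + addr[1:]
    print("tampered name valid:", is_valid_onion_address(tampered))
```

Because the last byte of the encoded value is the version 0x03, every v3 name ends in the base32 character "d"; that is a cheap sanity check before doing the full checksum. Note that the key in the address is the ed25519 identity key and not the key in the ACME CSR, which is the separation the message above is pointing at.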