Re: [Acme] Want client-defined callback port

Bruce Gaya <gaya@apple.com> Wed, 22 April 2015 22:23 UTC

From: Bruce Gaya <gaya@apple.com>
In-reply-to: <CAL02cgTv5Zi4wP0gJPvcrty6N96pAaLRkCveyvMNfoyjQrrEyw@mail.gmail.com>
Date: Wed, 22 Apr 2015 15:23:00 -0700
Message-id: <0609C348-A6D8-46D5-AF58-5BE69910D261@apple.com>
References: <352DA5FE-AC6F-49A7-8F9F-70A74889204F@apple.com> <CAK3OfOjey4bk02qC_jj2c0AzZ54qnP=KAJnG=mXnO6A5gZ4m9g@mail.gmail.com> <CAL02cgQ94ijVrCM9SStcodRW+XSG2w5Zwu3+ny8HriDBnxjdtg@mail.gmail.com> <FF21526F-BA8D-4F54-AAE3-047632706668@apple.com> <CAL02cgSDk0TNYusEkXA3onmqF7=kaAWhHjpW8WjbiqxgQMdQwQ@mail.gmail.com> <555F6C74-2416-4893-BDEA-A3C2E55A6D57@apple.com> <16985cf1c8c444c48d328fa766ec5ff8@usma1ex-dag1mb2.msg.corp.akamai.com> <DE264105-7317-4343-BCEE-539A73D42544@apple.com> <CAL02cgTv5Zi4wP0gJPvcrty6N96pAaLRkCveyvMNfoyjQrrEyw@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/O_k9lTe0uFtXy-Dg1eQ1MC6Qu1w>
Cc: "Salz, Rich" <rsalz@akamai.com>, "acme@ietf.org" <acme@ietf.org>, Nico Williams <nico@cryptonector.com>
Subject: Re: [Acme] Want client-defined callback port

> On 22 Apr 2015, at 15:10, Richard Barnes <rlb@ipv.sx> wrote:
> 
> 
> 
> On Tue, Apr 21, 2015 at 10:53 PM, Bruce Gaya <gaya@apple.com <mailto:gaya@apple.com>> wrote:
> 
>> On 21 Apr 2015, at 18:23, Salz, Rich <rsalz@akamai.com <mailto:rsalz@akamai.com>> wrote:
>> 
>> I understand that you want it to “just work” (you said that a couple of times :), but other folks have raised security concerns – do you understand or agree with them?
>> 
> 
> I agree that client access to ports below 1024 usually requires more privileges and that’s generally safer than allowing any client port.
> 
> So would you be OK with the spec saying that the server MUST reject client-specified ports that are greater than 1023?

Yes.  

Because the ACME client code will run as root any unused port will work so I am happy with this restriction.  My intention is for the ACME client to be as independent as possible from other running services.

>  
>> One way forward is to say a client MAY specify a port, where the default is 443. An ACME server MAY reject requests for ports other than 443 if it is in violation of the operating policy.
>> 
> 
> That would work.
> 
> Let's return to the question of protocol, however.  The CA needs to know how to validate the challenge.  Are you envisioning that this would be an extension to the simpleHttps challenge, so that the validation would still be done using an HTTP request to a .well-known URI, just on a different port?

Yes.  As a developer, it’s easier to have the ACME code be completely separate rather than coordinate with another process.

Bruce
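The server-side rules the thread converges on (default 443; a client MAY name another port; the CA MUST reject anything above 1023; operator policy MAY restrict to 443 only; validation is still a GET of the .well-known URI, only on the requested port), written out as an added example. This is not ACME draft text or any project's code: the function names, the `https://<domain>:<port>/.well-known/acme-challenge/<token>` URL shape, the expected body, and the pluggable `fetch` callable are assumptions of this example, and the sample pages in the demo are constructed.

```python
"""Callback-port policy and simpleHttps-style validation for a CA.

Added example, not from the ACME drafts or any ACME implementation.
Assumed names: validate_callback_port, port_acceptable, challenge_url,
verify_simple_https; assumed URL layout and expected-body convention.
"""
import urllib.request
from typing import Callable, Optional

DEFAULT_PORT = 443          # port used when the client names none
MAX_PRIVILEGED_PORT = 1023  # thread: server MUST reject ports > 1023


def validate_callback_port(requested: Optional[int],
                           allow_other_than_443: bool = True) -> int:
    """Return the port the CA will connect to, or raise ValueError.

    - no port given          -> 443
    - port < 1 or > 1023     -> rejected (only a privileged process binds it)
    - operator policy may additionally restrict the CA to 443 only
    """
    if requested is None:
        return DEFAULT_PORT
    if isinstance(requested, bool) or not isinstance(requested, int):
        raise ValueError("port must be an integer")
    if requested < 1 or requested > MAX_PRIVILEGED_PORT:
        raise ValueError(f"port {requested} rejected: must be 1..{MAX_PRIVILEGED_PORT}")
    if not allow_other_than_443 and requested != DEFAULT_PORT:
        raise ValueError(f"port {requested} rejected: policy permits only 443")
    return requested


def port_acceptable(requested: Optional[int],
                    allow_other_than_443: bool = True) -> bool:
    """Boolean form of validate_callback_port for callers that do not want exceptions."""
    try:
        validate_callback_port(requested, allow_other_than_443)
    except ValueError:
        return False
    return True


def challenge_url(domain: str, token: str, port: int) -> str:
    """Same .well-known path as the standard challenge; only the port differs.
    Scheme and path layout are assumptions of this example."""
    host = domain if port == DEFAULT_PORT else f"{domain}:{port}"
    return f"https://{host}/.well-known/acme-challenge/{token}"


def _http_get(url: str) -> bytes:
    """Default fetcher: a real network GET (not used by the offline demo)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()


def verify_simple_https(domain: str, token: str, expected_body: str,
                        requested_port: Optional[int] = None,
                        allow_other_than_443: bool = True,
                        fetch: Callable[[str], bytes] = _http_get) -> bool:
    """Apply the port policy, then fetch the challenge URI and compare the body.

    Raises ValueError for a port the policy forbids (the client's request is
    malformed); returns False when the fetch fails or the body does not match.
    """
    port = validate_callback_port(requested_port, allow_other_than_443)
    url = challenge_url(domain, token, port)
    try:
        body = fetch(url)
    except Exception:  # any transport failure counts as "not validated"
        return False
    return body.strip() == expected_body.encode()


if __name__ == "__main__":
    # Constructed sample: what a client running as root published on port 1021.
    pages = {
        "https://example.com:1021/.well-known/acme-challenge/tok123": b"tok123.keyauth\n",
    }
    fake_fetch = lambda url: pages[url]  # KeyError for any other URL
    print(verify_simple_https("example.com", "tok123", "tok123.keyauth",
                              1021, fetch=fake_fetch))          # True
    print(port_acceptable(8080))                                 # False: > 1023
    print(port_acceptable(1021, allow_other_than_443=False))     # False: policy
```

The `fetch` parameter exists so the validation step can be exercised offline against constructed pages; a CA would use the default network fetcher and, as in the standard challenge, should resolve the domain itself rather than trust any address the client supplies.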