Re: [Acme] Server on >= 1024 port

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 02 December 2015 13:30 UTC

Sender: hallam@gmail.com
In-Reply-To: <565EBF56.3070502@desy.de>
References: <565589E4.2030107@desy.de> <565EBF56.3070502@desy.de>
Date: Wed, 02 Dec 2015 08:30:39 -0500
Message-ID: <CAMm+Lwj7rxj5ABesa+2Gj9rR5KFtpY+mfbktfL=tDbwn-VZzmw@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Paul Millar <paul.millar@desy.de>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/OfBLHLHsVyYLFlpPkFPAerFXxh8>
Cc: "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] Server on >= 1024 port

On Wed, Dec 2, 2015 at 4:52 AM, Paul Millar <paul.millar@desy.de> wrote:

> Hi all,
>
> I'm writing just to summarise this thread and check a consensus has been
> reached.
>
> On 25/11/15 11:13, Paul Millar wrote:
>
>> I was wondering whether people have considered services running on a
>> port other than port 443; in particular, ports greater than 1024.
>>
>
> The decision is not to support unprivileged ports (>= 1024) because of two
> factors:
>
>   1.    ACME wishes to support deployments where untrusted
>         users have (non-root) access to the same machine that
>         provides a trusted service.
>
>   2.    There is no supported mechanism for a CA to issue a
>         certificate that is bound to a specific port.
>
> Removing either of these points would allow (in principle) ACME to support
> issuing certificates to services running on unprivileged ports.
>
> Is that a fair summary?


No.

The problem is that the validation process for the cert has nothing to do
with the port the cert is going to be used on. The purpose of the
validation process is to determine if the request is authorized by the
holder of the domain. It has nothing to do with what host or port the
certificate is going to be used for.

There is a useful rhyme:

Want a cert for HTTP? Validate the request on port 443
Want a cert for SMTP? Validate the request on port 443
Want a cert for NTP? Validate the request on port 443
Want a cert for Any other TP? Validate the request on port 443

The DNS only provides a binding between the domain name and the IP address;
the IP address identifies a host that is typically shared between multiple
services; and the OS can only be assumed to provide disambiguation between
domain names on port 443.

The only way to fix this would be to require navigation through an SRV
record, and even that might not be enough.

Also note that this is not an area where IETF consensus is sufficient. The
IETF can publish an RFC describing a protocol that supports a particular
validation process. But that does not mean that the browser providers are
going to accept certs that are issued under that process.
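The argument above, as an added example that is not part of the thread and not ACME's own code: a toy model of a shared host on which the CA's validation request always goes to one fixed privileged port, whatever port the applicant says the certificate will serve. The model assumes the http-01 challenge as standardised in RFC 8555 (the CA fetches `/.well-known/acme-challenge/<token>` on port 80 and expects `token "." base64url(SHA-256(JWK thumbprint))`), JWK thumbprints per RFC 7638, and the usual Unix rule that only uid 0 may bind ports below 1024. The rhyme in the post names port 443 (the TLS-based challenge); the structure of the argument is the same on either port. Keys, token and host are constructed, not captured.

```python
"""Added example (not from the thread): why the CA validates on one fixed
privileged port regardless of the port the certificate will be used on.
Assumptions: http-01 as in RFC 8555, thumbprints as in RFC 7638, a toy host
where ports < 1024 need uid 0. All keys and tokens below are constructed."""
import base64
import hashlib
import json

VALIDATION_PORT = 80  # fixed by the challenge type, never chosen by the applicant


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: required public members only, sorted, no whitespace,
    SHA-256, base64url. Extra members such as "kid" are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {name: jwk[name] for name in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class SharedHost:
    """One IP address shared by several users and services. The only
    isolation the OS gives the CA is the bind() rule on privileged ports."""

    def __init__(self):
        self.listeners = {}  # port -> (uid, handler)

    def bind(self, port: int, uid: int, handler):
        if port < 1024 and uid != 0:
            raise PermissionError(f"uid {uid} may not bind port {port}")
        if port in self.listeners:
            raise OSError(f"port {port} already in use")
        self.listeners[port] = (uid, handler)

    def http_get(self, port: int, path: str) -> str:
        if port not in self.listeners:
            raise ConnectionRefusedError(port)
        return self.listeners[port][1](path)


def challenge_handler(token: str, account_jwk: dict):
    """What a listener serves on the challenge path (404 elsewhere)."""
    expected_path = f"/.well-known/acme-challenge/{token}"
    body = key_authorization(token, account_jwk)
    return lambda path: body if path == expected_path else "404 Not Found"


def ca_validates(host: SharedHost, token: str, applicant_jwk: dict, port: int) -> bool:
    """CA side of http-01: fetch the challenge path on `port` and compare the
    body with the key authorization for the applicant's account key."""
    try:
        body = host.http_get(port, f"/.well-known/acme-challenge/{token}")
    except ConnectionRefusedError:
        return False
    return body.strip() == key_authorization(token, applicant_jwk)


# Constructed keys: the coordinate values are placeholders, not real curve
# points; the thumbprint only needs them to be distinct strings.
ADMIN_JWK = {"kty": "EC", "crv": "P-256", "x": "admin-x", "y": "admin-y"}
USER_JWK = {"kty": "EC", "crv": "P-256", "x": "user-x", "y": "user-y"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed


def run_scenario() -> dict:
    """An unprivileged user (uid 1000) on the same box as the admin (uid 0)
    requests a certificate for the shared name, offering to prove control
    on port 8080, the only kind of port it can listen on."""
    host = SharedHost()
    host.bind(80, 0, challenge_handler(TOKEN, ADMIN_JWK))
    host.bind(8080, 1000, challenge_handler(TOKEN, USER_JWK))
    try:
        host.bind(443, 1000, challenge_handler(TOKEN, USER_JWK))
        user_took_443 = True
    except PermissionError:
        user_took_443 = False
    return {
        # the OS rule holds: the user cannot get in front of a privileged port
        "user_bound_privileged_port": user_took_443,
        # a CA that validated on the applicant's chosen port would be answered
        # by the user's own listener and issue the certificate
        "validate_on_requested_port": ca_validates(host, TOKEN, USER_JWK, 8080),
        # on the fixed port the admin's listener answers with a body bound to
        # the admin's account key, so the user's request is refused
        "validate_on_fixed_port_user": ca_validates(host, TOKEN, USER_JWK, VALIDATION_PORT),
        "validate_on_fixed_port_admin": ca_validates(host, TOKEN, ADMIN_JWK, VALIDATION_PORT),
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

Running the script prints the four outcomes: the user cannot bind 443, a port-of-the-applicant's-choosing check would pass for the user, and the fixed-port check passes only for the account key behind the privileged listener. The model is deliberately blind to everything except the bind rule, which is the point of the post: nothing in DNS or in the OS ties a name to a port, so the CA can rely only on who is allowed to listen where.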