Re: [Acme] Want client-defined callback port

Martin Thomson <martin.thomson@gmail.com> Thu, 23 April 2015 00:23 UTC

Date: Wed, 22 Apr 2015 17:23:07 -0700
Message-ID: <CABkgnnVP4as97fXe7XTFpC=rw6ETdXY5s=1cRj1Xan1sgDsx3A@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Ted Hardie <ted.ietf@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/PLTnGCQRDRYdaEY-6fkC2XaglNg>
Cc: Richard Barnes <rlb@ipv.sx>, Nico Williams <nico@cryptonector.com>, "acme@ietf.org" <acme@ietf.org>, Bruce Gaya <gaya@apple.com>, "Salz, Rich" <rsalz@akamai.com>
Subject: Re: [Acme] Want client-defined callback port

On Apr 22, 2015 4:09 PM, "Ted Hardie" <ted.ietf@gmail.com> wrote:
>
> Forgive the top posting, but I want to be sure I understand something.
> If the client specifies a port that is below 1024 but canonically used for
> something else, what is the specified behavior?  My reading of the thread
> so far is that the server would expect to run ACME over it, even if it were
> specified for, say, LDAP (389).
>
> Is that what folks expect?

Just to get this on the record, I think that we should have some advice
that suggests a set of ports (other than 1024+) that are off-limits. I note
that browsers are unwilling to connect to certain ports because of the
concerns you allude to; we can recommend that the CA policy do the same
(and be advised by the experience of browsers here). 389 is on that list,
25 probably too.

I can try to find the list that Firefox uses if people think that is good
advice to include.
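The port policy sketched in this reply, as an added illustration that is not ACME, Firefox or any CA's code: it reads "(other than 1024+)" as ports 1024 and above already being off-limits (an assumption), and the blocklist below is a constructed sample in the spirit of browser bad-port lists, of which only 25 and 389 are named in the thread.

```python
# Added illustrative check for a client-proposed callback port.
# Assumptions: the thread's "(other than 1024+)" means 1024+ is already
# disallowed, and the blocklist is a constructed sample, not Firefox's list.
from typing import NamedTuple


class PortDecision(NamedTuple):
    allowed: bool
    reason: str


# Constructed sample blocklist: ports canonically used by other protocols
# that browsers refuse to connect to. 25 and 389 come from the thread;
# the remaining entries are illustrative only.
BLOCKED_CALLBACK_PORTS = frozenset({21, 22, 23, 25, 53, 110, 143, 389, 587, 636})


def check_callback_port(port_value, blocked=BLOCKED_CALLBACK_PORTS) -> PortDecision:
    """Decide whether a client-supplied callback port is acceptable under the policy.

    Order of checks: well-formed integer, valid TCP range, privileged range
    (below 1024), then the per-protocol blocklist.
    """
    try:
        port = int(port_value)
    except (TypeError, ValueError):
        return PortDecision(False, "port is not an integer")
    if not 1 <= port <= 65535:
        return PortDecision(False, "port out of range")
    if port >= 1024:
        return PortDecision(False, "ports 1024 and above are off-limits")
    if port in blocked:
        return PortDecision(False, f"port {port} is reserved for another protocol")
    return PortDecision(True, "ok")


if __name__ == "__main__":
    for candidate in (80, 443, 389, 25, 8443, "abc"):
        print(candidate, check_callback_port(candidate))
```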