Re: [Acme] DNS challenge spec doesn't support CNAME model

Eric Mill <eric@konklone.com> Fri, 18 December 2015 18:05 UTC

From: Eric Mill <eric@konklone.com>
Date: Fri, 18 Dec 2015 13:04:51 -0500
To: Ted Hardie <ted.ietf@gmail.com>
Cc: "acme@ietf.org" <acme@ietf.org>, Andrew Ayer <agwa@andrewayer.name>
Subject: Re: [Acme] DNS challenge spec doesn't support CNAME model
Message-ID: <CANBOYLUF=wfQypNUNA209rG_6gozboibcuSqB9D0h5Fuxc4agA@mail.gmail.com>
In-Reply-To: <CA+9kkMCFh_NVH1wM06_8EsUwDHkK73dvbL5wo2dnYJLJ8SF-Og@mail.gmail.com>
References: <CANBOYLWRn_k1LoMx3pgQx=0spM8VQMXen8DuOx44ksBtWjdHUA@mail.gmail.com> <20151217081948.153cafa35132a31a44794cb7@andrewayer.name> <CANBOYLU9HgD+-Dz=LbKaEBNfnPJAF+e=SsLS8vDwOPf3jup8+Q@mail.gmail.com> <CA+9kkMCFh_NVH1wM06_8EsUwDHkK73dvbL5wo2dnYJLJ8SF-Og@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/QSA0fXLF5L_Ixb6MaUZk5mtZre0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>

On Fri, Dec 18, 2015 at 11:49 AM, Ted Hardie <ted.ietf@gmail.com> wrote:

> On Thu, Dec 17, 2015 at 2:40 PM, Eric Mill <eric@konklone.com> wrote:
>
>> To me, it seems like we'll get more widespread use of ACME (and HTTPS
>> adoption) by allowing large services to just "flip the switch" for
>> everyone, rather than involving the user in this decision.
>
> So, I'm a wee bit concerned that taking the user out of the decision
> entirely will leave us in a place where the user doesn't have an easy way
> to withdraw approval for this. If a user transitions from the user base
> you are focused on to the one where they obtain the cert themselves, I'm
> not sure how that works.
>
> Put another way, I think we're trying to make it easy for the user to get
> what they want; we're not trying to set it up so that they're not involved
> in deciding what they want.
>

I meant this in a user-empowering way -- that users are able to get HTTPS
established for them without them having to do any work, and services are
able to roll out HTTPS support from a central vantage point without
reaching out to existing user bases.

If a user wants to withdraw approval, the CNAME is always theirs to revoke.
The case of a user really liking a third party service, but for some reason
really disliking that service's choice of an ACME-based CA, seems unusual
to me and also something best left to market competition among services.
Users don't generally care or review a third party service's choice of e.g.
web server proxy, and the choice of CA is likely to belong in a similar
bucket.

-- Eric


>
> Just my personal opinion,
>
> Ted
>

-- 
konklone.com | @konklone <https://twitter.com/konklone>
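The delegation model the thread is arguing about, as an added illustration that is not code from the ACME list, from Let's Encrypt or from any ACME implementation: the user's zone carries a single CNAME from the `_acme-challenge` label to a name the third-party service controls, the CA's resolver follows that CNAME to the TXT record the service publishes, and withdrawing approval is nothing more than deleting the CNAME. The in-memory `ZONE` dictionary stands in for live DNS, and every name, token and thumbprint below is constructed; the `_acme-challenge.<domain>` label and the base64url(SHA-256(key authorization)) TXT value follow dns-01 as later published in RFC 8555, not the 2015 draft the message discusses.

```python
# Added illustration of a CNAME-delegated dns-01 challenge. Not code from
# the ACME thread or any ACME implementation. All zone data, names, tokens
# and thumbprints are constructed; the record format follows RFC 8555.
import base64
import hashlib

MAX_CNAME_DEPTH = 8  # bound on chain length; also stops CNAME loops


def key_authorization_digest(token: str, account_thumbprint: str) -> str:
    """dns-01 TXT value: base64url(SHA-256(token "." JWK thumbprint)), unpadded."""
    key_authz = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authz).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def resolve_txt(zone: dict, name: str):
    """Return the TXT rdata at `name`, following CNAMEs like a resolver would.

    `zone` is a constructed stand-in for live DNS:
    {owner_name: {"CNAME": target} or {"TXT": [values]}}.
    Returns None on a missing name, a loop, or a chain longer than MAX_CNAME_DEPTH.
    """
    seen = set()
    for _ in range(MAX_CNAME_DEPTH):
        if name in seen:
            return None            # CNAME loop
        seen.add(name)
        rrset = zone.get(name)
        if rrset is None:
            return None            # NXDOMAIN / no data
        if "CNAME" in rrset:
            name = rrset["CNAME"]  # keep following, as the CA's resolver does
            continue
        return rrset.get("TXT")
    return None                    # chain too long


def validate_dns01(zone: dict, domain: str, token: str, account_thumbprint: str) -> bool:
    """CA-side check: does _acme-challenge.<domain>, after CNAMEs, carry the digest?"""
    expected = key_authorization_digest(token, account_thumbprint)
    records = resolve_txt(zone, f"_acme-challenge.{domain}.")
    return records is not None and expected in records


def delegate_challenge(zone: dict, domain: str, service_name: str) -> None:
    """User's one-time step: point the challenge label at the service's zone."""
    zone[f"_acme-challenge.{domain}."] = {"CNAME": service_name}


def withdraw_delegation(zone: dict, domain: str) -> None:
    """User withdraws approval by deleting the CNAME; no CA interaction needed."""
    zone.pop(f"_acme-challenge.{domain}.", None)


def demo():
    """Run the model end to end on constructed data; returns three validation results."""
    zone = {}
    domain = "user.example"                                   # constructed
    service_name = "user-example.validate.service.example."   # constructed
    token = "constructed-challenge-token"                     # constructed
    thumbprint = "constructed-account-key-thumbprint"         # constructed

    # 1. User delegates once; the service publishes the TXT in its own zone.
    delegate_challenge(zone, domain, service_name)
    zone[service_name] = {"TXT": [key_authorization_digest(token, thumbprint)]}
    with_cname = validate_dns01(zone, domain, token, thumbprint)

    # 2. A digest for a different token at the service does not validate.
    zone[service_name] = {"TXT": [key_authorization_digest("other-token", thumbprint)]}
    wrong_digest = validate_dns01(zone, domain, token, thumbprint)

    # 3. User revokes the CNAME: the service can no longer answer for the domain,
    #    even though its own TXT record is correct again.
    zone[service_name] = {"TXT": [key_authorization_digest(token, thumbprint)]}
    withdraw_delegation(zone, domain)
    after_withdrawal = validate_dns01(zone, domain, token, thumbprint)
    return with_cname, wrong_digest, after_withdrawal


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The loop and depth guard in `resolve_txt` is the part a real validator must not skip: a CA following arbitrary CNAME chains without a bound can be driven into long or circular lookups, and a chain that terminates nowhere must fail closed rather than be treated as a match.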