Re: [Acme] DNS challenge spec doesn't support CNAME model
Eric Mill <eric@konklone.com> Fri, 18 December 2015 18:05 UTC
In-Reply-To: <CA+9kkMCFh_NVH1wM06_8EsUwDHkK73dvbL5wo2dnYJLJ8SF-Og@mail.gmail.com>
References: <CANBOYLWRn_k1LoMx3pgQx=0spM8VQMXen8DuOx44ksBtWjdHUA@mail.gmail.com> <20151217081948.153cafa35132a31a44794cb7@andrewayer.name> <CANBOYLU9HgD+-Dz=LbKaEBNfnPJAF+e=SsLS8vDwOPf3jup8+Q@mail.gmail.com> <CA+9kkMCFh_NVH1wM06_8EsUwDHkK73dvbL5wo2dnYJLJ8SF-Og@mail.gmail.com>
From: Eric Mill <eric@konklone.com>
Date: Fri, 18 Dec 2015 13:04:51 -0500
Message-ID: <CANBOYLUF=wfQypNUNA209rG_6gozboibcuSqB9D0h5Fuxc4agA@mail.gmail.com>
To: Ted Hardie <ted.ietf@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/QSA0fXLF5L_Ixb6MaUZk5mtZre0>
Cc: "acme@ietf.org" <acme@ietf.org>, Andrew Ayer <agwa@andrewayer.name>
Subject: Re: [Acme] DNS challenge spec doesn't support CNAME model
On Fri, Dec 18, 2015 at 11:49 AM, Ted Hardie <ted.ietf@gmail.com> wrote:

> On Thu, Dec 17, 2015 at 2:40 PM, Eric Mill <eric@konklone.com> wrote:
>
>> To me, it seems like we'll get more widespread use of ACME (and HTTPS
>> adoption) by allowing large services to just "flip the switch" for
>> everyone, rather than involving the user in this decision.
>
> So, I'm a wee bit concerned that taking the user out of the decision
> entirely will leave us in a place where the user doesn't have an easy way
> to withdraw approval for this. If a user transitions from the user base
> you are focused on to the one where they obtain the cert themselves, I'm
> not sure how that works.
>
> Put another way, I think we're trying to make it easy for the user to get
> what they want; we're not trying to set it up so that they're not involved
> in deciding what they want.

I meant this in a user-empowering way -- that users are able to get HTTPS
established for them without them having to do any work, and services are
able to roll out HTTPS support from a central vantage point without reaching
out to existing user bases.

If a user wants to withdraw approval, the CNAME is always theirs to revoke.

The case of a user really liking a third party service, but for some reason
really disliking that service's choice of an ACME-based CA, seems unusual to
me and also something best left to market competition among services. Users
don't generally care or review a third party service's choice of e.g. web
server proxy, and the choice of CA is likely to belong in a similar bucket.

-- Eric

> Just my personal opinion,
>
> Ted

--
konklone.com | @konklone <https://twitter.com/konklone>
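The delegation model Eric describes, and the "the CNAME is always theirs to revoke" point, can be made concrete with a small validator. The following is an added example written for this archive page; it is not code from the thread, from the ACME specification, or from any ACME implementation. It models the dns-01 check (a TXT record at `_acme-challenge.<domain>` holding the base64url SHA-256 digest of the key authorization) against a constructed in-memory zone instead of live DNS, follows CNAMEs the way a resolver would, and shows that removing the CNAME in the user's own zone is enough to make the service's hosted TXT record stop validating. All names, the token and the account thumbprint are constructed values.

```python
import base64
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed values for this example only (not from the thread or any real account).
CHALLENGE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
ACCOUNT_THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"

Record = Tuple[str, str]          # (rtype, value)
Zone = Dict[str, List[Record]]    # fully-qualified name -> records


def key_authorization_digest(token: str, thumbprint: str) -> str:
    """base64url(SHA-256(token '.' thumbprint)), unpadded: the dns-01 TXT value."""
    key_authz = f"{token}.{thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authz).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_name(domain: str) -> str:
    """The label the CA queries for a dns-01 challenge on `domain`."""
    return f"_acme-challenge.{domain.rstrip('.')}."


def build_example_zone(domain: str, service_zone: str) -> Zone:
    """Constructed zone data: the user CNAMEs the challenge label into the
    third-party service's zone, and the service hosts the TXT record there."""
    delegated = f"{challenge_name(domain).rstrip('.')}.{service_zone.rstrip('.')}."
    return {
        challenge_name(domain): [("CNAME", delegated)],
        delegated: [("TXT", key_authorization_digest(CHALLENGE_TOKEN, ACCOUNT_THUMBPRINT))],
    }


def resolve_txt(zone: Zone, name: str, max_hops: int = 8) -> Optional[List[str]]:
    """Follow a CNAME chain (bounded, with loop detection) and return the TXT
    values at its end. Returns None if the chain loops or is too long."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            return None
        seen.add(name)
        records = zone.get(name, [])
        cnames = [value for rtype, value in records if rtype == "CNAME"]
        if cnames:
            name = cnames[0]
            continue
        return [value for rtype, value in records if rtype == "TXT"]
    return None


def validate_dns01(zone: Zone, domain: str, token: str, thumbprint: str) -> bool:
    """The CA-side check: the expected digest must appear among the TXT values
    reached from _acme-challenge.<domain>, CNAMEs included."""
    expected = key_authorization_digest(token, thumbprint)
    values = resolve_txt(zone, challenge_name(domain))
    return values is not None and expected in values


def withdraw_delegation(zone: Zone, domain: str) -> None:
    """The user revokes approval by deleting the CNAME from their own zone.
    The service's TXT record still exists, but is no longer reachable."""
    zone.pop(challenge_name(domain), None)


if __name__ == "__main__":
    zone = build_example_zone("example.com", "acme-host.example.net")
    print("delegated:", validate_dns01(zone, "example.com", CHALLENGE_TOKEN, ACCOUNT_THUMBPRINT))
    withdraw_delegation(zone, "example.com")
    print("after revocation:", validate_dns01(zone, "example.com", CHALLENGE_TOKEN, ACCOUNT_THUMBPRINT))
```

The bounded CNAME walk matters for a real validator: a CA that follows chains without a hop limit or loop check can be kept busy by misconfigured zones, so the example returns a failed validation rather than recursing indefinitely.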