Re: [Acme] Want client-defined callback port

Richard Barnes <rlb@ipv.sx> Wed, 22 April 2015 22:24 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A89171B2CBF for <acme@ietfa.amsl.com>; Wed, 22 Apr 2015 15:24:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZihkdJUhCJWm for <acme@ietfa.amsl.com>; Wed, 22 Apr 2015 15:24:25 -0700 (PDT)
Received: from mail-la0-f51.google.com (mail-la0-f51.google.com [209.85.215.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6EBB21B2B85 for <acme@ietf.org>; Wed, 22 Apr 2015 15:24:25 -0700 (PDT)
Received: by lagv1 with SMTP id v1so256435lag.3 for <acme@ietf.org>; Wed, 22 Apr 2015 15:24:24 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=QvJdzfhedT2xMyvwy3wPZQng1lEVhoDfMrtP0DiG5Ew=; b=Gygi8fqQy2I0Q4kR9d0kqZ55LuJUqDS2p1QPK5KXwhO0PN0k7Gt5JAIQiSPhb7nJbV gC+n0QG5Qb0qxnsLJYEMPolXz9IwPc+kzQ5WiMafBRb6MfolRFOQ1eINIXgLL1kJifjW /9bkYeEIjwkqNxJ/hUMf6dJUtagb+OuwcrRF2/q5e4Nmc4+S/kEzf/IQzcxO0dKa2+YU pEYXWxhVM+HrmYZRDBP4m+zzCHJRvevet1j65F4p0/LLAMzvVHAARZ3wgrbh08VglAWP 5yyukbLoO5zWmM8Zb8vwKMqoX0kYXPI319oB6VqXMaKJCtRRJILYrPdSX7bDdfpnLzW1 7+Ew==
X-Gm-Message-State: ALoCoQk079+qPYS1wfUOok0X1XJbT11aZGOEp7ZVfxwipcgiJl8UhyYByWpYxF9bFBudFRXZETKV
MIME-Version: 1.0
X-Received: by 10.152.234.139 with SMTP id ue11mr26586391lac.28.1429741463917; Wed, 22 Apr 2015 15:24:23 -0700 (PDT)
Received: by 10.25.214.162 with HTTP; Wed, 22 Apr 2015 15:24:23 -0700 (PDT)
In-Reply-To: <0609C348-A6D8-46D5-AF58-5BE69910D261@apple.com>
References: <352DA5FE-AC6F-49A7-8F9F-70A74889204F@apple.com> <CAK3OfOjey4bk02qC_jj2c0AzZ54qnP=KAJnG=mXnO6A5gZ4m9g@mail.gmail.com> <CAL02cgQ94ijVrCM9SStcodRW+XSG2w5Zwu3+ny8HriDBnxjdtg@mail.gmail.com> <FF21526F-BA8D-4F54-AAE3-047632706668@apple.com> <CAL02cgSDk0TNYusEkXA3onmqF7=kaAWhHjpW8WjbiqxgQMdQwQ@mail.gmail.com> <555F6C74-2416-4893-BDEA-A3C2E55A6D57@apple.com> <16985cf1c8c444c48d328fa766ec5ff8@usma1ex-dag1mb2.msg.corp.akamai.com> <DE264105-7317-4343-BCEE-539A73D42544@apple.com> <CAL02cgTv5Zi4wP0gJPvcrty6N96pAaLRkCveyvMNfoyjQrrEyw@mail.gmail.com> <0609C348-A6D8-46D5-AF58-5BE69910D261@apple.com>
Date: Wed, 22 Apr 2015 18:24:23 -0400
Message-ID: <CAL02cgT_DPY-Bn9A=UtCx+g2FKHON-TXGCWfH-gL8rR4yEFHZg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Bruce Gaya <gaya@apple.com>
Content-Type: multipart/alternative; boundary=001a1133a85c13e270051457a0a6
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/RGbqP0OSptHLPHHTJ6fAmIwqupw>
Cc: "Salz, Rich" <rsalz@akamai.com>, "acme@ietf.org" <acme@ietf.org>, Nico Williams <nico@cryptonector.com>
Subject: Re: [Acme] Want client-defined callback port
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Apr 2015 22:24:30 -0000

On Wed, Apr 22, 2015 at 6:23 PM, Bruce Gaya <gaya@apple.com> wrote:

>
> On 22 Apr 2015, at 15:10, Richard Barnes <rlb@ipv.sx> wrote:
>
>
>
> On Tue, Apr 21, 2015 at 10:53 PM, Bruce Gaya <gaya@apple.com> wrote:
>
>>
>> On 21 Apr 2015, at 18:23, Salz, Rich <rsalz@akamai.com> wrote:
>>
>>  I understand that you want it to “just work” (you said that a couple of
>> times :), but other folks have raised security concerns – do you understand
>> or agree with them?
>>
>>
>> I agree that client access to ports below 1024 usually requires more
>> privileges and that’s generally safer than allowing any client port.
>>
>
> So would you be OK with the spec saying that the server MUST reject
> client-specified ports that are greater than 1023?
>
>
> Yes.
>
> Because the ACME client code will run as root any unused port will work so
> I am happy with this restriction.  My intention is for the ACME client to
> be as independent as possible from other running services.
>
>
>
>> One way forward is to say a client MAY specific a port, where the default
>> is 443. An ACME server MAY reject requests for ports other than 443 if it
>> is in violation of the operating policy.
>>
>>
>> That would work.
>>
>
> Let's return to the question of protocol, however.  The CA needs to know
> how to validate the challenge.  Are you envisioning that this would be an
> extension to the simpleHttps challenge, so that the validation would still
> be done using an HTTP request to a .well-known URI, just on a different
> port?
>
>
> Yes.  As a developer, it’s easier to have the ACME code be completely
> separate rather than coordinate with another process.
>

OK.  That at least seems well-defined to me.  I could probably live with it
if others are comfortable.

--Richard



>
> Bruce
>