Re: [Acme] ACME for pre-ACME CAs

"Salz, Rich" <rsalz@akamai.com> Wed, 23 December 2015 14:58 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: Richard Barnes <rlb@ipv.sx>, "acme@ietf.org" <acme@ietf.org>
Thread-Topic: [Acme] ACME for pre-ACME CAs
Thread-Index: AQHRPPPA4rcgUHkCR0C77WT1Jbgg157YqlyA
Date: Wed, 23 Dec 2015 14:57:58 +0000
Message-ID: <06acad764bc94c1ead53e4e0bfcc8180@usma1ex-dag1mb1.msg.corp.akamai.com>
References: <CAL02cgQnXOZFwpbRcbdDAzBjeM2pyqOkoTv3WbXWf_BVT5SdBg@mail.gmail.com>
In-Reply-To: <CAL02cgQnXOZFwpbRcbdDAzBjeM2pyqOkoTv3WbXWf_BVT5SdBg@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/RnMKcTVlhhkP1JC5cBmgfrF-AyY>
Subject: Re: [Acme] ACME for pre-ACME CAs

Speaking not as chair,

I think an "out of band" makes a great deal of sense.  The challenge should have some opaque token that is used; perhaps the URI is enough.  And the response should be some opaque token that the server can use to verify that the challenge was completed (e.g., an opaque ref to an internal transaction-id).


--  
Senior Architect, Akamai Technologies
IM: richsalz@jabber.at Twitter: RichSalz