Re: [Acme] Benjamin Kaduk's Yes on draft-ietf-acme-ip-07: (with COMMENT)
Roland Shoemaker <roland@letsencrypt.org> Tue, 01 October 2019 17:31 UTC
Return-Path: <roland@letsencrypt.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EB2D120289 for <acme@ietfa.amsl.com>; Tue, 1 Oct 2019 10:31:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Evh0Cn1QAuhe for <acme@ietfa.amsl.com>; Tue, 1 Oct 2019 10:31:06 -0700 (PDT)
Received: from mail-oi1-x22b.google.com (mail-oi1-x22b.google.com [IPv6:2607:f8b0:4864:20::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8DDB1207FD for <acme@ietf.org>; Tue, 1 Oct 2019 10:31:06 -0700 (PDT)
Received: by mail-oi1-x22b.google.com with SMTP id t84so15150236oih.10 for <acme@ietf.org>; Tue, 01 Oct 2019 10:31:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=zgstDGsbjohyWk1cnp9TiV7fFNEfaArgwths2RjMLwI=; b=c4L7cVrC8aVLO8xuszRYfkLNjqLp7c5VBFREEghQKgPKz6QPXAuQIqxFDZpAPgu7Do LUZVOuhZ/+Q+bD42pPI337yKGZF0fAD2GmR97KNB5C0V0FyBjTZoMyLuOlh5LEdDmDXx /eYkXR81Tlpdg3t/DxXjbf+rogNtkZd0579Fo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=zgstDGsbjohyWk1cnp9TiV7fFNEfaArgwths2RjMLwI=; b=Hwfo/3jLYYDN7yKGSULJ5A0Zl7rZOdyPjHjDRtklXmg3A63Vm7E5ul22+gD3+cXF0e 1ay0WCDiLskkNhm5obFxFHCAuLNcFo4U0gxCmpM8TozgS9fa5slGyXjXs6pUbbJdPJ0Z Pc4pagzGaAfhmTrOy3kRIqRE2scpvqNVOPwxfIjcUBPZxhxTlImIsIEBX07PxTQP9vdd ijd1Td3FJzeO5FGQY/6a/ghNbiwagOryMJOaBwo00sYdFx5spD+sai9Gt9lShqDR0NUv 5kll8IePOhAPwRrZt4R9HvwKsGWmH8KfO0sx45D1QlHJyMFyuHaVh0I70f2JBnnP3++K dy1A==
X-Gm-Message-State: APjAAAUSG8jf9xrtp2yptH5z/r0WQ1TX0ATYzVfpGJpyqP3Xh/7QNzy/ 2EPNfRoGZDR/4SK1i4c9fPQbYA==
X-Google-Smtp-Source: APXvYqxvxoGl8fVb4WGfygV+CX3USAwEB/hbjHPpCAtG7GIsXA/LZU+Pl4//zvV8taDHuovwYzmKSQ==
X-Received: by 2002:aca:5693:: with SMTP id k141mr4930008oib.28.1569951066085; Tue, 01 Oct 2019 10:31:06 -0700 (PDT)
Received: from ?IPv6:2600:1700:bd50:a5b0:acbd:9dc3:a492:1744? ([2600:1700:bd50:a5b0:acbd:9dc3:a492:1744]) by smtp.gmail.com with ESMTPSA id m20sm4780042oih.43.2019.10.01.10.31.04 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 01 Oct 2019 10:31:05 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
From: Roland Shoemaker <roland@letsencrypt.org>
In-Reply-To: <156989198118.24161.14973758653510180999.idtracker@ietfa.amsl.com>
Date: Tue, 01 Oct 2019 10:31:03 -0700
Cc: The IESG <iesg@ietf.org>, draft-ietf-acme-ip@ietf.org, Daniel McCarney <cpu@letsencrypt.org>, acme-chairs@ietf.org, acme@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <6487EA84-B502-4820-8C0A-0EAD5F0BF80E@letsencrypt.org>
References: <156989198118.24161.14973758653510180999.idtracker@ietfa.amsl.com>
To: Benjamin Kaduk <kaduk@mit.edu>
X-Mailer: Apple Mail (2.3445.104.8)
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/SH5rG8EPIB0YyXmMTzTg64R_1hA>
Subject: Re: [Acme] Benjamin Kaduk's Yes on draft-ietf-acme-ip-07: (with COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Oct 2019 17:31:09 -0000
Hey Benjamin, Thanks for the review, I’ve replied to your two comments inline: > On Sep 30, 2019, at 6:06 PM, Benjamin Kaduk via Datatracker <noreply@ietf.org> wrote: > > Benjamin Kaduk has entered the following ballot position for > draft-ietf-acme-ip-07: Yes > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-acme-ip/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Section 7 > > There's perhaps some "action at a distance" going on here, in that we > try to apply normative requirements on unrelated things. Perhaps it's > safer to just say "this document does not define any usage of the > 'dns-01' challenge to validate IP addresses. But if we can definitively > rule out any future use, then it doesn't really matter. There is currently no way to use the dns-01 method as specified in 8555 for IP addresses. Including a MUST NOT here was mainly a belt and bracers attempt to prevent future implementers from attempting to come up with a novel way of applying the method (there was initially some work in this document that did try to do this, but there were enough security concerns with the method proposed that the work was discarded.) > > Section 9 > > Is there anything to say about issuing certificates for > non-publicly-routable IP addresses in terms of ensuring that the ACME > server and client are in the same administrative domain [and enforcing > that by network topology]? > I feel like this gets into dictating a level of policy that I’m not comfortable with in this document, especially given the wide and varying topologies that exist within enterprise networks which we are unlikely to be able to properly document and restrict (and is likely better served by internally dictated policies rather than at the standards level).
- [Acme] Benjamin Kaduk's Yes on draft-ietf-acme-ip… Benjamin Kaduk via Datatracker
- Re: [Acme] Benjamin Kaduk's Yes on draft-ietf-acm… Roland Shoemaker