Re: [Acme] Want client-defined callback port

Bruce Gaya <gaya@apple.com> Thu, 16 April 2015 23:10 UTC

Return-Path: <gaya@apple.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3A9F1A1BAA for <acme@ietfa.amsl.com>; Thu, 16 Apr 2015 16:10:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WRvxOSJlC6KI for <acme@ietfa.amsl.com>; Thu, 16 Apr 2015 16:10:44 -0700 (PDT)
Received: from mail-in4.apple.com (mail-out4.apple.com [17.151.62.26]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CFF3C1A1B57 for <acme@ietf.org>; Thu, 16 Apr 2015 16:10:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1429225844; x=2293139444; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-transfer-encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=t+leiVr9GaV7lDfeMMwgkd/9CvbOOP+8ecAm8uLT97c=; b=o8buzJ+QJ1TiZQWWi7V6LUldFTzne7isj6syir4vxrQPvJJh/0EUpoBYH2Z/zdWQ WgkK9V7lBbd6sayNQIBoEVdTlKhNcx0qr34qxYTvoJL1S35hpf3s8/SUWBjJ0DYl hwtC86IsGKGBJOnYHU38PFYY7DaUGEHCBH+vHPKUZ72327k/JxfLiGyL28lyEvkA B7cwKsI/rGFFQlJIGnIF1/TFi3fBwQW5RoW8fuVbdEmg/3lNzPMpmMfDvy8FSV0K 9mOYReuCPp9DcXX/EyP25EPQbIPVbk8336Ik/Mu8/DZ8eKCc6hFR2bomY3IQ8ydp 6loHWZ6Wu350zWrEIJBQsw==;
Received: from relay2.apple.com (relay2.apple.com [17.128.113.67]) by mail-in4.apple.com (Apple Secure Mail Relay) with SMTP id 14.CA.18963.47140355; Thu, 16 Apr 2015 16:10:44 -0700 (PDT)
X-AuditID: 11973e12-f79456d000004a13-24-553041745a39
Received: from chive.apple.com (chive.apple.com [17.128.115.15]) (using TLS with cipher RC4-MD5 (128/128 bits)) (Client did not present a certificate) by relay2.apple.com (Apple SCV relay) with SMTP id 89.2A.05232.56140355; Thu, 16 Apr 2015 16:10:29 -0700 (PDT)
Received: from [17.153.62.199] by chive.apple.com (Oracle Communications Messaging Server 7.0.5.30.0 64bit (built Oct 22 2013)) with ESMTPSA id <0NMX00JK69PIQH20@chive.apple.com> for acme@ietf.org; Thu, 16 Apr 2015 16:10:44 -0700 (PDT)
MIME-version: 1.0 (Mac OS X Mail 8.2 \(2098\))
Content-type: text/plain; charset=utf-8
From: Bruce Gaya <gaya@apple.com>
In-reply-to: <55303319.1030707@eff.org>
Date: Thu, 16 Apr 2015 16:10:28 -0700
Content-transfer-encoding: quoted-printable
Message-id: <E6177D18-2C31-4725-976D-FB3FE12FAA03@apple.com>
References: <352DA5FE-AC6F-49A7-8F9F-70A74889204F@apple.com> <55303319.1030707@eff.org>
To: Jacob Hoffman-Andrews <jsha@eff.org>
X-Mailer: Apple Mail (2.2098)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrHLMWRmVeSWpSXmKPExsUi2FDorFviaBBqsPW+lMWq54EOjB5Llvxk CmCM4rJJSc3JLEst0rdL4MpoXLmKtWALe8WM9p3sDYxfWLsYOTgkBEwk/v+O6mLkBDLFJC7c W8/WxcjFISSwl1GiaeF6FoiEicSihfcYIRLdTBIPD99ih3A+MkpcWXCCEaRKWMBU4tC7ZWA2 r4CexJzrC9hANjALqEtMmZILEmYTUJSY3vqCCcTmBAr3z7jJBmKzCKhK9HQfBIszCwhK7Dnx nRnC1pZ48u4CK8RIG4mGnUvA6oUEIiUufpgIVi8ioCGxcUU/M8QzshJft8qBnCYh8JZVYubr FUwTGIVnIbloFsJFs5BsWMDIvIpRKDcxM0c3M89EL7GgICdVLzk/dxMjKICn2wntYDy1yuoQ owAHoxIPr0eCfqgQa2JZcWXuIUZpDhYlcd5JqnqhQgLpiSWp2ampBalF8UWlOanFhxiZODil GhjzH4ikWPuwnrpnJi1dra80Z9tB1ZSzWys3fC3fu+XVwy25/kta/+aLuM5+MkXvBPu8c7IT Q4stbhx+7tnOGT1NybxBvbXd++KqgvUb4wtVmu9O3l6veUFC5P+pw1neXk1dmRbC/G5arzmV 30jv0LkttOb5bR/V1x+n/uELFVx1L73Yu6Q7vVuJpTgj0VCLuag4EQBokg4qQQIAAA==
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrELMWRmVeSWpSXmKPExsUi2FDMr5vqaBBq8GaPicWq54EOjB5Llvxk CmCM4rJJSc3JLEst0rdL4MpoXLmKtWALe8WM9p3sDYxfWLsYOTkkBEwkFi28xwhhi0lcuLee rYuRi0NIoJtJ4uHhW+wQzkdGiSsLToBVCQuYShx6twzM5hXQk5hzfQFQBwcHs4C6xJQpuSBh NgFFiemtL5hAbE6gcP+Mm2wgNouAqkRP90GwOLOAoMSeE9+ZIWxtiSfvLrBCjLSRaNi5BKxe SCBS4uKHiWD1IgIaEhtX9DODrJIQkJX4ulVuAqPALCRHzEI4YhaSoQsYmVcxChSl5iRWGukl FhTkpOol5+duYgSHXKHzDsZjy6wOMQpwMCrx8Hok6IcKsSaWFVfmHmKU4GBWEuHdZ24QKsSb klhZlVqUH19UmpNafIhRmoNFSZz3prJeqJBAemJJanZqakFqEUyWiYNTqoFRO8xO4PgCQUmh J6KxDg1fT3zc22jT9jpQVjHO5nvWac2HCz5HqZV83afq7LIg3eyZ4YZM1drVtwPs7OXneAcX K/rP9V4oNcukxGb3/Ivbtb68mlL4Od3AoXqHpVKFTKSeyLxokwet7uujvD52Bxf9VddIad8m /2t20LEZJ1rNtKstDf5cva3EUpyRaKjFXFScCACqPectNQIAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/TjogOGkl_qYHjB_rzOkACoEUlCg>
Cc: acme@ietf.org
Subject: Re: [Acme] Want client-defined callback port
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Apr 2015 23:10:50 -0000

> On 16 Apr 2015, at 15:09, Jacob Hoffman-Andrews <jsha@eff.org> wrote:
> 
> On 04/15/2015 11:04 PM, Bruce Gaya wrote:
>> I want to use an ACME client to get a new certificate without taking down my existing web services that are using a port 443 (with a self-signed certificate or a certificate issued by another CA).
> Right now the Simple HTTP and DVSNI challenges are designed specifically
> to work well with a running server. For the DVSNI challenge type, the
> web server must support config reloads without downtime in order to make
> the test cert available under a special SNI name. Can you tell us more
> about why these approaches won’t work for you?

Because using a client-defined port for call backs does not have the requirement you just mentioned,  That leads to simpler ACME client design. 

Why must there be a dependency on another process that is already using port 443?

Bruce