Re: [Acme] Why "HTTP verification"
Ben Laurie <benl@google.com> Wed, 03 December 2014 16:02 UTC
Return-Path: <benl@google.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F57D1A1BDA for <acme@ietfa.amsl.com>; Wed, 3 Dec 2014 08:02:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.388
X-Spam-Level:
X-Spam-Status: No, score=-1.388 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LCeCI7Swoad0 for <acme@ietfa.amsl.com>; Wed, 3 Dec 2014 08:02:28 -0800 (PST)
Received: from mail-qg0-x229.google.com (mail-qg0-x229.google.com [IPv6:2607:f8b0:400d:c04::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C67581A1BBE for <acme@ietf.org>; Wed, 3 Dec 2014 08:01:39 -0800 (PST)
Received: by mail-qg0-f41.google.com with SMTP id j5so11306160qga.28 for <acme@ietf.org>; Wed, 03 Dec 2014 08:01:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:references:from:date:message-id:subject:to:cc :content-type; bh=n6Z2EVEkI1+iv0LhjbUIVuUPb87RYoQ1B544d6F936w=; b=GnPSr19Cqqgh6QcSlXjVE53UIW4ea1INiAovKz1c/WdXD/8qIdW4AZoo4u0eYDLcqU paC/+4XdVww5t/VqSfQCo76+3atU8bKXafoADk+w2ZXwh/ws2BqCXTozWVe9wwVC70w9 f3w0te2biqFZVmqGcxapRUhv0JBSG6AcSk+d9jSTVJDgFUmdLueQceBoOHhg5wnxehOo cAqsnHkaTYlyXhKFodzMysJVvF584qYTJNsm9jYiJuC+HVN+f7cWwlv0YMqXZFpKd9zX VuIT4C3Jh7XusxQFW80p4xxOQNBUkPLl8bZJzUfjHIE/GzExlAW9mrN2E5snIpSk/eZ/ bq2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:from:date:message-id :subject:to:cc:content-type; bh=n6Z2EVEkI1+iv0LhjbUIVuUPb87RYoQ1B544d6F936w=; b=MI91GkGQFgl968nvQX51fGRJqM6gTgp4RhJQRSaw6W3MPIMxLOSqr07A0iGZUdJm45 6+uCFkU60dPwXy6lJLhpj8Vbek5w0bw06h9M6BtRXB+v6aPUjZw0Ikjd+KjcH0TqFo9A xsPElDE2PTti2y2+eDFWxhcUicbARcd4Vgq2sHyYbIQO6Xq5SsqAzDo0pbb1+ZO/zFrL L4pyRL+vPgw+HUrMaOTtgfvDQ/Y4B/RJyBR0h1ZbQpMfsLY0Vp3B6qOBUVRzVem3lkln KxjIS3Pz83wOlnRtvpGZSyC46h06IbhFGIR7QXyxrZHgktv5bhob1H2LmClSwB/i2Bd9 i9HA==
X-Gm-Message-State: ALoCoQlQXQ5n02KtK0AivaIziwBP6zhWjxZZWS8vvOhkwDJxWo5SQe7WPMQ4yFvRJWWyQMITGZ3r
X-Received: by 10.224.129.196 with SMTP id p4mr8764375qas.1.1417622498629; Wed, 03 Dec 2014 08:01:38 -0800 (PST)
MIME-Version: 1.0
References: <B80ACB30-1A35-440E-B250-AB8C80D1FAF1@vpnc.org> <CAK6vND-001PK0gP_3Txoge2hvYiKPuA+trd9zj7PzaooOOMH3A@mail.gmail.com>
From: Ben Laurie <benl@google.com>
Date: Wed, 03 Dec 2014 16:01:37 +0000
Message-ID: <CABrd9STe2DrT3YnUQbUe_aO9QHOzmS0Y7MWN4GHU4ZHm5bQoDA@mail.gmail.com>
To: Peter Bowen <pzbowen@gmail.com>, Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: multipart/alternative; boundary="001a11c2cc9e7520ac050951f5df"
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/VJvNVPQdmdqBjQaObGXeILju8BA
Cc: acme@ietf.org
Subject: Re: [Acme] Why "HTTP verification"
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Dec 2014 16:02:30 -0000
On Tue Dec 02 2014 at 7:15:54 PM Peter Bowen <pzbowen@gmail.com> wrote: > On Tue, Dec 2, 2014 at 10:05 AM, Paul Hoffman <paul.hoffman@vpnc.org> > wrote: > > Greetings again. A few people have asked for HTTP-based verification for > the certificate request, but I'm not sure that is needed. Are there > environments where someone who will be able to stand up a server with a > CA-issued cert on HTTPS-over-443 could not stand up such a service with a > temporary self-issued cert? If not, what is the value of checking if the > person can control the content on port 80? > > The primary case where I see a problem is when the site already has a > trusted certificate and wants to use ACME to get a new certificate. > They are unlikely to want to replace their working certificate with a > self-signed certificate. Why would you need to replace it? You use SNI on some new domain... > So the proof would need to happen at the > HTTP layer, not the TLS layer. > > Thanks, > Peter > > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme >
- [Acme] Why "HTTP verification" Paul Hoffman
- Re: [Acme] Why "HTTP verification" Peter Bowen
- Re: [Acme] Why "HTTP verification" Viktor Dukhovni
- Re: [Acme] Why "HTTP verification" Peter Bowen
- Re: [Acme] Why "HTTP verification" Phillip Hallam-Baker
- Re: [Acme] Why "HTTP verification" Ángel González
- Re: [Acme] Why "HTTP verification" Eric Mill
- Re: [Acme] Why "HTTP verification" Martin Thomson
- Re: [Acme] Why "HTTP verification" Ben Laurie
- Re: [Acme] Why "HTTP verification" Martin Thomson
- Re: [Acme] Why "HTTP verification" Peter Bowen