Re: [Acme] Server on >= 1024 port
Phillip Hallam-Baker <phill@hallambaker.com> Wed, 02 December 2015 17:25 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 931551AC417 for <acme@ietfa.amsl.com>; Wed, 2 Dec 2015 09:25:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QAf-WiLcxAPV for <acme@ietfa.amsl.com>; Wed, 2 Dec 2015 09:25:58 -0800 (PST)
Received: from mail-lf0-x233.google.com (mail-lf0-x233.google.com [IPv6:2a00:1450:4010:c07::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B5F01AC40F for <acme@ietf.org>; Wed, 2 Dec 2015 09:25:57 -0800 (PST)
Received: by lfs39 with SMTP id 39so56399394lfs.3 for <acme@ietf.org>; Wed, 02 Dec 2015 09:25:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=DLSvElnOvmChF0rC7NCT11jOQuOsYFMaIXcDHFLV9Lw=; b=FSCS+7/CABjAoWHrzqcPOEaAv/8wSQkXbxevq7l0zrFQ/aM2yi27ju9aPfdD/QwhWT y1RlerRXIC0RLewVotWU+qEC71mItKJdMmjappCbflIK6uGusEiH8TC6DI6n/T7EjH+6 qaZl6Bv+b4Bv5EyFBldlSAtdaSISycIh3vVEFfov48g5oEBdr6zTJsyE+pH1Uo1o4lvF cpliAEJmoGmb+XlnIcL2UC+pPJJaH+uBAk5ZO/8/1Kju13v0vChgEBnqJoSzPJp6yd1y 5B3UO0Kmnfs5C+65thIxQPHCw+8xfOZ4YfBfST646FWKCvqZ9T2sm9TZf5rGfhNb9JU0 4+yw==
MIME-Version: 1.0
X-Received: by 10.25.206.203 with SMTP id e194mr3347874lfg.166.1449077155552; Wed, 02 Dec 2015 09:25:55 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.1.227 with HTTP; Wed, 2 Dec 2015 09:25:55 -0800 (PST)
In-Reply-To: <23dcf9f85a6a400ca76196e096d22da6@usma1ex-dag1mb1.msg.corp.akamai.com>
References: <565589E4.2030107@desy.de> <565EBF56.3070502@desy.de> <D836A378-DA88-4AAF-B1E4-F34A80319DC1@gmail.com> <e9092589f3204a449af8b6f900be1303@usma1ex-dag1mb1.msg.corp.akamai.com> <CAL02cgQPZrx5d1xO-xKEQrV+pZKLkhYW_XDSm=QM8THs__s5qQ@mail.gmail.com> <CANUQDChMFShsjVxOP4XfiMuP3PkKTitr5MM3y3AaNjgyPeaFgA@mail.gmail.com> <23dcf9f85a6a400ca76196e096d22da6@usma1ex-dag1mb1.msg.corp.akamai.com>
Date: Wed, 02 Dec 2015 12:25:55 -0500
X-Google-Sender-Auth: sjQSY2nfVy_84gFVG3RlGG-lxao
Message-ID: <CAMm+LwjZc149hfJ3OE-Vi4BgZUdaKqJ1-drKDppMAmqv-JBwxQ@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: "Salz, Rich" <rsalz@akamai.com>
Content-Type: multipart/alternative; boundary="001a1141257e1be2fb0525ed9175"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/VYQbZExsfK_9QuifU5vu0RqHrmM>
Cc: Richard Barnes <rlb@ipv.sx>, Paul Millar <paul.millar@desy.de>, "acme@ietf.org" <acme@ietf.org>, Niklas Keller <me@kelunik.com>, Yoav Nir <ynir.ietf@gmail.com>
Subject: Re: [Acme] Server on >= 1024 port
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2015 17:25:59 -0000
On Wed, Dec 2, 2015 at 11:52 AM, Salz, Rich <rsalz@akamai.com> wrote: > > Otherwise there's no difference between 443 and any other priviledged > port. > > What's a privileged port? :) Clearly it's a local construct, at best. > > That is especially so in the new era of .NET Core and Raspberry Pi Zero. One of the most powerful ways to run .NET Core is on bare metal on a constrained device like a RaPi. I have a few RaPi's in the house that are dedicated to one purpose. If you are developing code for an embedded device there is no separation between the 'root' and 'user' levels whatsoever. The closest you are likely to come is that you may have a co-processor that will allow you to install a public key pair in a secure partition so you can write to the private key store and do private key operations but not a private key read operation. These devices don't have an operating system. They just have the application code running on a core library that is essentially just a BIOS and some commonly used subroutines. Oh and lots of these run Web Sites and you can put ASP on them. So they behave like hosting services. Assigning a well known port for ACME validation is a non starter because there is no way that you are going to get all the half dozen suppliers of sub $30 computers to all implement code to restrict the port. What could work would be to assign a well known port for ACME and allow it to be used PROVIDED THAT there is an indication in the DNS. This could be an SRV record but I would prefer it to leverage CAA because this would be an attribute designed to support certificate issue and CAA is therefore the record to use. So we might have a record of the form: example.com CAA 0 acmedv1 "port=666" I prefer that over SRV because of separation of concerns. There might be really good reasons to allow general access to the SRV record while CAA is obviously a record that should be restricted because it is concerned with cert issue. trying to use SRV would mean giving new semantics to an existing record. If we are going to use CAA however, why not just put a key/fingerprint into a CAA record that specifies a key that can be used to validate requests?
- [Acme] Server on >= 1024 port Paul Millar
- Re: [Acme] Server on >= 1024 port moparisthebest
- Re: [Acme] Server on >= 1024 port Eric Rescorla
- Re: [Acme] Server on >= 1024 port moparisthebest
- Re: [Acme] Server on >= 1024 port Roland Zink
- Re: [Acme] Server on >= 1024 port Martin Thomson
- Re: [Acme] Server on >= 1024 port Paul Millar
- Re: [Acme] Server on >= 1024 port Randy Bush
- Re: [Acme] Server on >= 1024 port Yoav Nir
- Re: [Acme] Server on >= 1024 port Yoav Nir
- Re: [Acme] Server on >= 1024 port Rob Stradling
- Re: [Acme] Server on >= 1024 port Stephen Farrell
- Re: [Acme] Server on >= 1024 port Rob Stradling
- Re: [Acme] Server on >= 1024 port Paul Millar
- Re: [Acme] Server on >= 1024 port Phillip Hallam-Baker
- Re: [Acme] Server on >= 1024 port Yoav Nir
- Re: [Acme] Server on >= 1024 port Salz, Rich
- Re: [Acme] Server on >= 1024 port Richard Barnes
- Re: [Acme] Server on >= 1024 port Niklas Keller
- Re: [Acme] Server on >= 1024 port Ted Hardie
- Re: [Acme] Server on >= 1024 port Salz, Rich
- Re: [Acme] Server on >= 1024 port Phillip Hallam-Baker
- Re: [Acme] Server on >= 1024 port Phillip Hallam-Baker
- Re: [Acme] Server on >= 1024 port Romain Fliedel
- Re: [Acme] Server on >= 1024 port Ted Hardie
- Re: [Acme] Server on >= 1024 port Phillip Hallam-Baker
- Re: [Acme] Server on >= 1024 port Romain Fliedel
- Re: [Acme] Server on >= 1024 port Phillip Hallam-Baker
- Re: [Acme] Server on >= 1024 port Peter Eckersley
- Re: [Acme] Server on >= 1024 port Peter Eckersley
- Re: [Acme] Server on >= 1024 port Peter Eckersley
- Re: [Acme] Server on >= 1024 port James Cloos
- Re: [Acme] Server on >= 1024 port Richard Barnes
- Re: [Acme] Server on >= 1024 port Phillip Hallam-Baker
- Re: [Acme] Server on >= 1024 port Peter Eckersley
- Re: [Acme] Server on >= 1024 port James Cloos
- Re: [Acme] Server on >= 1024 port Eric Rescorla
- Re: [Acme] Server on >= 1024 port Niklas Keller
- Re: [Acme] Server on >= 1024 port Randy Bush
- Re: [Acme] Server on >= 1024 port Eric Mill
- Re: [Acme] Server on >= 1024 port Darren J Moffat
- Re: [Acme] Server on >= 1024 port Rob Stradling
- Re: [Acme] Server on >= 1024 port Ángel González
- Re: [Acme] Server on >= 1024 port Vincent Lynch