IETF Logo Mail Archive

Re: [Acme] Server on >= 1024 port

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 02 December 2015 17:25 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 931551AC417 for <acme@ietfa.amsl.com>; Wed, 2 Dec 2015 09:25:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QAf-WiLcxAPV for <acme@ietfa.amsl.com>; Wed, 2 Dec 2015 09:25:58 -0800 (PST)
Received: from mail-lf0-x233.google.com (mail-lf0-x233.google.com [IPv6:2a00:1450:4010:c07::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B5F01AC40F for <acme@ietf.org>; Wed, 2 Dec 2015 09:25:57 -0800 (PST)
Received: by lfs39 with SMTP id 39so56399394lfs.3 for <acme@ietf.org>; Wed, 02 Dec 2015 09:25:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=DLSvElnOvmChF0rC7NCT11jOQuOsYFMaIXcDHFLV9Lw=; b=FSCS+7/CABjAoWHrzqcPOEaAv/8wSQkXbxevq7l0zrFQ/aM2yi27ju9aPfdD/QwhWT y1RlerRXIC0RLewVotWU+qEC71mItKJdMmjappCbflIK6uGusEiH8TC6DI6n/T7EjH+6 qaZl6Bv+b4Bv5EyFBldlSAtdaSISycIh3vVEFfov48g5oEBdr6zTJsyE+pH1Uo1o4lvF cpliAEJmoGmb+XlnIcL2UC+pPJJaH+uBAk5ZO/8/1Kju13v0vChgEBnqJoSzPJp6yd1y 5B3UO0Kmnfs5C+65thIxQPHCw+8xfOZ4YfBfST646FWKCvqZ9T2sm9TZf5rGfhNb9JU0 4+yw==
MIME-Version: 1.0
X-Received: by 10.25.206.203 with SMTP id e194mr3347874lfg.166.1449077155552; Wed, 02 Dec 2015 09:25:55 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.1.227 with HTTP; Wed, 2 Dec 2015 09:25:55 -0800 (PST)
In-Reply-To: <23dcf9f85a6a400ca76196e096d22da6@usma1ex-dag1mb1.msg.corp.akamai.com>
References: <565589E4.2030107@desy.de> <565EBF56.3070502@desy.de> <D836A378-DA88-4AAF-B1E4-F34A80319DC1@gmail.com> <e9092589f3204a449af8b6f900be1303@usma1ex-dag1mb1.msg.corp.akamai.com> <CAL02cgQPZrx5d1xO-xKEQrV+pZKLkhYW_XDSm=QM8THs__s5qQ@mail.gmail.com> <CANUQDChMFShsjVxOP4XfiMuP3PkKTitr5MM3y3AaNjgyPeaFgA@mail.gmail.com> <23dcf9f85a6a400ca76196e096d22da6@usma1ex-dag1mb1.msg.corp.akamai.com>
Date: Wed, 02 Dec 2015 12:25:55 -0500
X-Google-Sender-Auth: sjQSY2nfVy_84gFVG3RlGG-lxao
Message-ID: <CAMm+LwjZc149hfJ3OE-Vi4BgZUdaKqJ1-drKDppMAmqv-JBwxQ@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: "Salz, Rich" <rsalz@akamai.com>
Content-Type: multipart/alternative; boundary="001a1141257e1be2fb0525ed9175"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/VYQbZExsfK_9QuifU5vu0RqHrmM>
Cc: Richard Barnes <rlb@ipv.sx>, Paul Millar <paul.millar@desy.de>, "acme@ietf.org" <acme@ietf.org>, Niklas Keller <me@kelunik.com>, Yoav Nir <ynir.ietf@gmail.com>
Subject: Re: [Acme] Server on >= 1024 port
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2015 17:25:59 -0000

On Wed, Dec 2, 2015 at 11:52 AM, Salz, Rich <rsalz@akamai.com> wrote:

> > Otherwise there's no difference between 443 and any other priviledged
> port.
>
> What's a privileged port? :)  Clearly it's a local construct, at best.
>
>
That is especially so in the new era of .NET Core and Raspberry Pi Zero.

One of the most powerful ways to run .NET Core is on bare metal on a
constrained device like a RaPi. I have a few RaPi's in the house that are
dedicated to one purpose.


If you are developing code for an embedded device there is no separation
between the 'root' and 'user' levels whatsoever. The closest you are likely
to come is that you may have a co-processor that will allow you to install
a public key pair in a secure partition so you can write to the private key
store and do private key operations but not a private key read operation.

These devices don't have an operating system. They just have the
application code running on a core library that is essentially just a BIOS
and some commonly used subroutines.

Oh and lots of these run Web Sites and you can put ASP on them. So they
behave like hosting services.


Assigning a well known port for ACME validation is a non starter because
there is no way that you are going to get all the half dozen suppliers of
sub $30 computers to all implement code to restrict the port.

What could work would be to assign a well known port for ACME and allow it
to be used PROVIDED THAT there is an indication in the DNS.

This could be an SRV record but I would prefer it to leverage CAA because
this would be an attribute designed to support certificate issue and CAA is
therefore the record to use.


So we might have a record of the form:

example.com  CAA  0 acmedv1 "port=666"


I prefer that over SRV because of separation of concerns. There might be
really good reasons to allow general access to the SRV record while CAA is
obviously a record that should be restricted because it is concerned with
cert issue. trying to use SRV would mean giving new semantics to an
existing record.

If we are going to use CAA however, why not just put a key/fingerprint into
a CAA record that specifies a key that can be used to validate requests?

v2.23.0 | Report a Bug | By Email