Re: [Acme] acme in a firewalled environment

Phillip Hallam-Baker <phill@hallambaker.com> Tue, 02 December 2014 18:36 UTC

To: Ben Schumacher <bschumac@cisco.com>
Cc: "acme@ietf.org" <acme@ietf.org>
In-Reply-To: <547DFE94.6090307@cisco.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/X8SOFm2KRB2noEf74XLv4x5etz0

I would assert that it is completely in scope because we have the most
experience of meeting this requirement.

It is also the only model that is going to scale long term. Right now
I have 20 services running on 5 servers in my house and I am an
outlier. It won't be long before that is a commonplace situation for
Internet of Things. The consumer use case is going to look very much
like the enterprise.

If you want encryption everywhere then you have to support a mechanism
that allows one successful validation interaction to be amortized over
multiple certificate subscriptions.

It is easy enough to do. It is simply a matter of getting the
architecture right. And that isn't too difficult since we have at
least two tried and tested proprietary schemes that can be used as
starting points (OK, I don't speak for Symantec's willingness to
contribute, but Comodo would certainly like to be out of the server
plug-in maintenance game).

On Tue, Dec 2, 2014 at 1:01 PM, Ben Schumacher <bschumac@cisco.com> wrote:
> On 12/2/14 10:52 AM, Eliot Lear wrote:
>>
>> Question:
>>
>> Are the myriad of enterprise servers in scope for ACME?  In those
>> environments it's not unreasonable to assume that a firewall exists to
>> prevent incoming connections, and DNS control is not available.  In fact
>> split DNS might introduce all sorts of fun resolution issues even if
>> control is possible from the inside.
>
>
> Eliot-
>
> I would say it is probably out of scope, with regard to public CAs, but
> there is nothing that would prevent an enterprise-wide CA that could be ACME
> enabled.
>
> For example, ACME could be integrated into the Certificate Management
> functionality of your enterprise directory services / host management
> infrastructure.
>
> Thanks,
> Ben