Re: [Acme] Issuing certificates based on Simple HTTP challenges

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 16 December 2015 20:37 UTC

To: Phillip Hallam-Baker <phill@hallambaker.com>
Message-ID: <5671CB81.50003@cs.tcd.ie>
In-Reply-To: <CAMm+Lwi+O78YhkcKVtWERGW4=itjsC64=_Oyt8kpX-UjM+9G5g@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/XSI7_P6dkYuQWQ6n-lHnkY6Or98>
Cc: "acme@ietf.org" <acme@ietf.org>, Michael Wyraz <michael@wyraz.de>


On 16/12/15 20:32, Phillip Hallam-Baker wrote:
> On Wed, Dec 16, 2015 at 3:27 PM, Stephen Farrell
> <stephen.farrell@cs.tcd.ie> wrote:
>>
>>
>> On 16/12/15 20:11, Michael Wyraz wrote:
>>> Stephen,
>>>
>>> I fear I have no idea what you mean by a "suffix list" and such.
>>
>> (Caveat: I'm very much an amateur at DNS issues, I hope someone
>> else provides a better/more accurate response if one's needed.)
>>
>> Pretty much all mechanisms of the kind you envisage end up
>> requiring a way to allow the "real" authority for a set of
>> names to control what happens deeper in the hierarchy. So
>> tcd.ie could decide what cs.tcd.ie are allowed to do with
>> acme for example. That means you end up needing to know
>> roughly where the zone cuts are, which is a hard problem
>> in general. The public suffix list is how that's mostly
>> done in the web and dbound is (an IETF activity) trying to
>> tease apart the various uses of that.
>>
>> So one of the problems with what you suggest is that the
>> "right" place to look for my web servers is two up in the
>> hierarchy and not the public suffix and not one up.
>
> No, that isn't what we do for DV certs unless they are wildcard certs.
> 
> You are not going to be issuing wildcard certs with this mousetrap
> built in this particular way for a long time.

Right. But any proposal to use SRV for a DV-equivalent seems to
me to open this can of worms. Feel free to write the I-D that
shows that I'm wrong, though, as I may well be misinterpreting
what Michael or you mean.

S.
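The zone-cut problem Stephen describes above, as an added example that is not code from this thread or from any ACME implementation: a minimal Public Suffix List matcher (normal, wildcard and exception rules) that shows, for a name such as cs.tcd.ie, that "one label up", "two labels up" and "the registrable domain above the public suffix" name different authorities depending on the input. The PSL rules and hostnames are a constructed subset assumed for illustration.

```python
# Added example: a small PSL matcher. PSL_RULES is a constructed subset
# written in the real list's rule syntax ("*." wildcard, "!" exception).
PSL_RULES = ["ie", "com", "uk", "co.uk", "*.ck", "!www.ck"]


def _labels(name):
    return name.lower().strip(".").split(".")


def _rule_matches(rule_labels, labels):
    # Compare right to left; "*" matches exactly one label.
    if len(rule_labels) > len(labels):
        return False
    return all(r == "*" or r == n for r, n in zip(reversed(rule_labels), reversed(labels)))


def public_suffix(name):
    labels = _labels(name)
    best = None  # (is_exception, rule_labels) of the prevailing rule
    for rule in PSL_RULES:
        is_exc = rule.startswith("!")
        rl = rule.lstrip("!").split(".")
        if not _rule_matches(rl, labels):
            continue
        if is_exc:  # an exception rule overrides any wildcard rule
            best = (True, rl)
            break
        if best is None or len(rl) > len(best[1]):  # longest rule wins
            best = (False, rl)
    if best is None:       # nothing matched: the PSL default rule "*"
        n = 1
    elif best[0]:          # exception: suffix is the rule minus its first label
        n = len(best[1]) - 1
    else:
        n = len(best[1])
    return ".".join(labels[-n:])


def registrable_domain(name):
    labels = _labels(name)
    n = public_suffix(name).count(".") + 1
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None


def candidate_authorities(name):
    # The candidates the thread contrasts, side by side for one name.
    labels = _labels(name)
    return {
        "one_up": ".".join(labels[1:]) or None,
        "two_up": ".".join(labels[2:]) or None,
        "public_suffix": public_suffix(name),
        "registrable": registrable_domain(name),
    }
```

For cs.tcd.ie "two up" is the public suffix itself, while for www.cs.tcd.ie it is the registrable domain; for www.example.co.uk "two up" lands on co.uk, which no single party controls.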