Re: [Acme] Server on >= 1024 port
Richard Barnes <rlb@ipv.sx> Wed, 02 December 2015 15:17 UTC
I agree that we're converging on some rough consensus, but I would frame it (again) slightly differently:

1. ACME needs to validate domain control, not domain+port control, because (1) there is no current mechanism for issuing certificates for domain+port (vs. just domain), and (2) the primary use cases for ACME right now (DV certs, and possibly OV/EV) don't have any notion of ports.

2. Thus the port used for validation needs to be one such that control of the port is effectively control of the domain. If you look at what CAs do today, that basically means the port is 80/443. More generally, it means that the port needs to be specified by the challenge mechanism and not by the client.

So that leaves us with 80/443 for the challenges we have today. If people want to define, say, a CalDAV challenge, they can argue for a new challenge type, but ISTM it'll be a hard sell.

It's also worth noting that just because we define challenge types doesn't mean any particular CA will support them (that's the point of extensibility). For example, Let's Encrypt doesn't support the "dns-01" challenge.

--Richard

On Wed, Dec 2, 2015 at 9:43 AM, Salz, Rich <rsalz@akamai.com> wrote:
> Speaking as co-chair, I think Yoav's summary is more accurate. The consensus in the room at Yokohama was that there is not real support for other than 443, but that we need to discuss this on the list "one last time." I think closing discussion is a bit premature, but at this point there seems rough consensus to not require other than 443.
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
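The design rule argued in the message above (the validation port is fixed by the challenge type, never supplied by the client, so that control of the port really is control of the domain) can be expressed as a small CA-side check. The following is an added illustration, not code from the ACME specification, the thread, or any CA; the challenge names, the port table, the `/.well-known/acme-challenge/` path and all function names are assumptions made for this example.

```python
"""Added example: build a validation target for an ACME-style challenge
while refusing to let the requesting client choose the port.

Assumptions (not taken from the thread or the ACME spec):
  - a challenge table pins one port per challenge type
  - identifiers are bare DNS names; anything carrying a port, scheme or
    path is rejected instead of honoured
"""

import re
from dataclasses import dataclass

# Assumed challenge -> port table: the port is a property of the challenge.
CHALLENGE_PORTS = {"http-01": 80, "tls-sni-01": 443}

# Hostname shape: labels of 1-63 chars, no leading/trailing hyphen, <= 253 total.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$"
)


class IdentifierError(ValueError):
    """Raised when a client-supplied identifier tries to steer validation."""


@dataclass(frozen=True)
class ValidationTarget:
    host: str
    port: int
    challenge: str


def normalize_dns_identifier(value: str) -> str:
    """Accept only a bare DNS name (case-folded, trailing dot stripped).

    A ':port', a scheme or a path would let the client pick where the CA
    connects, so each of those is rejected outright.
    """
    v = value.strip().lower().rstrip(".")
    if "://" in v or "/" in v:
        raise IdentifierError(f"identifier must be a bare hostname: {value!r}")
    if ":" in v:
        raise IdentifierError(f"identifier must not carry a port: {value!r}")
    if not _HOSTNAME.match(v):
        raise IdentifierError(f"not a valid DNS name: {value!r}")
    return v


def validation_target(identifier: str, challenge: str) -> ValidationTarget:
    """Resolve where the CA will connect: host from the identifier, port
    from the challenge table, and nothing else from the client."""
    host = normalize_dns_identifier(identifier)
    if challenge not in CHALLENGE_PORTS:
        raise IdentifierError(f"unsupported challenge type: {challenge!r}")
    return ValidationTarget(host, CHALLENGE_PORTS[challenge], challenge)


def validation_url(identifier: str, token: str) -> str:
    """URL the CA would fetch for the assumed http-01 challenge. The port is
    80 by construction (implicit in the http scheme), regardless of input."""
    t = validation_target(identifier, "http-01")
    # Constructed path for illustration; port 80 is implied by the scheme.
    return f"http://{t.host}/.well-known/acme-challenge/{token}"


if __name__ == "__main__":
    # Constructed sample inputs.
    print(validation_url("Example.COM.", "tok123"))
    for bad in ("example.com:8443", "https://example.com", "example.com/x"):
        try:
            validation_target(bad, "http-01")
        except IdentifierError as e:
            print("rejected:", e)
```

The point of the check is the asymmetry: a client can influence the hostname (that is what it is asking a certificate for) but the port is looked up from the challenge type, so an identifier such as `example.com:8443` is an error rather than an alternative validation endpoint.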