Re: [Acme] Server on >= 1024 port

Richard Barnes <rlb@ipv.sx> Wed, 02 December 2015 15:17 UTC

Date: Wed, 02 Dec 2015 10:17:47 -0500
Message-ID: <CAL02cgQPZrx5d1xO-xKEQrV+pZKLkhYW_XDSm=QM8THs__s5qQ@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: "Salz, Rich" <rsalz@akamai.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/Xt0Wh5eiRov8CHPFqKpRiq84bAM>
Cc: Paul Millar <paul.millar@desy.de>, "acme@ietf.org" <acme@ietf.org>, Yoav Nir <ynir.ietf@gmail.com>
Subject: Re: [Acme] Server on >= 1024 port

I agree that we're converging on some rough consensus, but I would
frame it (again) slightly differently:

1. ACME needs to validate domain control, not domain+port control,
because (1) there is no current mechanism for issuing certificates for
domain+port (vs. just domain), and (2) the primary use cases for ACME
right now (DV certs, and possibly OV/EV) don't have any notion of
ports.

2. Thus the port used for validation needs to be one such that control
of the port is effectively control of the domain.

If you look at what CAs do today, that basically means the port is
80/443.  More generally, it means that the port needs to be specified
by the challenge mechanism and not by the client.

So that leaves us with 80/443 for the challenges we have today.  If
people want to define, say, a CalDAV challenge, they can argue for a
new challenge type, but ISTM it'll be a hard sell.

It's also worth noting that just because we define challenge types
doesn't mean any particular CA will support them (that's the point of
extensibility).  For example, Let's Encrypt doesn't support the
"dns-01" challenge.

--Richard


On Wed, Dec 2, 2015 at 9:43 AM, Salz, Rich <rsalz@akamai.com> wrote:
> Speaking as co-chair, I think Yoav's summary is more accurate.  The consensus in the room at Yokohama was that there is not real support for other than 443, but that we need to discuss this on the list "one last time." I think closing discussion is a bit premature, but at this point there seems rough consensus to not require other than 443.
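A defender-side model of the rule Richard argues for above, that the validation port is fixed by the challenge type and never chosen by the client; this is an added illustration, not code from the thread or from any ACME implementation, and the challenge table, the identifier grammar and the helper names are assumptions made for the example.

```python
# Model of the rule argued for in this thread: the CA, not the client,
# decides which port a challenge is validated on. Added illustration only;
# it is not code from any ACME implementation.
import re
from typing import Tuple

# Constructed table for the example. It mirrors the thread's position that
# today's challenge types validate on 80/443; it is not a normative registry.
CHALLENGE_PORTS = {"http-01": 80, "tls-sni-01": 443}

PRIVILEGED_PORT_LIMIT = 1024  # binding below this needs host privileges on Unix

# Bare DNS name: labels of letters, digits and hyphens; no port, path or scheme.
_DNS_NAME = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def validation_target(challenge_type: str, identifier: str) -> Tuple[str, int]:
    """Return (host, port) the CA connects to for this challenge.

    The identifier comes from the authorization object. A ':port' suffix or
    any other decoration is rejected instead of honoured, so a client cannot
    steer validation to a port it could bind without controlling the host.
    """
    try:
        port = CHALLENGE_PORTS[challenge_type]
    except KeyError:
        raise ValueError(f"unsupported challenge type: {challenge_type}") from None
    if not _DNS_NAME.match(identifier):
        raise ValueError(f"identifier must be a bare lowercase DNS name: {identifier!r}")
    # Defensive check on the table itself, encoding the thread's argument:
    # only a port whose control implies control of the host is acceptable.
    if port >= PRIVILEGED_PORT_LIMIT:
        raise RuntimeError(f"{challenge_type} is mapped to unprivileged port {port}")
    return identifier, port


def http01_url(identifier: str, token: str) -> str:
    """URL the CA fetches for http-01. The /.well-known path is the ACME
    http-01 convention; the port comes from the challenge type, not the client."""
    host, port = validation_target("http-01", identifier)
    return f"http://{host}:{port}/.well-known/acme-challenge/{token}"


def accepts(challenge_type: str, identifier: str) -> bool:
    """True when the CA would validate this (type, identifier) pair at all."""
    try:
        validation_target(challenge_type, identifier)
    except ValueError:
        return False
    return True
```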