IETF Logo Mail Archive

Re: [Acme] Issuing certificates based on Simple HTTP challenges

Noah Kantrowitz <noah@coderanger.net> Tue, 15 December 2015 17:25 UTC

Return-Path: <noah@coderanger.net>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F288C1A90F3 for <acme@ietfa.amsl.com>; Tue, 15 Dec 2015 09:25:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PxwrneITdPG6 for <acme@ietfa.amsl.com>; Tue, 15 Dec 2015 09:25:43 -0800 (PST)
Received: from mail.coderanger.net (coderanger.net [72.249.127.182]) by ietfa.amsl.com (Postfix) with ESMTP id 35B921A90E9 for <acme@ietf.org>; Tue, 15 Dec 2015 09:25:43 -0800 (PST)
Received: from [192.168.1.3] (173-228-34-171.dsl.dynamic.fusionbroadband.com [173.228.34.171]) by mail.coderanger.net (Postfix) with ESMTPSA id 33BE5A48006 for <acme@ietf.org>; Tue, 15 Dec 2015 12:25:42 -0500 (EST)
Content-Type: multipart/signed; boundary="Apple-Mail=_32585CF3-6E8A-41FC-A1F3-352F4F9D2E05"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
X-Pgp-Agent: GPGMail 2.6b2
From: Noah Kantrowitz <noah@coderanger.net>
In-Reply-To: <56702EFA.1050008@wyraz.de>
Date: Tue, 15 Dec 2015 09:25:28 -0800
Message-Id: <13B5E9A8-E9CE-4018-8A9D-7856CBF06B4F@coderanger.net>
References: <CAF+SmEpOLoaREymVhi=qOUg2opz1vKzzNp6tGrDTZAjYSKFDkg@mail.gmail.com> <566F15DC.7090607@wyraz.de> <6B677A87-C6A0-485E-80DF-24960D585F46@coderanger.net> <566F2CB5.90402@wyraz.de> <89774336-0BA6-48FC-821D-1E8F3ED9AC14@coderanger.net> <566F4701.7050308@wyraz.de> <F3DA31B1-B27C-4C63-8ED4-6D27D46FF282@coderanger.net> <C2C239F2-E8A7-499B-BE52-3A48EA92B86D@dropmann.org> <BF7F8411-3E83-4A1F-B3A1-4C37DC8B4618@coderanger.net> <3CDE1749-3143-49EE-BD66-0AE4A8CC4175@dropmann.org> <566FDAB7.2030403@cs.tcd.ie> <56700F68.3040103@wyraz.de> <56701904.2070009@cs.tcd.ie> <56702EFA.1050008@wyraz.de>
To: acme@ietf.org
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/Y5FOYG7sjSX0EX88eDGGUsP1FAs>
Subject: Re: [Acme] Issuing certificates based on Simple HTTP challenges
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Dec 2015 17:25:45 -0000

> On Dec 15, 2015, at 7:17 AM, Michael Wyraz <michael@wyraz.de> wrote:
> 
> Stephen,
>> Yes, I understand that and didn't actually refer to LE at all in my mail.
> I'm sorry if I missunderstood you with that.
> 
>> Basically, IMO only after we first get a "now" that works
> We have a working HTTP-01 spec, implementation and CA. What's missing
> for "a 'now' that works"?
> 
>> Personally the optional thing in which I'm much more interested is a
>> simple put-challenge-in-DNS one where the CA pays attention to DNSSEC,
>> since that's the use-case I have and that would provide some better
>> assurance to the certs acquired via acme. I can see that there might
>> also be value for some (other) folks in SRV if it means no need to
>> dynamically change DNS. But, if someone is saying "we must all do
>> these more complex things for security reasons" then they are, in this
>> context, wrong. And my mail was reacting to just such a statement.
> Why not just placing a static public key to DNS that is allowed to sign
> ACME requests for this domain? Simple, no need for dynamic updates (yes,
> it's standardized for years but AFAIK not seen very often in real world
> scenarios).

Anything that makes deployment _harder_ than the current LE client is a move in the wrong direction. UX matters, with security more than just about anything else. Unless you can propose a user flow to go with this change, no amount of hypothetical correctness is worth having a tool no one will use.

--Noah

v2.23.0 | Report a Bug | By Email