Re: [Acme] Want client-defined callback port

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 23 April 2015 17:21 UTC

Date: Thu, 23 Apr 2015 17:20:43 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: "acme@ietf.org" <acme@ietf.org>
Message-ID: <20150423172042.GA25758@mournblade.imrryr.org>
In-Reply-To: <CAMm+LwjdSzpg_kSwKgTiCkSpV7LXZk_J_UOg06FFp3mrK5OrCg@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/YEv8XA-lHTe5bHJFgAcZTus7lvs>
Subject: Re: [Acme] Want client-defined callback port

On Thu, Apr 23, 2015 at 01:01:53PM -0400, Phillip Hallam-Baker wrote:

> Another point to consider here is the framing of the problem. People
> are discussing this as validating a certificate request. I think that
> is the wrong way to look at it. What we are doing is to validate the
> holdership of a DNS name. Which is not the same thing. That may be a
> component of a certificate validation process but it is not
> necessarily one that would apply to every certificate issue.

Amen.

> But looking at where we are likely to go with ACME, I think we could
> make a good case for 443 validation only right now and punt on the
> question of seamless issue for protocols on ports other than 443 where
> there isn't a connection to the Web server.

Agreed, and as you note even 443 checks are really not the right
proof of "holdership".  So there'll be more work to do to flesh
out the whole architecture.

-- 
	Viktor.