Re: [Acme] Issuing certificates based on Simple HTTP challenges

Julian Dropmann <julian@dropmann.org> Mon, 14 December 2015 18:34 UTC

References: <CAF+SmEpOLoaREymVhi=qOUg2opz1vKzzNp6tGrDTZAjYSKFDkg@mail.gmail.com> <3071e2d95eaf49acac00e91d3626ccfa@usma1ex-dag1mb1.msg.corp.akamai.com> <CAF+SmEo_s8svTgwvBPqqHyhKFKCt5e-3kSpZK2dUAqapzzORiw@mail.gmail.com> <1277d750730445858ebcbc2932117318@usma1ex-dag1mb1.msg.corp.akamai.com> <CAF+SmEowPeYNZ0o=AYKMj1SBcgRQiK4WqcKApm=MyKfLHKQNiw@mail.gmail.com> <20151214174407.GA23284@LK-Perkele-V2.elisa-laajakaista.fi>
In-Reply-To: <20151214174407.GA23284@LK-Perkele-V2.elisa-laajakaista.fi>
Message-Id: <0D86D6E6-788F-4817-A708-E4BADC561C52@dropmann.org>
From: Julian Dropmann <julian@dropmann.org>
Date: Mon, 14 Dec 2015 19:34:16 +0100
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/ZVvY5P0h58qOVIqWsyPHCy1XPWg>
Cc: "Acme@ietf.org" <Acme@ietf.org>
Subject: Re: [Acme] Issuing certificates based on Simple HTTP challenges

> On 14 Dec 2015, at 18:44, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> 
>> On Mon, Dec 14, 2015 at 06:25:56PM +0100, Julian Dropmann wrote:
>> 
>> If there for example were a standard to make changes to your DNS
>> zone/nameserver, this would be a much better approach to verify domain
>> ownership automatically, so why not provide an automation for that first?
>> But of course I also see the practical approach here...
> 
> Like DNS UPDATE? Standardized in 1997...
> 
> IIRC, there have been patches to the reference ACME client (I don't
> think those have gotten merged) that implement the client side of
> DNS UPDATE.
> 
> It actually depends on the use case which of DNS or HTTP is more convenient.
> 
> 
> -Ilari

If this standard exists, why do we not solely rely on that instead of introducing weaker mechanisms?

You already answered it: Because it's more convenient.
You do not rely on name server providers to support that.

By providing those other methods, there is now even less incentive to implement/use it.

And by only having a single CA accepting the HTTP method, you already have no security benefit from using it anyway.
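For readers who have not seen the "client side of DNS UPDATE" that Ilari refers to, the following is an added example written for this archive page; it is not the reference ACME client, the patches Ilari mentions, or any project's code. It builds an RFC 2136 UPDATE message that replaces the _acme-challenge TXT record with the dns-01 value (base64url of the SHA-256 of the key authorization, as the ACME draft of the time and later RFC 8555 specify), signs it with an RFC 2845 TSIG record using hmac-sha256 (RFC 4635), and then checks the signature the way the receiving name server does. The zone, record name, key name, secret and token are constructed; nothing is sent. The part that carries the security is the TSIG key: a server that accepts an unsigned UPDATE, or a DNS provider that offers no UPDATE at all, is exactly the gap being discussed above.

```python
# Added example: client side of RFC 2136 DNS UPDATE for an ACME dns-01 record,
# with RFC 2845 TSIG (hmac-sha256) signing and verification. Stdlib only, built in
# memory, never sent. Zone, record name, key name and secret are constructed.
import base64
import hashlib
import hmac
import os
import struct
import time

TYPE_SOA, TYPE_TXT, TYPE_TSIG, CLASS_IN, CLASS_ANY, OPCODE_UPDATE = 6, 16, 250, 1, 255, 5
TSIG_ALG = "hmac-sha256."           # algorithm name from RFC 4635

def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels, then the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dns01_txt_value(token, jwk_thumbprint):
    """dns-01 TXT value: base64url(SHA-256(<token>.<base64url JWK thumbprint>))."""
    digest = hashlib.sha256(("%s.%s" % (token, jwk_thumbprint)).encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_update(zone, name, txt_value, ttl=60, msg_id=None):
    """UPDATE: zone section (SOA), then 'delete all TXT at name' and 'add TXT'."""
    msg_id = int.from_bytes(os.urandom(2), "big") if msg_id is None else msg_id
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 2, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    delete_rr = encode_name(name) + struct.pack("!HHIH", TYPE_TXT, CLASS_ANY, 0, 0)
    rdata = bytes([len(txt_value)]) + txt_value.encode("ascii")     # one <character-string>
    add_rr = encode_name(name) + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_section + delete_rr + add_rr

def _tsig_variables(key_name, alg, time_signed, fudge, error, other):
    """TSIG fields covered by the MAC (RFC 2845 section 3.4.2), names in canonical form."""
    return (encode_name(key_name.lower()) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(alg.lower()) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_sign(msg, key_name, secret, now=None, fudge=300):
    """Append a TSIG RR; MAC = HMAC(secret, unsigned message || TSIG variables)."""
    now = int(time.time()) if now is None else now
    covered = msg + _tsig_variables(key_name, TSIG_ALG, now, fudge, 0, b"")
    mac = hmac.new(secret, covered, hashlib.sha256).digest()
    rdata = (encode_name(TSIG_ALG) + now.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + msg[:2] + struct.pack("!HH", 0, 0))            # original ID, error, other len
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack_from("!H", msg, 10)[0] + 1               # TSIG is counted in ARCOUNT
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr

def _read_name(buf, off):
    labels = []
    while buf[off]:
        n = buf[off]
        if n & 0xC0:
            raise ValueError("compression pointers not handled (never emitted here)")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def parse_update(msg):
    """Walk an UPDATE message; each RR is (name, type, class, ttl, rdata, offset)."""
    _, flags, _, prcount, upcount, adcount = struct.unpack_from("!HHHHHH", msg, 0)
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        raise ValueError("not an UPDATE message")
    zone, off = _read_name(msg, 12)
    off += 4                                                         # ZTYPE + ZCLASS
    sections = {"zone": zone, "prereq": [], "update": [], "additional": []}
    for key, count in (("prereq", prcount), ("update", upcount), ("additional", adcount)):
        for _ in range(count):
            start = off
            name, off = _read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            sections[key].append((name, rtype, rclass, ttl, msg[off:off + rdlen], start))
            off += rdlen
    return sections

def tsig_verify(signed, secret, now=None):
    """What the name server does: strip the TSIG, restore the header, recompute the MAC."""
    extra = parse_update(signed)["additional"]
    if not extra or extra[-1][1] != TYPE_TSIG:
        return False                                                 # unsigned: reject
    key_name, _, _, _, rdata, start = extra[-1]
    alg, p = _read_name(rdata, 0)
    time_signed = int.from_bytes(rdata[p:p + 6], "big")
    fudge, mac_len = struct.unpack_from("!HH", rdata, p + 6)
    mac = rdata[p + 10:p + 10 + mac_len]
    q = p + 10 + mac_len
    orig_id, error, other_len = struct.unpack_from("!HHH", rdata, q)
    other = rdata[q + 6:q + 6 + other_len]
    arcount = struct.unpack_from("!H", signed, 10)[0] - 1
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", arcount) + signed[12:start]
    covered = unsigned + _tsig_variables(key_name, alg, time_signed, fudge, error, other)
    expected = hmac.new(secret, covered, hashlib.sha256).digest()
    now = int(time.time()) if now is None else now
    return hmac.compare_digest(mac, expected) and abs(now - time_signed) <= fudge
```

Usage: `signed = tsig_sign(build_update("example.org.", "_acme-challenge.example.org.", dns01_txt_value(token, thumbprint)), "acme-update-key.", secret)` produces the bytes a client would send over UDP or TCP to the zone's primary; `tsig_verify(signed, secret)` is the check the primary performs before touching the zone. The message deletes any stale TXT RRset first (class ANY, TTL 0, empty RDATA) so a previous challenge value cannot linger. Time-window checking via the fudge field is part of TSIG verification, not an optional extra, because a captured UPDATE could otherwise be replayed later.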