Re: [Acme] ACME draft is now in WGLC.

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 07 March 2017 03:15 UTC

Date: Tue, 07 Mar 2017 03:15:11 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: "acme@ietf.org" <acme@ietf.org>
Message-ID: <20170307031510.GN7733@mournblade.imrryr.org>
In-Reply-To: <8473d9ba84894d49b2f2232370d66b46@usma1ex-dag1mb3.msg.corp.akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/_BAIfXiGyv-ju0SceaeN-CreC5A>

On Tue, Feb 07, 2017 at 05:27:48PM +0000, Salz, Rich wrote:

> I put the time period as six weeks, which takes us to just around IETF-98...
> 
> PLEASE reply on list if you will review and/or are interested in working on interop. 

I see there's no reference to use of DNSSEC resolvers by CAs that
implement DNS challenges.  Just a suggestion to send probes from
multiple networks to avoid MiTM attacks, which seems rather weak
to me.  The MiTM might be collocated near the victim rather than
the CA.

There was some brief discussion of DNSSEC back in Oct/2015:

    https://www.ietf.org/mail-archive/web/acme/current/thrd3.html#00561

    https://www.ietf.org/mail-archive/web/acme/current/msg00561.html
    https://www.ietf.org/mail-archive/web/acme/current/msg00562.html
    https://www.ietf.org/mail-archive/web/acme/current/msg00563.html
    https://www.ietf.org/mail-archive/web/acme/current/msg00564.html
    https://www.ietf.org/mail-archive/web/acme/current/msg00565.html
    https://www.ietf.org/mail-archive/web/acme/current/msg00729.html

but no further action.  Is there a compelling reason to avoid
requiring acme CAs to spin up a validating resolver?  It does not
seem like a lot to ask.  If a domain is DNSSEC-signed then its ACME
challenge should IMHO be validated via DNSSEC.

-- 
	Viktor.
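The check the message above argues for, as an added illustration that is not part of this thread or of any ACME implementation: a CA-side DNS challenge lookup sent with the EDNS DO bit, and a policy that only trusts the answer for a signed zone when the validating resolver marked it Authenticated Data (AD). The query name `_acme-challenge.<domain>` is the standard ACME dns-01 label; `zone_is_signed` is assumed to come from a separate, validated DS lookup (hypothetical helper, not shown); the three sample replies are constructed headers, not captured traffic.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD bit from RFC 4035).
FLAG_QR = 0x8000      # this message is a response
FLAG_AD = 0x0020      # Authenticated Data: the resolver validated the answer
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3

def build_query(domain: str, qid: int = 0x1234) -> bytes:
    """TXT query for _acme-challenge.<domain> with EDNS0 and the DO bit set,
    so a validating resolver reports validation status (AD) and fails closed
    (SERVFAIL) on bogus data instead of returning a forged record."""
    labels = ("_acme-challenge." + domain).rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = qname + struct.pack(">HH", 16, 1)               # QTYPE=TXT, QCLASS=IN
    # OPT pseudo-RR: root name, type 41, UDP size 4096, ext-rcode 0,
    # version 0, DO flag (0x8000) in the TTL field, empty RDATA.
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def classify_response(raw: bytes, qid: int = 0x1234) -> str:
    """Classify a reply from a validating resolver as 'secure', 'insecure' or
    'bogus'. Only the 12-byte header is inspected; TXT record contents are
    compared against the expected challenge value elsewhere."""
    if len(raw) < 12:
        return "bogus"
    rid, flags = struct.unpack(">HH", raw[:4])
    if rid != qid or not flags & FLAG_QR:
        return "bogus"                       # not an answer to our query
    rcode = flags & RCODE_MASK
    if rcode not in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return "bogus"                       # SERVFAIL: validator refused unverifiable data
    return "secure" if flags & FLAG_AD else "insecure"

def accept_challenge_lookup(raw: bytes, zone_is_signed: bool) -> bool:
    """Policy argued in the thread: a DNSSEC-signed zone's challenge answer must
    carry AD; an unsigned zone can only yield an unvalidated ('insecure') answer.
    zone_is_signed is assumed to come from a validated DS lookup (hypothetical)."""
    status = classify_response(raw)
    if zone_is_signed:
        return status == "secure"
    return status != "bogus"

# Constructed sample replies (headers only): id 0x1234, flags QR|RD|RA plus the
# bit under test, QDCOUNT=1, ANCOUNT as noted.
SECURE_REPLY = struct.pack(">HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)    # AD set
INSECURE_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # no AD
BOGUS_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)     # SERVFAIL
```

With a non-validating resolver every answer looks "insecure", so this policy fails closed for signed zones unless the CA actually runs validation, which is the point of the message.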