Re: [Acme] Want client-defined callback port

Ted Hardie <ted.ietf@gmail.com> Wed, 22 April 2015 23:09 UTC

Return-Path: <ted.ietf@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 031301B3B43 for <acme@ietfa.amsl.com>; Wed, 22 Apr 2015 16:09:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DcP6BnL34U-5 for <acme@ietfa.amsl.com>; Wed, 22 Apr 2015 16:09:19 -0700 (PDT)
Received: from mail-wg0-x22f.google.com (mail-wg0-x22f.google.com [IPv6:2a00:1450:400c:c00::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A80A61B3B40 for <acme@ietf.org>; Wed, 22 Apr 2015 16:09:18 -0700 (PDT)
Received: by wgso17 with SMTP id o17so1170022wgs.1 for <acme@ietf.org>; Wed, 22 Apr 2015 16:09:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=9Wcr6PFFP9PoQVTT0ZkQTYzwy2AtAuIIycM8RASqzJw=; b=q4spVfbg2Skbn12aBdp0RR6oZAHHbdcObn+wAdX2IHYyytQ3RZFYG/ny0qs6TzTN9/ WxQ5rp5CsLRPSMQqbImu5pslNo/XqCH7gDnDjik/wGSElFOutrqKZXgnxGEfrq35P6f5 LaXR0PvXEDJ5hZRkGeLXrTDHr9lIuzCbtclq65GQBFfSeB0lLYVfVDkBJq5INboPe5gj 8/jTb0JSRXjSe5w7G7QobA8rcw/msFZqQ1Ob8CsdGxNDXvkDwrc2fnPtn0plrlbDqzgP +XyxA00XwkSkUIKo9rs94UhbMMo8nVT9mkMzsz3HqVgpPysPrrFcJqx75R/giLIT0gW+ DECg==
MIME-Version: 1.0
X-Received: by 10.194.85.116 with SMTP id g20mr6195787wjz.154.1429744157298; Wed, 22 Apr 2015 16:09:17 -0700 (PDT)
Received: by 10.194.233.233 with HTTP; Wed, 22 Apr 2015 16:09:17 -0700 (PDT)
In-Reply-To: <CAL02cgT_DPY-Bn9A=UtCx+g2FKHON-TXGCWfH-gL8rR4yEFHZg@mail.gmail.com>
References: <352DA5FE-AC6F-49A7-8F9F-70A74889204F@apple.com> <CAK3OfOjey4bk02qC_jj2c0AzZ54qnP=KAJnG=mXnO6A5gZ4m9g@mail.gmail.com> <CAL02cgQ94ijVrCM9SStcodRW+XSG2w5Zwu3+ny8HriDBnxjdtg@mail.gmail.com> <FF21526F-BA8D-4F54-AAE3-047632706668@apple.com> <CAL02cgSDk0TNYusEkXA3onmqF7=kaAWhHjpW8WjbiqxgQMdQwQ@mail.gmail.com> <555F6C74-2416-4893-BDEA-A3C2E55A6D57@apple.com> <16985cf1c8c444c48d328fa766ec5ff8@usma1ex-dag1mb2.msg.corp.akamai.com> <DE264105-7317-4343-BCEE-539A73D42544@apple.com> <CAL02cgTv5Zi4wP0gJPvcrty6N96pAaLRkCveyvMNfoyjQrrEyw@mail.gmail.com> <0609C348-A6D8-46D5-AF58-5BE69910D261@apple.com> <CAL02cgT_DPY-Bn9A=UtCx+g2FKHON-TXGCWfH-gL8rR4yEFHZg@mail.gmail.com>
Date: Wed, 22 Apr 2015 16:09:17 -0700
Message-ID: <CA+9kkMAqte7O0k0KVRLRaEOmJL-wK0ncoruv3yoqKBjZVnc99g@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Content-Type: multipart/alternative; boundary="047d7bfcfd509d94190514584004"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/_r6CM-7n_x9D3QtVJmCJk03nW7g>
Cc: "Salz, Rich" <rsalz@akamai.com>, "acme@ietf.org" <acme@ietf.org>, Bruce Gaya <gaya@apple.com>, Nico Williams <nico@cryptonector.com>
Subject: Re: [Acme] Want client-defined callback port
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Apr 2015 23:09:21 -0000

Forgive the top posting, but I want to be sure I understand something.  If
the client specifies a port that is below 1024 but canonically used for
something else, what is the specified behavior?  My reading of the thread
so far is that the server would expect to run ACME over it, even if it were
specified for, say, LDAP (389).

Is that what folks expect?

Ted

On Wed, Apr 22, 2015 at 3:24 PM, Richard Barnes <rlb@ipv.sx> wrote:

>
>
> On Wed, Apr 22, 2015 at 6:23 PM, Bruce Gaya <gaya@apple.com> wrote:
>
>>
>> On 22 Apr 2015, at 15:10, Richard Barnes <rlb@ipv.sx> wrote:
>>
>>
>>
>> On Tue, Apr 21, 2015 at 10:53 PM, Bruce Gaya <gaya@apple.com> wrote:
>>
>>>
>>> On 21 Apr 2015, at 18:23, Salz, Rich <rsalz@akamai.com> wrote:
>>>
>>>  I understand that you want it to “just work” (you said that a couple
>>> of times :), but other folks have raised security concerns – do you
>>> understand or agree with them?
>>>
>>>
>>> I agree that client access to ports below 1024 usually requires more
>>> privileges and that’s generally safer than allowing any client port.
>>>
>>
>> So would you be OK with the spec saying that the server MUST reject
>> client-specified ports that are greater than 1023?
>>
>>
>> Yes.
>>
>> Because the ACME client code will run as root any unused port will work
>> so I am happy with this restriction.  My intention is for the ACME client
>> to be as independent as possible from other running services.
>>
>>
>>
>>> One way forward is to say a client MAY specify a port, where the
>>> default is 443. An ACME server MAY reject requests for ports other than 443
>>> if it is in violation of the operating policy.
>>>
>>>
>>> That would work.
>>>
>>
>> Let's return to the question of protocol, however.  The CA needs to know
>> how to validate the challenge.  Are you envisioning that this would be an
>> extension to the simpleHttps challenge, so that the validation would still
>> be done using an HTTP request to a .well-known URI, just on a different
>> port?
>>
>>
>> Yes.  As a developer, it’s easier to have the ACME code be completely
>> separate rather than coordinate with another process.
>>
>
> OK.  That at least seems well-defined to me.  I could probably live with
> it if others are comfortable.
>
> --Richard
>
>
>
>>
>> Bruce
>>
>
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>
>
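The port rules proposed in this thread (default 443, server MUST reject client-specified ports above 1023, server MAY reject other ports under its operating policy) and the collision Ted asks about, expressed as a server-side check. This is an added example, not code from the thread or from any ACME implementation; the `/.well-known/acme-challenge/` path, the `https` scheme and the small table of system ports are assumptions made for illustration.

```python
# Added example: server-side policy check for a client-specified ACME
# callback port, following the rules discussed in the thread. Not code from
# the thread or from any ACME implementation.
from urllib.parse import urlunsplit

DEFAULT_PORT = 443          # default proposed in the thread
MAX_PRIVILEGED_PORT = 1023  # "server MUST reject client-specified ports > 1023"

# Constructed table of a few IANA system ports, used only to surface the case
# Ted raises: a low port that is canonically assigned to another protocol.
CANONICAL_SERVICES = {
    22: "ssh", 25: "smtp", 53: "domain", 80: "http",
    389: "ldap", 443: "https", 636: "ldaps",
}

# Assumed well-known path and scheme; the thread only says "an HTTP request
# to a .well-known URI" for a simpleHttps-style challenge.
WELL_KNOWN_PATH = "/.well-known/acme-challenge/"
SCHEME = "https"


def validate_callback_port(requested, allowed_ports=None):
    """Apply the thread's rules to a client-specified port.

    requested:     int from the client, or None meaning "use the default".
    allowed_ports: optional operating-policy allowlist (the server MAY reject
                   ports other than 443); None means no extra policy.
    Returns (accepted, port, reason). reason is "" on a clean acceptance, or a
    short note such as "collides with ldap" when the port is accepted but is
    canonically used by another service, which is worth logging for review.
    """
    port = DEFAULT_PORT if requested is None else requested
    if (not isinstance(port, int) or isinstance(port, bool)
            or not 1 <= port <= 65535):
        return (False, port, "not a valid TCP port")
    if port > MAX_PRIVILEGED_PORT:
        return (False, port, "unprivileged port rejected (MUST be <= 1023)")
    if allowed_ports is not None and port not in allowed_ports:
        return (False, port, "port not permitted by operating policy")
    # Accepted. Per the thread, the CA still runs the HTTP validation on this
    # port even when it is canonically assigned to something else.
    service = CANONICAL_SERVICES.get(port)
    if service is not None and port != DEFAULT_PORT:
        return (True, port, "collides with %s" % service)
    return (True, port, "")


def build_validation_url(domain, token, port):
    """URL the CA would fetch for the well-known challenge on the chosen port.
    The port is omitted from the authority only when it is the default."""
    netloc = domain if port == DEFAULT_PORT else "%s:%d" % (domain, port)
    return urlunsplit((SCHEME, netloc, WELL_KNOWN_PATH + token, "", ""))


if __name__ == "__main__":
    # Constructed sample requests, as a client might send them.
    for req in (None, 8443, 389, 0):
        print(req, validate_callback_port(req))
    print(build_validation_url("example.com", "token123", 389))
```

The allowlist parameter models the "operating policy" clause: a CA that only permits 443 passes `allowed_ports={443}` and every other request is refused before the collision check runs.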