Re: [Acme] kinds of proof

Viktor Dukhovni <ietf-dane@dukhovni.org> Sat, 29 November 2014 17:05 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EADFB1A1BDD for <acme@ietfa.amsl.com>; Sat, 29 Nov 2014 09:05:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L5EGU9gV7tof for <acme@ietfa.amsl.com>; Sat, 29 Nov 2014 09:05:41 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBE3D1A1BDC for <acme@ietf.org>; Sat, 29 Nov 2014 09:05:39 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 376E2282FD0; Sat, 29 Nov 2014 17:05:38 +0000 (UTC)
Date: Sat, 29 Nov 2014 17:05:38 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: acme@ietf.org
Message-ID: <20141129170537.GK285@mournblade.imrryr.org>
References: <CAL02cgTgpjQffow2XuaNuT7BtqYVttXdVUgyqBFbsAbN4g0VzQ@mail.gmail.com> <DEC7A8A8-563D-41B3-94AC-71DC7219D3F8@cisco.com> <m27fyg4yzg.wl%randy@psg.com> <547754C0.9050306@cs.tcd.ie> <20141127211348.GE25114@mournblade.imrryr.org> <54784C61.2080508@cs.tcd.ie> <20141128170917.GC285@mournblade.imrryr.org> <88B49E1D-1601-4B86-8D93-14CF71501DFC@vpnc.org> <20141128213724.GG285@mournblade.imrryr.org> <7261AA75-5912-4514-A393-94F602C941C2@vpnc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <7261AA75-5912-4514-A393-94F602C941C2@vpnc.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/a-agNgPhZSIefasMkbMei5FYwhM
Subject: Re: [Acme] kinds of proof
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: acme@ietf.org
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Nov 2014 17:05:46 -0000

On Fri, Nov 28, 2014 at 01:57:55PM -0800, Paul Hoffman wrote:

> > Because unfortunately, Web PKI certificates are host-wide, they don't
> > specify a port.  Anyone who can run some program on a machine can
> > bind to some random port and start a web service.  Possibly port-forwarded
> > somewhere else via SSH!
> > 
> > It is far from clear to me that every "shell" user of a machine
> > should be authorized to obtain certificates for the whole machine.
> 
> And it is clear to me that they should be, if we want to see more encryption
> of traffic. I have no problem with some CAs saying "we'll issue you a cert
> only if you control port X", but I absolutely want that to be a policy of
> the CA, not of the enrollment protocol.

Paul, do you have any examples of CAs that accept any port, or are
you in part making that up?  Comodo for example, requires control
of port 80:

    https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/791/16/

(See DCV method 3).

> > The protocol is just a syntax, and indeed I am asking a question about
> > appropriate CA policy.  Perhaps some guidance to CAs implementing
> > the protocol would not be amiss.
> 
> If you want to write such a thing as a separate document whose
> target audience is CAs, that's grand. It does not belong in the
> protocol.

I have no set views of whether such a thing should or not be written,
or, if yes, where.  I think some discussion of the topic is
reasonable, and perhaps you're trying to shut that down prematurely.
If the discussion yields some hints of some kind of consensus, then
we can worry about what to record and where.

-- 
	Viktor.