Re: [Acme] ACME or EST?

Eliot Lear <lear@cisco.com> Fri, 28 November 2014 16:05 UTC

Return-Path: <lear@cisco.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECC2E1A016F for <acme@ietfa.amsl.com>; Fri, 28 Nov 2014 08:05:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AVR0sr5F1e2L for <acme@ietfa.amsl.com>; Fri, 28 Nov 2014 08:05:38 -0800 (PST)
Received: from aer-iport-2.cisco.com (aer-iport-2.cisco.com [173.38.203.52]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E5BD1A0151 for <acme@ietf.org>; Fri, 28 Nov 2014 08:05:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1550; q=dns/txt; s=iport; t=1417190738; x=1418400338; h=message-id:date:from:mime-version:to:subject:references: in-reply-to; bh=g/Ik14vIRQ+9sXMcE0ZafHo/QdGg1mwj3phSKUtKtas=; b=ZKYGiwbYxpXwjt8I75Q0v7jnw6ak22SNJNOHZ2TFlPz75bOi2F20qCx6 YRIShlehQMDqx5GZW1cD6/G/awMgsb5B4ReFdhGMi8eCGnFtEtjqnq55h BN8qZm1hoEDu40/2Mj9B8MhFfEf0+nwwSPivSvlnxGuF32Pj+CDqGCPza A=;
X-Files: signature.asc : 486
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AqYEAL2ceFStJssW/2dsb2JhbABbzy2DEQKBJAEBAQEBfYQDAQEEI1URCxgJFgsCAgkDAgECAUUTCAEBiDy8VJVWAQEBBwIgkQIWgmKBVQEElQyBVYggiAyPEIN9PoJ6AQEB
X-IronPort-AV: E=Sophos;i="5.07,477,1413244800"; d="asc'?scan'208";a="252934775"
Received: from aer-iport-nat.cisco.com (HELO aer-core-2.cisco.com) ([173.38.203.22]) by aer-iport-2.cisco.com with ESMTP; 28 Nov 2014 16:05:35 +0000
Received: from [10.61.90.213] (ams3-vpn-dhcp6870.cisco.com [10.61.90.213]) by aer-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id sASG5ZFQ002192 for <acme@ietf.org>; Fri, 28 Nov 2014 16:05:35 GMT
Message-ID: <54789D4F.5060406@cisco.com>
Date: Fri, 28 Nov 2014 17:05:35 +0100
From: Eliot Lear <lear@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: acme@ietf.org
References: <AD5940AA-6F01-4D0E-A4E0-19AEA56BBED3@vpnc.org> <CAL02cgTgpjQffow2XuaNuT7BtqYVttXdVUgyqBFbsAbN4g0VzQ@mail.gmail.com> <DEC7A8A8-563D-41B3-94AC-71DC7219D3F8@cisco.com> <m27fyg4yzg.wl%randy@psg.com> <547754C0.9050306@cs.tcd.ie> <20141127211348.GE25114@mournblade.imrryr.org>
In-Reply-To: <20141127211348.GE25114@mournblade.imrryr.org>
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="CdINSPk8TNN39MMdfIhmTjrQLgsSnlcaA"
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/a8PT4HYgzPuYCGE9EDTGf-mrBKg
Subject: Re: [Acme] ACME or EST?
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Nov 2014 16:05:43 -0000

Viktor,

On 11/27/14, 10:13 PM, Viktor Dukhovni wrote:
>
> A certification authority that always accepts the weakest form of
> evidence even for domains that should be able to present stronger
> evidence would be unfortunate by bringing everyone's security down
> to the lowest common denominator.

What you've written above is quite consistent with the notion of
opportunistic security ;-)  At the same time, I'm not sure what it means
in practice.  Does it mean, for instance, that DV is not to be allowed? 
Is a single system required, or is there some sort of classification
approach?

Eliot