Re: [Acme] acme in a firewalled environment

Eliot Lear <lear@cisco.com> Tue, 02 December 2014 19:23 UTC

Message-ID: <547E11A2.1010209@cisco.com>
Date: Tue, 02 Dec 2014 20:23:14 +0100
From: Eliot Lear <lear@cisco.com>
To: Richard Barnes <rlb@ipv.sx>, Ben Schumacher <bschumac@cisco.com>
References: <547DFC4B.9040408@cisco.com> <547DFE94.6090307@cisco.com> <CAL02cgSsLk-xjnL1bC_FbeRykMzAU8a9h-JTqUu58_ZpipCuHQ@mail.gmail.com>
In-Reply-To: <CAL02cgSsLk-xjnL1bC_FbeRykMzAU8a9h-JTqUu58_ZpipCuHQ@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/auxoMGiC81nuEaUO6gBgCh7gyhg
Cc: "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] acme in a firewalled environment
List-Id: Automated Certificate Management Environment <acme.ietf.org>

On 12/2/14, 7:07 PM, Richard Barnes wrote:
> Presumably, your web server (or whatever server you're going to use
> this cert for) is going to need to accept incoming connections.

Sure.  I think the only additional protocol aspect here is discovery.
For the enterprise that case is easy (I think), which is to use an
optional SRV record.  From the service aspect, I do have another
question, which is whether name constraints can be used in combination
with an intermediate CA to avoid having to diddle browser cert caches.
ACME already supports them, so that's not a protocol thing.

Eliot
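The name-constraints question above is a path-validation question: if an enterprise runs its own intermediate CA under an already-trusted root, a critical Name Constraints extension (RFC 5280 section 4.2.1.10) on that intermediate limits which DNS names it can certify, so a client that enforces the extension will reject any certificate the intermediate issues outside the permitted zone. The following Go program is an added illustration and is not part of the original message or of any ACME implementation; it builds a constructed three-tier chain in memory (the zone name `example.internal`, the CA names and the serial numbers are placeholders), issues one leaf inside the permitted suffix and one outside it, and runs the standard library's verifier over both, which is what a TLS client does at connection time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain holds the constructed demo PKI: a self-signed root, a
// name-constrained intermediate, and the pools a verifier needs.
type Chain struct {
	Root         *x509.Certificate
	Intermediate *x509.Certificate
	interKey     *ecdsa.PrivateKey
	roots        *x509.CertPool
	inters       *x509.CertPool
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustSign(tpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildChain creates a root and an intermediate whose issuing authority is
// restricted to permittedSuffix by a critical Name Constraints extension.
// All names and serials are placeholders constructed for the example.
func BuildChain(permittedSuffix string) *Chain {
	now := time.Now()
	rootKey := newKey()
	rootTpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := mustSign(rootTpl, rootTpl, &rootKey.PublicKey, rootKey)

	interKey := newKey()
	interTpl := &x509.Certificate{
		SerialNumber:                big.NewInt(2),
		Subject:                     pkix.Name{CommonName: "Demo Constrained Intermediate CA"},
		NotBefore:                   now.Add(-time.Hour),
		NotAfter:                    now.Add(24 * time.Hour),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		PermittedDNSDomainsCritical: true, // marked critical so non-aware validators must reject the chain
		PermittedDNSDomains:         []string{permittedSuffix},
	}
	inter := mustSign(interTpl, root, &interKey.PublicKey, rootKey)

	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	return &Chain{Root: root, Intermediate: inter, interKey: interKey, roots: roots, inters: inters}
}

// IssueLeaf signs a server certificate for dnsName with the intermediate's key.
// The intermediate will happily sign any name; it is the verifier that refuses it.
func (c *Chain) IssueLeaf(dnsName string) *x509.Certificate {
	leafKey := newKey()
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustSign(tpl, c.Intermediate, &leafKey.PublicKey, c.interKey)
}

// VerifyLeaf runs RFC 5280 path validation as a TLS client would, including
// name-constraint enforcement. It returns nil when the chain is acceptable.
func (c *Chain) VerifyLeaf(leaf *x509.Certificate, dnsName string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       dnsName,
		Roots:         c.roots,
		Intermediates: c.inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsNameConstraintViolation reports whether the verifier rejected the leaf
// because its issuer is not authorized for that name.
func IsNameConstraintViolation(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.CANotAuthorizedForThisName
}

func main() {
	ch := BuildChain("example.internal")
	fmt.Println("in-zone leaf :", ch.VerifyLeaf(ch.IssueLeaf("www.example.internal"), "www.example.internal"))
	fmt.Println("off-zone leaf:", ch.VerifyLeaf(ch.IssueLeaf("www.example.com"), "www.example.com"))
}
```

The in-zone leaf validates and the off-zone leaf is rejected with `CANotAuthorizedForThisName`, which is the property that makes a constrained intermediate safer to hand out than an unconstrained one: a key compromise or mis-issuance at the intermediate cannot produce certificates that validate for names outside the enterprise's own zone. Whether a given browser or TLS stack enforces the extension is a property of that client's validator, so the clients actually in use need to be checked before relying on it.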