IETF Logo Mail Archive

Re: [Acme] Issue: Allow ports other than 443

Yoav Nir <ynir.ietf@gmail.com> Thu, 26 November 2015 11:50 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B50DB1A1A24 for <acme@ietfa.amsl.com>; Thu, 26 Nov 2015 03:50:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jHCzjzbwNjSg for <acme@ietfa.amsl.com>; Thu, 26 Nov 2015 03:50:33 -0800 (PST)
Received: from mail-wm0-x229.google.com (mail-wm0-x229.google.com [IPv6:2a00:1450:400c:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E4751A0430 for <acme@ietf.org>; Thu, 26 Nov 2015 03:50:33 -0800 (PST)
Received: by wmww144 with SMTP id w144so19273036wmw.0 for <acme@ietf.org>; Thu, 26 Nov 2015 03:50:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=DtGDrDeusNFJghmLExnEaZtg5yc7KQ54tgqIVktgXHI=; b=Dc4pIJEjhQ0BBcuMQvJzZx6HY3LMIMmlje3SZz61m6EiObUl5HmSSFvUZMtJZBBus5 Wdn5TcnU+W72NLFDzCuJZsqOFq/xohnmIPsvB7SYTCw7KTfgPFqPie6jozokOPI0aXxF tOaMBcZ+1jzbE39yn40+8RtRrV31OnYguL2AqKOLV20ZH0yyoO6I+TnXVPu7dZli8DSK CgrYftVvqDSVJP3Hk0LJJoNhS3tYOJEob12aVv4uDe0JRiiuvgbOxyHTU5L63+AP3YJN zxBUv9zHpQa5q1fCmXyxxBwarpBVqY2ZZpzuklXeTbqUPdetCUsBFFCDA3iIGxhcDBwF ldnw==
X-Received: by 10.28.19.84 with SMTP id 81mr3427910wmt.26.1448538632129; Thu, 26 Nov 2015 03:50:32 -0800 (PST)
Received: from [172.24.251.173] (dyn32-131.checkpoint.com. [194.29.32.131]) by smtp.gmail.com with ESMTPSA id h189sm2378818wme.1.2015.11.26.03.50.30 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 26 Nov 2015 03:50:31 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.1 \(3096.5\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <5656F075.1070704@comodo.com>
Date: Thu, 26 Nov 2015 13:50:28 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <4BD49C12-4C5C-47D0-AA7A-68A402A0EA0F@gmail.com>
References: <5e9b22a3942d4a39981878b13e4a7752@usma1ex-dag1mb1.msg.corp.akamai.com> <0630035C-E4F6-41AA-A339-7101B448F0FA@vigilsec.com> <CABkgnnUxSwMmOR=QVE-gMvj9dHW6Tk2Z=EO7RDx6E5zVAp_SrQ@mail.gmail.com> <20151124033325.GH18430@eff.org> <56545B4C.3020406@cisco.com> <CAMm+Lwg-MktfPZ0TkRgKsTan2dzDSHuaRsrCcfF-Y-HY6aTKmw@mail.gmail.com> <5656C49E.6070701@cisco.com> <5656E66B.3000803@cs.tcd.ie> <9DCF723A-8CE9-4732-9DEA-ED7EEBA362A9@gmail.com> <5656EEFA.6000109@cs.tcd.ie> <5656F075.1070704@comodo.com>
To: Rob Stradling <rob.stradling@comodo.com>
X-Mailer: Apple Mail (2.3096.5)
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/bQiHarpuaQOKJHNbuLuDmvFfdQw>
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, Eliot Lear <lear@cisco.com>, IETF ACME <acme@ietf.org>, Russ Housley <housley@vigilsec.com>, Peter Eckersley <pde@eff.org>, Martin Thomson <martin.thomson@gmail.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [Acme] Issue: Allow ports other than 443
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Nov 2015 11:50:36 -0000

> On 26 Nov 2015, at 1:43 PM, Rob Stradling <rob.stradling@comodo.com> wrote:
> 
> On 26/11/15 11:37, Stephen Farrell wrote:
> <snip>
>> True. A port-specific cert would only work with updated browsers
>> which I guess is a fairly fatal objection to the idea. Ah well.
> 
> Is it worth considering requiring proof of control of (some particular combination of) _multiple_ ports rather than just a single port?  Would that strengthen the validation in any meaningful way?

Not really. I have user access (with shell) to the a bunch of Linux servers where I work. I can run programs and open any high port I want, but I can’t open ports below 1024. 

Running some script to run a web server on a bunch of high ports is trivial in a case like that. Of course “proper” environments won’t let anyone other than an administrator get shell access to a computer running a public-facing web server, but we can’t rely on all environments being properly run.

Yoav

v2.23.0 | Report a Bug | By Email