Re: [Acme] Fixing the TLS-SNI challenge type

Tim Hollebeek <tim.hollebeek@digicert.com> Fri, 19 January 2018 17:24 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>, Richard Barnes <rlb@ipv.sx>
CC: Jonathan Rudenberg <jonathan@titanous.com>, Patrick Figel <patrick@figel.email>, IETF ACME <acme@ietf.org>, Daniel McCarney <cpu@letsencrypt.org>, Roland Bracewell Shoemaker <roland@letsencrypt.org>
Date: Fri, 19 Jan 2018 17:24:01 +0000
Message-ID: <DM5PR14MB12897EDDBC38AB0AC2C95D2883EF0@DM5PR14MB1289.namprd14.prod.outlook.com>
References: <FC8545A9-4D43-4BCC-ADB1-40A0F92461E8@titanous.com> <F2551BE5-0866-4F03-972E-E223E8D60001@letsencrypt.org> <a506c023-ff44-7f14-71b1-94e4e810cd12@letsencrypt.org> <0603b570-f790-88a7-5514-b324eff4f087@figel.email> <CAKnbcLj=eYhm8qRj0B0U5FOu=UMn0wY+5apkJ-aHhhfh+mS-uw@mail.gmail.com> <CAKnbcLj+UaUbu=EDbPU8UWwm9hUefXBKmtS=ZwSy7_2zCA=pmg@mail.gmail.com> <20180119153832.GA28022@LK-Perkele-VII> <CAL02cgRmAb7G-8EkK9UBZs36FMRMyfU1v0JVwVRXjXBO0TR8Hg@mail.gmail.com> <20180119160153.GA28756@LK-Perkele-VII>
In-Reply-To: <20180119160153.GA28756@LK-Perkele-VII>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/dfRtYB8CCnJMumuZBe6m7ZXRQs4>

> > I'm less worried about this constraint.  If there's consensus for a
> > change, changes can be made to the BRs much more quickly than an RFC can
> > be issued.
> 
> Oh yeah, the minimum process latency for changing BRs is ~7 weeks.
> 
> However, that would take a well-fleshed-out proposal to do it even close to
> that quickly. Take note that "10 methods" took years.

Years is a bit of an exaggeration.  One and change, I think it was.  And
that was to get agreement on all ten methods and to work out exactly how
the forum's IPR policy applied to validation methods (which was about 2/3
of the timeline ...).

I think a well-written proposal to add or improve an existing validation
method could easily get passed in close to the minimum timeline.

As the Validation WG chair, I'm even willing to help get secure, 
well-analyzed and well-specified proposals through the voting process.

-Tim