Re: [Acme] Want client-defined callback port

Phillip Hallam-Baker <> Thu, 23 April 2015 01:51 UTC

Date: Wed, 22 Apr 2015 21:51:12 -0400
From: Phillip Hallam-Baker <>
To: Martin Thomson <>
Cc: Ted Hardie <>, Richard Barnes <>, "Salz, Rich" <>, "" <>, Bruce Gaya <>, Nico Williams <>
List-Id: Automated Certificate Management Environment <>

I think this discussion is getting way too deep into the weeds of
policy. That isn't a concern IETF has generally taken a definitive
stand on. If it had there would not have been the need to set up
CABForum outside IETF.

As I see it the specification should allow:

* A mechanism for the client to indicate the proof(s) of DNS control
it can provide.

* A mechanism for the service to indicate the proof(s) of DNS control
it will accept.

Who offers and who chooses is something the protocol can make a
decision on, but it is probably best if a 'no' from the service is
accompanied by a list of what is acceptable.

It is useful for IETF to provide security considerations on particular
proofs but IETF cannot and should not choose. That is ultimately up to
the people who write the path validation code and the data it consumes
(including root lists). They bear the liability, unless they can
figure out how to hand the hot potato to someone else.

Another reason to not make the choice in IETF is that this is not a
once-and-for-all decision. It is a decision that should be under
constant review.
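The two mechanisms the message asks for (client states the proofs it can give, service states what it will accept, and a 'no' carries the acceptable list) form a small negotiation. The following is an added illustration written for this page; it is not code from the message's author and not ACME's actual message format. The proof names (dns-txt, http-file, email-whois, tls-sni), the message shapes and the policy revision field are all assumptions made for the example.

```python
"""Illustrative negotiation of which proof of DNS control to use.

Hypothetical message shapes (assumption, NOT ACME's wire format):
  client -> service: a list of proof names it offers
  service -> client: {"status": "accepted", "proof": ..., "policy_revision": n}
                  or {"status": "rejected", "acceptable": [...], "policy_revision": n}
Proof names such as "dns-txt" or "http-file" are made up for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ServicePolicy:
    """Proofs the service will accept, most preferred first.

    A revision number is carried because the set of acceptable proofs is
    meant to be under constant review; a decision recorded with the revision
    that produced it can be re-evaluated when the policy changes.
    """
    acceptable: tuple
    revision: int


def service_decide(offered, policy):
    """Service side: pick the service's most preferred proof that the client offered.

    Unknown or malformed entries are ignored rather than trusted, and a 'no'
    is always accompanied by the list of what is acceptable so the client
    can retry with something it supports instead of guessing.
    """
    offered = [p.strip().lower() for p in offered if isinstance(p, str)]
    for proof in policy.acceptable:
        if proof in offered:
            return {"status": "accepted", "proof": proof,
                    "policy_revision": policy.revision}
    return {"status": "rejected", "acceptable": list(policy.acceptable),
            "policy_revision": policy.revision}


def client_negotiate(preferred, fallback, policy):
    """Client side: offer its preferred proofs first; on a 'no', use the
    service's acceptable list to choose a fallback it can also perform.

    Returns (chosen_proof_or_None, transcript); the transcript lists each
    (client_offer, service_response) pair so both sides of the exchange
    are visible. The negotiation ends cleanly when no overlap exists.
    """
    transcript = []
    response = service_decide(preferred, policy)
    transcript.append((list(preferred), response))
    if response["status"] == "accepted":
        return response["proof"], transcript
    # Only retry with proofs that are both acceptable to the service and
    # actually implementable by this client.
    retry = [p for p in response["acceptable"] if p in fallback]
    if not retry:
        return None, transcript
    response = service_decide(retry, policy)
    transcript.append((retry, response))
    chosen = response["proof"] if response["status"] == "accepted" else None
    return chosen, transcript


def demo():
    """Constructed scenario: the client prefers a proof the service does not
    accept, and the rejection's acceptable list lets it fall back to dns-txt."""
    policy = ServicePolicy(acceptable=("dns-txt", "http-file"), revision=3)
    return client_negotiate(preferred=["email-whois"], fallback=["dns-txt"],
                            policy=policy)


if __name__ == "__main__":
    chosen, transcript = demo()
    for offer, response in transcript:
        print("client offered:", offer)
        print("service replied:", response)
    print("chosen proof:", chosen)
```

The service, not the client, applies the preference order when both offer more than one proof, which keeps the choice with the party that bears the liability for validation, while the rejection message still tells the client exactly what would have been accepted.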