Re: [Acme] Want client-defined callback port

Phillip Hallam-Baker <phill@hallambaker.com> Thu, 23 April 2015 15:29 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 090F61AC436 for <acme@ietfa.amsl.com>; Thu, 23 Apr 2015 08:29:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CZMw-k1ewm11 for <acme@ietfa.amsl.com>; Thu, 23 Apr 2015 08:29:11 -0700 (PDT)
Received: from mail-la0-x229.google.com (mail-la0-x229.google.com [IPv6:2a00:1450:4010:c03::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C27311AC3E7 for <acme@ietf.org>; Thu, 23 Apr 2015 08:28:49 -0700 (PDT)
Received: by lagv1 with SMTP id v1so15339240lag.3 for <acme@ietf.org>; Thu, 23 Apr 2015 08:28:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=NYmtB6X35wiZrQ2o+nw7RkKiGqJr32g6bffE/z4qE2g=; b=FRL6Dc3ZAi6MJ6E9+9rJzEE+DhmjXC/wXb46AXlpDg0sF5Zz14tKSzi9dzMRdiU0jN hR/oHkk8tfbc5oM6q0wlQ6BGQd07G24eaKU4BDliPGgHbYMVC39OiBvmtQvts2gQ8baX o/pDMi043GrX0kBez4cR/kgbXp/AH7gBT6Y3wgH0YJ8vfD2pGIrfweuErdaAT5BJTgdW APNO7A/BnhEZpGb6DRNotxNpwVkiCy5oL9LNZPT/wBM9swl4rHKs4/pfFjcoVzLqX3Sq sSzCmGZfvH3fIov4FHyvDDCcx9AOUjTe8KhaV3h3qiIHrR6tprT1lgxcu3lrBpNAziTL Co+A==
MIME-Version: 1.0
X-Received: by 10.152.45.97 with SMTP id l1mr2976144lam.55.1429802928189; Thu, 23 Apr 2015 08:28:48 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.112.203.163 with HTTP; Thu, 23 Apr 2015 08:28:48 -0700 (PDT)
In-Reply-To: <CAL02cgTeztSb2B2pfweQfUL8Ty0XfiBLbtCLTrHwLNZ2LTQPVQ@mail.gmail.com>
References: <352DA5FE-AC6F-49A7-8F9F-70A74889204F@apple.com> <CAK3OfOjey4bk02qC_jj2c0AzZ54qnP=KAJnG=mXnO6A5gZ4m9g@mail.gmail.com> <CAL02cgQ94ijVrCM9SStcodRW+XSG2w5Zwu3+ny8HriDBnxjdtg@mail.gmail.com> <FF21526F-BA8D-4F54-AAE3-047632706668@apple.com> <CAL02cgSDk0TNYusEkXA3onmqF7=kaAWhHjpW8WjbiqxgQMdQwQ@mail.gmail.com> <555F6C74-2416-4893-BDEA-A3C2E55A6D57@apple.com> <16985cf1c8c444c48d328fa766ec5ff8@usma1ex-dag1mb2.msg.corp.akamai.com> <DE264105-7317-4343-BCEE-539A73D42544@apple.com> <CAL02cgTv5Zi4wP0gJPvcrty6N96pAaLRkCveyvMNfoyjQrrEyw@mail.gmail.com> <0609C348-A6D8-46D5-AF58-5BE69910D261@apple.com> <CAL02cgT_DPY-Bn9A=UtCx+g2FKHON-TXGCWfH-gL8rR4yEFHZg@mail.gmail.com> <CA+9kkMAqte7O0k0KVRLRaEOmJL-wK0ncoruv3yoqKBjZVnc99g@mail.gmail.com> <CABkgnnVP4as97fXe7XTFpC=rw6ETdXY5s=1cRj1Xan1sgDsx3A@mail.gmail.com> <CAMm+Lwg5GiknSceb1Ocs=VxA1cZpmcrmZbPeXpgfAHbOC3CUcw@mail.gmail.com> <CAL02cgReRXAu4QjvsDYYkJN-WKS2bZeWNtZK-AoVndTncMQvag@mail.gmail.com> <CAMm+Lwi97VeE7j72oCXTeqEJWSQ=RTM3VH6hZ_GapbtZ9bmfwQ@mail.gmail.com> <CAL02cgTeztSb2B2pfweQfUL8Ty0XfiBLbtCLTrHwLNZ2LTQPVQ@mail.gmail.com>
Date: Thu, 23 Apr 2015 11:28:48 -0400
X-Google-Sender-Auth: Jyh1lbyfsj6esFLncDQyMPsccsU
Message-ID: <CAMm+LwiR2tZVvWYOfKOMKybNNi9f52A_W4QGH6Bxx_haivFz3g@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Richard Barnes <rlb@ipv.sx>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/fGKuEJK5kAsg4mCNjtKqhXVJlBY>
Cc: Ted Hardie <ted.ietf@gmail.com>, "Salz, Rich" <rsalz@akamai.com>, "acme@ietf.org" <acme@ietf.org>, Bruce Gaya <gaya@apple.com>, Nico Williams <nico@cryptonector.com>, Martin Thomson <martin.thomson@gmail.com>
Subject: Re: [Acme] Want client-defined callback port
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Apr 2015 15:29:12 -0000

On Thu, Apr 23, 2015 at 10:16 AM, Richard Barnes <rlb@ipv.sx>; wrote:

> We can design mechanisms here that we believe have a sufficient level of
> security.  CABF and the individual CAs are free to opine on whether those
> mechanisms are suitable for a given context.
>
> In other words, it is my earnest hope that the validation methods listed in
> Section 11.1.1 of the BRs [1] will not be designed by the CABF, but selected
> from a list that IETF defines.  CABF is not an engineering organization,
> after all.

I think we can decide on a mechanism. But getting into long arguments
as to whether ports other then 443 should be accepted or if so which
ones seems to be unnecessary.

IETF should deliver

* A mechanism with sufficient agility and flexibility
* Security considerations explaining the consequences of a CA
permitting various approaches

Then let the decision of which ports are to be allowed and when to CABForum.

This is exactly what happens with crypto algorithms. IETF has
described dozens of algorithms and curves for ECC, CABForum has chosen
RSA plus three of the NIST curves.


What I am saying is let CABForum select the color to paint the bike
shed but point out where the choice has consequences.