Re: [Acme] Warren Kumari's Discuss on draft-ietf-acme-ip-07: (with DISCUSS and COMMENT)

Jacob Hoffman-Andrews <jsha@eff.org> Tue, 01 October 2019 21:20 UTC

To: Warren Kumari <warren@kumari.net>, Roland Shoemaker <roland@letsencrypt.org>
Cc: draft-ietf-acme-ip@ietf.org, Tim Chown <tim.chown@jisc.ac.uk>, acme@ietf.org, Daniel McCarney <cpu@letsencrypt.org>, Joel Jaeggli <joelja@bogus.com>, The IESG <iesg@ietf.org>, acme-chairs@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/fN6251-UQZKDvYIJVVIrfG_1wII>

It's important to note that automated validation of IP addresses for 
certificates is already a part of the Web PKI, but is not standardized. 
This protocol will standardize it, which I believe will make overall
validation of IP addresses more secure, within the threat model that 
Roland described.

We could attempt to ban automated validation of IP address certificates, 
or ban IP address certificates entirely, but that wanders into the realm 
of policy rather than standards, and would be better suited to browser 
root programs IMO.

Overall, given the tradeoffs, I think it is better to have a 
standardized method of IP address validation than to have none.