Re: [Acme] DNS challenge spec doesn't support CNAME model
Thomas Lußnig <lussnig@suche.org> Thu, 17 December 2015 15:56 UTC
To: acme@ietf.org, eric@konklone.com
References: <CANBOYLWRn_k1LoMx3pgQx=0spM8VQMXen8DuOx44ksBtWjdHUA@mail.gmail.com>
From: Thomas Lußnig <lussnig@suche.org>
Message-ID: <5672DB38.3030900@suche.org>
Date: Thu, 17 Dec 2015 16:56:40 +0100
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/fcJoHrc_G3xsZAIGPqbOmYC4eo8>
Subject: Re: [Acme] DNS challenge spec doesn't support CNAME model
Hi,

even better it would be if it does not introduce a new record. The challenge could be that the user signs a random token + a random value from him with a private key.

So the CA sends (token, challenges[...]) and the user replies (userToken, SIGNED(token,userToken), publicKey, "tlsa-311").

This has two advantages over the current model:

1) There is no dynamic update required.
2) The CA can directly verify the challenge since the user can pre-publish the TLSA record.
3) It is no more insecure than any other dns-01, tls-sni-01 or http-01, since if he has control over the DNS he can select the IP.
4) It should be compatible with CNAME.

Regards
Thomas
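An added example, written for this archive page and not taken from Thomas's message or from any ACME implementation, that plays out the exchange above in Go with both sides' messages: the CA issues a token, the user answers with (userToken, SIGNED(token,userToken), publicKey, "tlsa-311"), and the CA verifies the signature over its own token and then resolves the name, following CNAMEs as a resolver would, to the pre-published TLSA 3 1 1 record and checks that it binds the presented key. Everything beyond the message's sketch is an assumption: Ed25519 keys, a length-prefixed encoding of the signed pair, a `"tlsa-311"` method string, and an in-memory `Zone` map with constructed names that stands in for a DNSSEC-validated DNS lookup.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// TLSARecord with usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256) is a "3 1 1" record.
type TLSARecord struct{ Usage, Selector, MatchingType uint8; AssocData []byte }

// ChallengeResponse mirrors (userToken, SIGNED(token,userToken), publicKey, "tlsa-311").
type ChallengeResponse struct {
	UserToken, Signature []byte
	PublicKey            ed25519.PublicKey
	Method               string
}

// Zone is a constructed in-memory stand-in for DNS; a real CA would issue a DNSSEC-validated query.
type Zone map[string]struct{ CNAME string; TLSA *TLSARecord }

// SignedMessage length-prefixes both tokens so the signed bytes cannot be re-split (encoding assumed here).
func SignedMessage(token, userToken []byte) []byte {
	msg := append([]byte{byte(len(token) >> 8), byte(len(token))}, token...)
	msg = append(msg, byte(len(userToken)>>8), byte(len(userToken)))
	return append(msg, userToken...)
}

// TLSA311 derives the record the user must pre-publish for pub.
func TLSA311(pub ed25519.PublicKey) (TLSARecord, error) {
	spki, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return TLSARecord{}, err
	}
	sum := sha256.Sum256(spki)
	return TLSARecord{Usage: 3, Selector: 1, MatchingType: 1, AssocData: sum[:]}, nil
}

// UserRespond is the user's side: pick a fresh userToken and sign (token, userToken).
func UserRespond(priv ed25519.PrivateKey, token []byte) (ChallengeResponse, error) {
	userToken := make([]byte, 32)
	if _, err := rand.Read(userToken); err != nil {
		return ChallengeResponse{}, err
	}
	return ChallengeResponse{
		UserToken: userToken,
		Signature: ed25519.Sign(priv, SignedMessage(token, userToken)),
		PublicKey: priv.Public().(ed25519.PublicKey),
		Method:    "tlsa-311",
	}, nil
}

// LookupTLSA follows a CNAME chain, as a resolver would; this is what makes CNAME-delegated names work.
func LookupTLSA(zone Zone, name string) (TLSARecord, error) {
	for hop := 0; hop < 8; hop++ { // bound the chain so a looping zone cannot hang the CA
		rr, ok := zone[name]
		switch {
		case !ok:
			return TLSARecord{}, fmt.Errorf("no records at %s", name)
		case rr.TLSA != nil:
			return *rr.TLSA, nil
		case rr.CNAME == "":
			return TLSARecord{}, fmt.Errorf("neither TLSA nor CNAME at %s", name)
		}
		name = rr.CNAME
	}
	return TLSARecord{}, fmt.Errorf("CNAME chain too long")
}

// CAVerify is the CA's side: verify the signature over its own token, then check that the
// presented key is exactly the one the pre-published 3 1 1 record binds.
func CAVerify(zone Zone, name string, token []byte, resp ChallengeResponse) error {
	if resp.Method != "tlsa-311" {
		return fmt.Errorf("unsupported challenge method %q", resp.Method)
	}
	if len(resp.PublicKey) != ed25519.PublicKeySize { // ed25519.Verify panics on bad sizes
		return fmt.Errorf("malformed public key")
	}
	if !ed25519.Verify(resp.PublicKey, SignedMessage(token, resp.UserToken), resp.Signature) {
		return fmt.Errorf("signature over (token, userToken) does not verify")
	}
	published, err := LookupTLSA(zone, name)
	if err != nil {
		return err
	}
	want, _ := TLSA311(resp.PublicKey) // cannot fail for a well-formed Ed25519 key
	if published.Usage != 3 || published.Selector != 1 || published.MatchingType != 1 ||
		!bytes.Equal(published.AssocData, want.AssocData) {
		return fmt.Errorf("published TLSA record does not bind the presented key")
	}
	return nil
}
```

The CA's own token is what stops a captured response from being replayed against a later challenge, and the TLSA comparison is what ties the signing key to the name; the point of the message's item 3 is that this binding is only as strong as the DNS answer, so a real CA would have to DNSSEC-validate the lookup (which this in-memory `Zone` skips) exactly as it would for dns-01.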