Re: [Acme] Server on >= 1024 port

Vincent Lynch <vtlynch@gmail.com> Fri, 04 December 2015 07:10 UTC

In-Reply-To: <CANBOYLUJ1df5_yx10u2e8jeGehbineuXvaoosKGq3aPku+79qQ@mail.gmail.com>
References: <565589E4.2030107@desy.de> <565EBF56.3070502@desy.de> <D836A378-DA88-4AAF-B1E4-F34A80319DC1@gmail.com> <e9092589f3204a449af8b6f900be1303@usma1ex-dag1mb1.msg.corp.akamai.com> <CAL02cgQPZrx5d1xO-xKEQrV+pZKLkhYW_XDSm=QM8THs__s5qQ@mail.gmail.com> <m3si3kih5s.fsf@carbon.jhcloos.org> <CAL02cgTSXqK7sR_Lrfu94PTkqPZf1+ZOkBHrSgWCP05OwehVbQ@mail.gmail.com> <CANBOYLUJ1df5_yx10u2e8jeGehbineuXvaoosKGq3aPku+79qQ@mail.gmail.com>
Date: Fri, 04 Dec 2015 02:10:44 -0500
Message-ID: <CAM_pNrfnyTuD-d4cqZSqcqXqTT7kH=ZrwM_W92J-U5q9vnLxzA@mail.gmail.com>
From: Vincent Lynch <vtlynch@gmail.com>
To: Eric Mill <eric@konklone.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/g35BrYU00ip1iuMxIho6kbCR5CA>
Cc: Richard Barnes <rlb@ipv.sx>, "Salz, Rich" <rsalz@akamai.com>, "acme@ietf.org" <acme@ietf.org>, Yoav Nir <ynir.ietf@gmail.com>, Paul Millar <paul.millar@desy.de>, James Cloos <cloos@jhcloos.com>
Subject: Re: [Acme] Server on >= 1024 port

Just to elaborate on what Eric Mill said:

Comodo allows validation of DV certs via the following methods:

1. Email based challenge
2. File based challenge: Upload a provided file with unique content to the
server. The file can be provided over HTTP or HTTPS.
3. DNS challenge: validation by adding a specified value via a CNAME record.

These challenges are evaluated automatically, and the values generated are
based on hashes of the CSR.

RapidSSL, GeoTrust, and Thawte (all Symantec CAs) have similar mechanisms.
If anyone would like to test these methods, I can assist with providing
certificates and a medium through which these challenges are available.


On Wednesday, December 2, 2015, Eric Mill <eric@konklone.com> wrote:

>
> On Wed, Dec 2, 2015 at 6:12 PM, Richard Barnes <rlb@ipv.sx> wrote:
>
>> On Wed, Dec 2, 2015 at 6:07 PM, James Cloos <cloos@jhcloos.com> wrote:
>> >>>>>> "RB" == Richard Barnes <rlb@ipv.sx> writes:
>> >
>> > RB> If you look at what CAs do today, that basically means the port is
>> > RB> 80/443.  More generally, it means that the port needs to be specified
>> > RB> by the challenge mechanism and not by the client.
>> >
>> > What CAs do any kind of challenge over anything other than smtp?
>>
>> Let's Encrypt and WoSign spring immediately to mind.  They both do
>> web-based validation.
>>
>> SSLMate also supports HTTP-based validation, and their certs are
>> issued by real CAs.
>>
>
> SSLMate also supports DNS-based validation (and since SSLMate is a
> downstream provider of multiple upstream CAs, such as Comodo, each upstream
> CA necessarily supports the same validation mechanism).
>
> -- Eric
>
>
>> So it's out there.
>>
>> --Richard
>>
>>
>> > Tcp port numbers have no significance to "control of a domain".
>> >
>> > Or "control of a hostname", since the certs are issued for hostnames and
>> > not for domain names.
>> >
>> > -JimC
>> > --
>> > James Cloos <cloos@jhcloos.com>         OpenPGP: 0x997A9F17ED7DAEA6
>>
>> _______________________________________________
>> Acme mailing list
>> Acme@ietf.org
>> https://www.ietf.org/mailman/listinfo/acme
>>
>
>
>
> --
> konklone.com | @konklone <https://twitter.com/konklone>
>


-- 
Vincent Lynch
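As an added illustration (this is example code, not anything from the thread, Comodo, Symantec or any CA), the following toy models the file-based and DNS (CNAME) challenges listed above, with every challenge value derived from a hash of the CSR, and it builds the fetch URL with the port fixed by the challenge mechanism rather than chosen by the client, which is the point Richard Barnes makes in the quoted reply. The path `/.well-known/pki-validation/`, the file name, the `_<hex>` CNAME owner label, the `validation.ca.example` target suffix and the SHA-256 derivation are assumptions chosen for illustration, not any CA's real scheme; the CSR bytes and the HTTP/DNS responses are constructed stand-ins so the example runs offline.

```python
# Added example (not code from the thread, Comodo, or Symantec): a toy model of
# file- and DNS-based DV challenges whose values are derived from a hash of the
# CSR. Path, file name, record name, target suffix and the SHA-256 derivation
# are ASSUMPTIONS for illustration, not any CA's real scheme.
import hashlib
from typing import Dict, Optional

# Assumed, illustrative layout for the file challenge.
WELL_KNOWN_PATH = "/.well-known/pki-validation/"
# The challenge mechanism fixes the port (80 for plain HTTP); the applicant
# does not get to pick it.
CHALLENGE_PORT = 80

# Constructed stand-in for a DER-encoded CSR (a real one is ASN.1; only the
# bytes matter for hashing here).
SAMPLE_CSR_DER = b"constructed-stand-in-for-DER-encoded-CSR-bytes"


def challenge_values(csr_der: bytes) -> Dict[str, str]:
    """Derive all challenge values from the SHA-256 of the CSR (assumed derivation)."""
    digest = hashlib.sha256(csr_der).hexdigest()
    return {
        "filename": digest[:32] + ".txt",        # file the applicant uploads
        "content": digest,                       # expected file body
        "cname_owner": "_" + digest[:32],        # label prepended to the hostname
        "cname_target": digest[32:] + ".validation.ca.example",  # assumed CA suffix
    }


def file_challenge_url(hostname: str, csr_der: bytes,
                       requested_port: Optional[int] = None) -> str:
    """Build the URL the CA would fetch. A client-chosen port is rejected."""
    if requested_port is not None and requested_port != CHALLENGE_PORT:
        raise ValueError(
            f"port is fixed by the challenge ({CHALLENGE_PORT}), got {requested_port}")
    name = challenge_values(csr_der)["filename"]
    return f"http://{hostname.lower()}:{CHALLENGE_PORT}{WELL_KNOWN_PATH}{name}"


def verify_file_challenge(csr_der: bytes, fetched_body: str) -> bool:
    """Check the body served at the challenge URL (surrounding whitespace tolerated)."""
    return fetched_body.strip() == challenge_values(csr_der)["content"]


def verify_dns_challenge(csr_der: bytes, hostname: str,
                         cname_records: Dict[str, str]) -> bool:
    """Check a CNAME answer. cname_records maps owner name -> target and
    stands in for a resolver's reply (constructed input in this example)."""
    v = challenge_values(csr_der)
    owner = f"{v['cname_owner']}.{hostname}".lower().rstrip(".")
    target = cname_records.get(owner)
    return target is not None and target.lower().rstrip(".") == v["cname_target"]


def run_demo() -> Dict[str, bool]:
    """Exercise both challenges against constructed good and bad responses."""
    host = "www.example.com"
    v = challenge_values(SAMPLE_CSR_DER)
    good_body = v["content"] + "\n"                       # what a correct applicant serves
    good_dns = {f"{v['cname_owner']}.{host}": v["cname_target"] + "."}
    bad_dns = {f"{v['cname_owner']}.{host}": "somewhere-else.example."}
    try:
        file_challenge_url(host, SAMPLE_CSR_DER, requested_port=8443)
        port_rejected = False
    except ValueError:
        port_rejected = True
    return {
        "file_ok": verify_file_challenge(SAMPLE_CSR_DER, good_body),
        "file_wrong_rejected": not verify_file_challenge(SAMPLE_CSR_DER, "not the digest"),
        "dns_ok": verify_dns_challenge(SAMPLE_CSR_DER, host, good_dns),
        "dns_wrong_rejected": not verify_dns_challenge(SAMPLE_CSR_DER, host, bad_dns),
        "client_port_rejected": port_rejected,
    }


if __name__ == "__main__":
    print(file_challenge_url("www.example.com", SAMPLE_CSR_DER))
    print(run_demo())
```

The one design point worth noting: `file_challenge_url` takes the port from the challenge definition and raises on anything else, so an applicant who only controls a service on a high port cannot redirect validation there; that is the property the thread is arguing the ACME challenge should have, and the DNS variant sidesteps the question of ports entirely.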