Re: [Acme] kinds of proof

Randy Bush <randy@psg.com> Tue, 02 December 2014 20:43 UTC

Date: Wed, 03 Dec 2014 05:43:30 +0900
Message-ID: <m2y4qpeqa5.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: acme <acme@ietf.org>
In-Reply-To: <B303B16C-C282-4C15-99D1-BC59B9FC3989@vpnc.org>
References: <20141127211348.GE25114@mournblade.imrryr.org> <54784C61.2080508@cs.tcd.ie> <20141128170917.GC285@mournblade.imrryr.org> <88B49E1D-1601-4B86-8D93-14CF71501DFC@vpnc.org> <20141128213724.GG285@mournblade.imrryr.org> <7261AA75-5912-4514-A393-94F602C941C2@vpnc.org> <20141129170537.GK285@mournblade.imrryr.org> <m2tx1ehq63.wl%randy@psg.com> <CAK6vND83ehPaMtKm0i9nX2H+8k-xo_ztuh+fbnETn7HaoZqr3Q@mail.gmail.com> <DM2PR0301MB0655E1CABDDFF7E3198CA2BFA87A0@DM2PR0301MB0655.namprd03.prod.outlook.com> <20141202025438.GH285@mournblade.imrryr.org> <CAK6vND9GYED3T=2V1fL1M8eCwGz23PCAFOcaZAbxjTG5xtY2Tw@mail.gmail.com> <B303B16C-C282-4C15-99D1-BC59B9FC3989@vpnc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/h1Z8WGp2r7crVmkJ_cyLB6VDopQ

[ statement of obvious ]

if the goal is merely to enable OE, then self-signed will do.

[ personally, i trust a self-signed cert about as much as one descending
from one of the 300+ cas who paid to be installed in the browser. ]

"oh, but we want the browser (or mail client or ...) indicator to turn
green."  well then, we need to agree on what that green indicator means
(swamp 1), and then how to 'prove' that the certificate requestor meets
those criteria (swamp 2), and how that proof continues in time.

i am not seeing simple clear guidance through either swamp.

randy