Re: [Acme] Issuing certificates based on Simple HTTP challenges

"Salz, Rich" <rsalz@akamai.com> Mon, 14 December 2015 17:05 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B97B31ACD9A for <acme@ietfa.amsl.com>; Mon, 14 Dec 2015 09:05:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.711
X-Spam-Level:
X-Spam-Status: No, score=-2.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0YRhHpcO_9yB for <acme@ietfa.amsl.com>; Mon, 14 Dec 2015 09:05:11 -0800 (PST)
Received: from prod-mail-xrelay08.akamai.com (prod-mail-xrelay08.akamai.com [96.6.114.112]) by ietfa.amsl.com (Postfix) with ESMTP id 426191ACD7A for <Acme@ietf.org>; Mon, 14 Dec 2015 09:05:11 -0800 (PST)
Received: from prod-mail-xrelay08.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id A9288200016; Mon, 14 Dec 2015 17:05:10 +0000 (GMT)
Received: from prod-mail-relay08.akamai.com (prod-mail-relay08.akamai.com [172.27.22.71]) by prod-mail-xrelay08.akamai.com (Postfix) with ESMTP id 93506200012; Mon, 14 Dec 2015 17:05:10 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1450112710; bh=XksQjpk8LZPNTUv2TINRkg/G9ssquow5QQ8k4EDOB78=; l=1942; h=From:To:CC:Date:References:In-Reply-To:From; b=C1FJLjulSYRjS3slI+8AzqvVz9odGqV+c8uh3DibBGlis2GDG2gSacrxv/52tuQ6P sAOOGHWCxs+vJUhw45ko5/FsaOivOlBA0eBtol2+hv27uGFyv6fZCOvYu73gJlmc3n oQs9UpKqe7+PrnRbwSKQS/qwod0czzOnulyVvPnk=
Received: from email.msg.corp.akamai.com (usma1ex-cas2.msg.corp.akamai.com [172.27.123.31]) by prod-mail-relay08.akamai.com (Postfix) with ESMTP id 77D2E98082; Mon, 14 Dec 2015 17:05:10 +0000 (GMT)
Received: from USMA1EX-EXJRNL1.msg.corp.akamai.com (172.27.123.99) by usma1ex-dag1mb4.msg.corp.akamai.com (172.27.123.104) with Microsoft SMTP Server (TLS) id 15.0.1076.9; Mon, 14 Dec 2015 12:05:10 -0500
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by USMA1EX-EXJRNL1.msg.corp.akamai.com (172.27.123.99) with Microsoft SMTP Server (TLS) id 15.0.1076.9; Mon, 14 Dec 2015 09:05:09 -0800
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1076.000; Mon, 14 Dec 2015 12:05:09 -0500
From: "Salz, Rich" <rsalz@akamai.com>
To: Julian Dropmann <julian@dropmann.org>
Thread-Topic: [Acme] Issuing certificates based on Simple HTTP challenges
Thread-Index: AQHRNoxeRsO2GSKRUUipnCeiiPw0U57KrmDQgABYNID//66C8A==
Date: Mon, 14 Dec 2015 17:05:09 +0000
Message-ID: <1277d750730445858ebcbc2932117318@usma1ex-dag1mb1.msg.corp.akamai.com>
References: <CAF+SmEpOLoaREymVhi=qOUg2opz1vKzzNp6tGrDTZAjYSKFDkg@mail.gmail.com> <3071e2d95eaf49acac00e91d3626ccfa@usma1ex-dag1mb1.msg.corp.akamai.com> <CAF+SmEo_s8svTgwvBPqqHyhKFKCt5e-3kSpZK2dUAqapzzORiw@mail.gmail.com>
In-Reply-To: <CAF+SmEo_s8svTgwvBPqqHyhKFKCt5e-3kSpZK2dUAqapzzORiw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.44.40]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/hgTSTLTr7RdQLGNmuN7rsjsHSZ0>
Cc: "Acme@ietf.org" <Acme@ietf.org>
Subject: Re: [Acme] Issuing certificates based on Simple HTTP challenges
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Dec 2015 17:05:14 -0000

> >This effectively means, as a domain zone admin, I have to trust every single service I define, not just to properly deliver this service, but also not to exploit his ability to obtain signed certificates in my name.

> And you are perfectly aware, that this was not the case before ACME-enabled CAs existed, and now applies to every single domain admin on this planet, right?

This absolutely was the case.  Other CA's have had http/https-based service.  Many do email-based confirmation, which requires that nobody run a "rogue" email server, for example.  Others have just replied with similar cases.

The DNS owner must trust or ensure that the hosts he/she is putting into the DNS data are behaving properly, for *their own definition of properly.*  This was always the case.  Likewise, the host owner must trust or ensure that all services on the host are similarly well-behaved, for their own definition of behavior.  This was always the case.

> If it was not for security, then why not allow other ports, so you can verify the ownership while for example an application server is bound to that port? The A record does not specify the port anyway.

As you say, the record does not specify the port.  The certificate is *for the host* So in essence, your last sentence answers your own question.

But alternative ports as being discussed on the mailing list here.  Have you been following it?