Re: [Acme] Why "HTTP verification"

Peter Bowen <pzbowen@gmail.com> Tue, 02 December 2014 21:41 UTC

In-Reply-To: <20141202194441.GA285@mournblade.imrryr.org>
References: <B80ACB30-1A35-440E-B250-AB8C80D1FAF1@vpnc.org> <CAK6vND-001PK0gP_3Txoge2hvYiKPuA+trd9zj7PzaooOOMH3A@mail.gmail.com> <20141202194441.GA285@mournblade.imrryr.org>
Date: Tue, 02 Dec 2014 13:41:41 -0800
Message-ID: <CAK6vND9GcnQ1UbrLd6osj4vQ-GDr5Gwwh-Cx97nSHw-z3i5Vkw@mail.gmail.com>
From: Peter Bowen <pzbowen@gmail.com>
To: acme@ietf.org
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/i3tZGenwBUEpkHzCsWkdhpHEd9o

On Tue, Dec 2, 2014 at 11:44 AM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
> On Tue, Dec 02, 2014 at 11:15:40AM -0800, Peter Bowen wrote:
>
>> The primary case where I see a problem is when the site already has a
>> trusted certificate and wants to use ACME to get a new certificate.
>> They are unlikely to want to replace their working certificate with a
>> self-signed certificate.  So the proof would need to happen at the
>> HTTP layer, not the TLS layer.
>
> They can request a certificate for the same private key.  The
> "self-signed" thing is not precise.  The real requirement would be
> *some* certificate with the same key, not necessarily self-signed.
> So issued by another CA should be fine.

I would hope that many sites would have a policy of rotating their
private key, as a reasonable number of clients still use the same key
for identification and key exchange.  I'm not sure what the protocol
should look like for proving possession of the old and new keys at the
same time, but it would be good to support this case.

Thanks,
Peter
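One possible shape for the case Peter raises, proving possession of the old key (the one behind the currently trusted certificate) and the new key in the same exchange, as an added example that is not part of this thread and is not ACME's own challenge format. It assumes a hypothetical nonce challenge, ECDSA keys, a placeholder name (example.com) and invented function names (NewChallenge, Respond, Verify); the "existing" certificate is generated self-signed purely so the example runs offline, and the verifier never checks its chain:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Challenge is the CA's fresh nonce. Hypothetical message shape, not ACME's.
type Challenge struct{ Nonce []byte }

// Response is the site's answer: a CSR for the new key plus signatures over
// (tag || nonce || CSR) by the old key and by the new key.
type Response struct {
	CSR    []byte // DER PKCS#10 request, self-signed by the new key
	OldSig []byte // ASN.1 ECDSA signature by the existing certificate's key
	NewSig []byte // ASN.1 ECDSA signature by the new key
}

// NewChallenge draws a 256-bit nonce so a response cannot be replayed.
func NewChallenge() (*Challenge, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Challenge{Nonce: nonce}, nil
}

// challengeDigest binds the nonce to this specific CSR and adds a
// domain-separation tag so the signatures are useless for anything else.
func challengeDigest(nonce, csr []byte) []byte {
	h := sha256.New()
	h.Write([]byte("dual-key-possession\x00"))
	h.Write(nonce)
	h.Write(csr)
	return h.Sum(nil)
}

// Respond is the site's side: build a CSR for newKey, then sign the bound
// digest with both private keys.
func Respond(ch *Challenge, oldKey, newKey *ecdsa.PrivateKey, dnsName string) (*Response, error) {
	tmpl := x509.CertificateRequest{Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName}}
	csr, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, newKey)
	if err != nil {
		return nil, err
	}
	digest := challengeDigest(ch.Nonce, csr)
	oldSig, err := ecdsa.SignASN1(rand.Reader, oldKey, digest)
	if err != nil {
		return nil, err
	}
	newSig, err := ecdsa.SignASN1(rand.Reader, newKey, digest)
	if err != nil {
		return nil, err
	}
	return &Response{CSR: csr, OldSig: oldSig, NewSig: newSig}, nil
}

// Verify is the CA's side. existing is the certificate already trusted for
// dnsName; the response must prove control of its key AND of the CSR key,
// and the two keys must differ so the exchange is a real rotation.
func Verify(ch *Challenge, resp *Response, existing *x509.Certificate, dnsName string) error {
	if err := existing.VerifyHostname(dnsName); err != nil {
		return fmt.Errorf("existing certificate does not cover %q: %w", dnsName, err)
	}
	csr, err := x509.ParseCertificateRequest(resp.CSR)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil { // CSR self-signature: new key is held
		return fmt.Errorf("CSR signature: %w", err)
	}
	if len(csr.DNSNames) != 1 || csr.DNSNames[0] != dnsName {
		return errors.New("CSR names do not match the name being proven")
	}
	oldPub, ok1 := existing.PublicKey.(*ecdsa.PublicKey)
	newPub, ok2 := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok1 || !ok2 {
		return errors.New("example only handles ECDSA keys")
	}
	if newPub.Equal(oldPub) {
		return errors.New("new key must differ from the existing key")
	}
	digest := challengeDigest(ch.Nonce, resp.CSR)
	if !ecdsa.VerifyASN1(oldPub, digest, resp.OldSig) {
		return errors.New("signature by the existing certificate's key is invalid")
	}
	if !ecdsa.VerifyASN1(newPub, digest, resp.NewSig) {
		return errors.New("signature by the new key is invalid")
	}
	return nil
}

// SelfSignedCert stands in for the site's currently trusted certificate
// (self-signed only so the example runs offline; Verify ignores the chain).
func SelfSignedCert(key *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	oldKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	newKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cert, _ := SelfSignedCert(oldKey, "example.com")
	ch, _ := NewChallenge()
	resp, _ := Respond(ch, oldKey, newKey, "example.com")
	fmt.Println("rotation proof:", Verify(ch, resp, cert, "example.com")) // nil on success
}
```

The point of binding the nonce to the CSR bytes is that neither signature can be lifted from one request and attached to another CSR; the equality check is what turns "prove you hold some key" into "prove you hold the old key and a different new one", which is the rotation case the message asks for.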