Re: [Acme] Issuing certificates based on Simple HTTP challenges

Phillip Hallam-Baker <phill@hallambaker.com> Tue, 15 December 2015 14:55 UTC

In-Reply-To: <f9f3ca6a1de94175b2e8e90004513eeb@usma1ex-dag1mb1.msg.corp.akamai.com>
References: <CAF+SmEpOLoaREymVhi=qOUg2opz1vKzzNp6tGrDTZAjYSKFDkg@mail.gmail.com> <566F15DC.7090607@wyraz.de> <6B677A87-C6A0-485E-80DF-24960D585F46@coderanger.net> <566F2CB5.90402@wyraz.de> <89774336-0BA6-48FC-821D-1E8F3ED9AC14@coderanger.net> <566F4701.7050308@wyraz.de> <F3DA31B1-B27C-4C63-8ED4-6D27D46FF282@coderanger.net> <C2C239F2-E8A7-499B-BE52-3A48EA92B86D@dropmann.org> <BF7F8411-3E83-4A1F-B3A1-4C37DC8B4618@coderanger.net> <3CDE1749-3143-49EE-BD66-0AE4A8CC4175@dropmann.org> <566FDAB7.2030403@cs.tcd.ie> <56700F68.3040103@wyraz.de> <437a94d0be804643b6324ea91186a31d@usma1ex-dag1mb1.msg.corp.akamai.com> <567025B5.5030501@zash.se> <f9f3ca6a1de94175b2e8e90004513eeb@usma1ex-dag1mb1.msg.corp.akamai.com>
Date: Tue, 15 Dec 2015 09:55:14 -0500
Message-ID: <CAMm+LwgjH5OnZXArhLsqawB5uu=3TTtcQFZZcwc4L5beC6j6Kg@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: "Salz, Rich" <rsalz@akamai.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/i4G5eW-sWwFy01NzflKIE3X3bAI>
Cc: Kim Alvefur <zash@zash.se>, "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] Issuing certificates based on Simple HTTP challenges

On Tue, Dec 15, 2015 at 9:39 AM, Salz, Rich <rsalz@akamai.com> wrote:

>
> > There's SRVName from https://tools.ietf.org/html/rfc4985 which in theory
> > already can be applied to https already.  SRVNames are used in the XMPP
> > world a lot, maybe other places as well.
>
> But you can't put a SRVName in a certificate SAN field, can you?
Actually you can. The SRV label is simply a DNS name. That is arguably the
only way that you can legitimately create service specific certs in the
WebPKI.

Port specific certificates are an abomination that must not happen. Well
Known Ports are not a viable discovery technique for modern services and
the idea that they can provide domain separation is utter nonsense. SRV
prefixed domain names do actually provide the necessary separation.

The only objection people would make to SRV is that they would have to
rewrite their application to use SRV for discovery. But I don't see that as
a legitimate concern when the alternative would be having to re-engineer
PKIX and the WebPKI which simply isn't going to happen.

Port numbers are a transport layer attribute and the WebPKI is an
application layer concern.
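As an added example that is not part of the thread or any project's code: the Python below DER-encodes an RFC 4985 SRVName as a SAN otherName (id-on-dnsSRV, "_Service.Name") and then matches constructed SAN entries against a service at a host, showing the per-service separation Phillip describes versus a bare dNSName that, when a verifier falls back to it, is accepted for every service on the host. The service/host values and the two SAN lists are constructed samples.

```python
from typing import List, Tuple

ID_ON_DNSSRV = "1.3.6.1.5.5.7.8.7"  # id-on-dnsSRV, RFC 4985 section 2


def _der_len(n: int) -> bytes:
    """DER length octets; short and one-byte long forms cover SAN-sized names."""
    return bytes([n]) if n < 128 else bytes([0x81, n])


def _der_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER from dotted notation."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:  # base-128 with continuation bits
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        body += bytes(chunk)
    return b"\x06" + _der_len(len(body)) + body


def srvname_general_name(service: str, host: str) -> bytes:
    """GeneralName otherName carrying SRVName "_Service.Name" (RFC 4985)."""
    srv = f"_{service}.{host}".encode("ascii")
    ia5 = b"\x16" + _der_len(len(srv)) + srv            # IA5String
    value = b"\xa0" + _der_len(len(ia5)) + ia5           # value [0] EXPLICIT
    inner = _der_oid(ID_ON_DNSSRV) + value               # OtherName SEQUENCE body
    return b"\xa0" + _der_len(len(inner)) + inner        # otherName [0] IMPLICIT


def san_matches(san: List[Tuple[str, str]], service: str, host: str,
                allow_dns_fallback: bool = False) -> bool:
    """Decide whether a SAN list covers `service` at `host`.

    An SRVName binds the certificate to one service; a bare dNSName, when the
    verifier falls back to it, is accepted for every service on that host.
    """
    want_srv = f"_{service}.{host}".lower()
    for kind, value in san:
        v = value.lower()
        if kind == "SRVName" and v == want_srv:
            return True
        if allow_dns_fallback and kind == "dNSName" and v == host.lower():
            return True
    return False


# Constructed sample SAN lists (not from any real certificate).
XMPP_ONLY_SAN = [("SRVName", "_xmpp-client.example.com")]
DNS_ONLY_SAN = [("dNSName", "example.com")]
```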