Re: [Acme] Looking for comments on https://github.com/ietf-wg-acme/acme/issues/215

Philipp Junghannß <teamhydro55555@gmail.com> Sat, 03 December 2016 21:48 UTC

From: Philipp Junghannß <teamhydro55555@gmail.com>
Date: Sat, 03 Dec 2016 22:47:21 +0100
Message-ID: <CACHSkNoZLu+hS3jviw-7tvuFGoZWSbBtjg2NBu6UA9_z8xvxeQ@mail.gmail.com>
To: Patrick Figel <patrick@figel.email>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/iZMS0izBxUKF77cCWuXkIqzOsCk>
Cc: "Salz, Rich" <rsalz@akamai.com>, IETF ACME <acme@ietf.org>

Well, I think it's a bad idea. As I commented in the issue directly,
TLS-SNI-01 fell straight on its face because of the way servers may handle
hosts without a setting.

2016-12-03 13:35 GMT+01:00 Patrick Figel <patrick@figel.email>:

> I wrote together some thoughts on this proposal here[1]. In short, I think
> it's vulnerable to the default vhost attack that caused simpleHTTP to be
> dropped, and it's not compatible with the "Agreed-Upon Change to Website"
> method described in the BRs, which would prevent adoption by any
> publicly-trusted CA.
>
> The proposed workaround for this issue[2] would make this a variant of
> tls-sni, AIUI, which already has these pseudo-hostnames, so I think we're
> down to "allow other ports" here, and I believe there's consensus against
> this.
>
> Patrick
>
> [1]: https://mailarchive.ietf.org/arch/msg/acme/QiXu84RJtURfGVVEYfSpRdtcU5o
> [2]: https://mailarchive.ietf.org/arch/msg/acme/NFKJ5sqBePGlJglKRwodc5m4ZEo
>
> On Sat, Dec 3, 2016 at 3:18 AM, Salz, Rich <rsalz@akamai.com> wrote:
> > With the couple of recent pull requests, the document editors are about
> > to close all but one issue, #215.
> >
> > Does the WG have any feelings on this?  Is it something we need to
> > address NOW, or can we add a new type of challenge later on if there’s
> > interest?
> >
> > Please reply on-list by early next week.
> >
> > --
> > Senior Architect, Akamai Technologies
> > Member, OpenSSL Dev Team
> > IM: richsalz@jabber.at Twitter: RichSalz