Re: [Acme] Alternative proposal for fixing TLS-SNI / revisiting HTTPS-01 authorization

"Gerd v. Egidy" <gerd.von.egidy@intra2net.com> Fri, 12 January 2018 16:33 UTC

From: "Gerd v. Egidy" <gerd.von.egidy@intra2net.com>
To: "Matthew D. Hardeman" <mhardeman@ipifony.com>
Cc: acme@ietf.org
Date: Fri, 12 Jan 2018 17:33:43 +0100
Message-ID: <2324058.FQg2fvf6N7@thunder.m.i2n>
Organization: Intra2net AG
In-Reply-To: <6BFE35AF-898A-4C0E-9780-C9178FF1D381@ipifony.com>
References: <1812883.r3FRolLa0t@thunder.m.i2n> <6BFE35AF-898A-4C0E-9780-C9178FF1D381@ipifony.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/jzL_Ub-d_DF-I-opUNTJaDNPqEc>

> I did want to say that if an acceptable mechanism is found in this manner,
> it does help with some but not all in-band TLS validation mechanisms.  It
> works for web server cases.  It does not fully replace the mechanisms of
> the TLS-SNI sort because it would not work for other protocols running over
> TLS (like SMTP/TLS).  The TLS-SNI mechanisms do facilitate that.

Really? Isn't TLS-SNI-01/-02 just allowed over TCP port 443?

"This connection MUST be sent to TCP port 443 on the TLS server"