Re: [Acme] kinds of proof
Eric Mill <eric@konklone.com> Sun, 30 November 2014 06:30 UTC
In-Reply-To: <2B947AA7-1F40-4935-B003-F86A4FF4BB3A@vpnc.org>
References: <m27fyg4yzg.wl%randy@psg.com> <547754C0.9050306@cs.tcd.ie> <20141127211348.GE25114@mournblade.imrryr.org> <54784C61.2080508@cs.tcd.ie> <20141128170917.GC285@mournblade.imrryr.org> <88B49E1D-1601-4B86-8D93-14CF71501DFC@vpnc.org> <20141128213724.GG285@mournblade.imrryr.org> <7261AA75-5912-4514-A393-94F602C941C2@vpnc.org> <20141129170537.GK285@mournblade.imrryr.org> <046F438F-6230-4A3A-8A5C-708BA91E002B@vpnc.org> <20141129221139.GL285@mournblade.imrryr.org> <2B947AA7-1F40-4935-B003-F86A4FF4BB3A@vpnc.org>
From: Eric Mill <eric@konklone.com>
Date: Sun, 30 Nov 2014 01:30:09 -0500
Message-ID: <CANBOYLWBrDg_u+mc7-_Kx_q1s99aP0p2Bj7TYf=vROo+DPQp5Q@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/n5bFaTjO6yTi85vGgeWB9wmblgo
Cc: acme@ietf.org

On Sat, Nov 29, 2014 at 10:29 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:

> On Nov 29, 2014, at 2:11 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
>
> > Sure, and the domain owner can field servers on whatever port he/she
> > wishes after demonstrating control over the domain, which to me
> > means control over the DNS (be it direct, or indirect via whoever
> > administers the DNS).
>
> I think this will have to be an "agree to disagree" situation. The Let's
> Encrypt promotional material indicates that they want to get more HTTPS out
> in the world, so they need to deal with the huge number of folks who use
> hosting companies and thus have no DNS control. I believe that is a great
> goal.

I agree with your assessment of LE's goal, and with the goal itself, but
aren't hosting companies themselves a meaningful target audience for ACME and
expanding HTTPS? Anything that's in charge of your domain's DNS, or to whom
you've delegated control, should also be able to automate the provisioning of
a free certificate for you. No one's disputing that. So even if ACME did not
prove domain ownership by checking port 80, there'd be reason to believe it
would expand the playing field, if hosting companies found offering free
certificates a competitive feature.

That all said, I just read through the ACME draft spec[1], and none of the
listed proof-of-ownership methods involved just checking a path on port 80.
The HTTP-based proof mechanisms function by fetching a well-known URI over
port 443, and ensuring that a *valid self-signed certificate* is used to make
the connection and display the correct response. That self-signed cert needs
to use the same keypair that the server is attempting to validate for use in
making the CA-signed certificate.

That's smart, and completely removes concerns over things like user-generated
content hijacking a URI for someone else's server.

To prove you own a server without owning its DNS, you need to be able to
generate a keypair on the box and tell a webserver to use it -- the exact same
control you'd need to use Let's Encrypt in the first place -- and nothing less.

-- Eric

[1] https://github.com/letsencrypt/acme-spec/blob/master/draft-barnes-acme.txt

> --Paul Hoffman
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme

--
konklone.com | @konklone <https://twitter.com/konklone>
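The key-binding check discussed in the message above, as an added example that is not part of the original post, the ACME draft, or any Let's Encrypt code. It is written against the Go standard library only and runs on loopback: the "applicant" side generates a keypair, serves a self-signed certificate for that key over HTTPS and answers a challenge at a well-known path; the "CA" side fetches that path, deliberately skips chain validation (there is nothing to chain to yet) and instead requires that the presented leaf carries exactly the public key from the CSR and that the body is the expected response. The path prefix, the token and response strings, the host name example.test and all function names are assumptions made for the illustration; the draft's own challenge encoding is not reproduced. The second scenario shows the attack Eric describes being closed: an endpoint that serves the right content under a different key does not validate.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// Assumed well-known prefix for this illustration; the draft's own path and challenge encoding are not reproduced.
const challengePath = "/.well-known/acme-challenge/"

// newSelfSigned builds the self-signed cert the applicant's web server presents, issued for the CSR key.
func newSelfSigned(key *ecdsa.PrivateKey, host string) (tls.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// startChallengeServer is the applicant side: HTTPS on a loopback port, presenting cert and serving the token response.
func startChallengeServer(cert tls.Certificate, token, response string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc(challengePath+token, func(w http.ResponseWriter, _ *http.Request) { io.WriteString(w, response) })
	srv := httptest.NewUnstartedServer(mux)
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	return srv
}

// validate is the CA side. It fetches the well-known URI over TLS, skips chain validation (a self-signed leaf has
// no chain yet) and instead requires that the leaf's SubjectPublicKeyInfo is byte-identical to the CSR key and that
// the body is the expected response. The right content served under someone else's key therefore fails.
func validate(baseURL string, csrKey crypto.PublicKey, token, want string) error {
	wantSPKI, err := x509.MarshalPKIXPublicKey(csrKey)
	if err != nil {
		return err
	}
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // the key-binding check below replaces chain checks
	}}
	resp, err := client.Get(baseURL + challengePath + token)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.TLS == nil || len(resp.TLS.PeerCertificates) == 0 ||
		!bytes.Equal(resp.TLS.PeerCertificates[0].RawSubjectPublicKeyInfo, wantSPKI) {
		return fmt.Errorf("presented certificate does not carry the CSR key")
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 4096))
	if err != nil {
		return err
	}
	if string(body) != want {
		return fmt.Errorf("unexpected challenge response %q", body)
	}
	return nil
}

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// runScenario wires both sides: serverKey is what the web server really uses, csrKey is what the CA is asked to
// certify. Validation passes only when they are the same key. Token and response are made-up values.
func runScenario(serverKey, csrKey *ecdsa.PrivateKey) error {
	cert, err := newSelfSigned(serverKey, "example.test")
	if err != nil {
		return err
	}
	srv := startChallengeServer(cert, "tok-1234", "tok-1234.response")
	defer srv.Close()
	return validate(srv.URL, &csrKey.PublicKey, "tok-1234", "tok-1234.response")
}

func main() {
	k := genKey()
	fmt.Println("same key:", runScenario(k, k))         // same key: <nil>
	fmt.Println("other key:", runScenario(k, genKey())) // other key: presented certificate does not carry the CSR key
}
```

The InsecureSkipVerify setting is the one place this deviates from an ordinary TLS client, and it is only acceptable because the SPKI comparison that follows is a strictly stronger check for this purpose: the CA does not need a trusted chain, it needs proof that whoever answers on port 443 holds the private key it is about to certify. A validator that compared only the body, or that accepted any certificate, would reintroduce the user-generated-content problem the message describes.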