Re: [Acme] kinds of proof
Trevor Freeman <trevor.freeman99@icloud.com> Tue, 02 December 2014 19:36 UTC
Return-Path: <trevor.freeman99@icloud.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD4A71A1EF7 for <acme@ietfa.amsl.com>; Tue, 2 Dec 2014 11:36:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dq_zPcOFhY4v for <acme@ietfa.amsl.com>; Tue, 2 Dec 2014 11:36:26 -0800 (PST)
Received: from mr11p24im-asmtp001.me.com (mr11p24im-asmtp001.me.com [17.110.78.41]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 592651A6FE2 for <acme@ietf.org>; Tue, 2 Dec 2014 11:36:26 -0800 (PST)
Received: from Den (c-67-183-152-156.hsd1.wa.comcast.net [67.183.152.156]) by mr11p24im-asmtp001.me.com (Oracle Communications Messaging Server 7.0.5.33.0 64bit (built Aug 27 2014)) with ESMTPSA id <0NFY00M50ZSN9K10@mr11p24im-asmtp001.me.com> for acme@ietf.org; Tue, 02 Dec 2014 19:36:25 +0000 (GMT)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.13.68,1.0.33,0.0.0000 definitions=2014-12-02_08:2014-12-02,2014-12-02,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1408290000 definitions=main-1412020167
From: Trevor Freeman <trevor.freeman99@icloud.com>
To: 'Paul Hoffman' <paul.hoffman@vpnc.org>, acme@ietf.org
References: <20141127211348.GE25114@mournblade.imrryr.org> <54784C61.2080508@cs.tcd.ie> <20141128170917.GC285@mournblade.imrryr.org> <88B49E1D-1601-4B86-8D93-14CF71501DFC@vpnc.org> <20141128213724.GG285@mournblade.imrryr.org> <7261AA75-5912-4514-A393-94F602C941C2@vpnc.org> <20141129170537.GK285@mournblade.imrryr.org> <m2tx1ehq63.wl%randy@psg.com> <CAK6vND83ehPaMtKm0i9nX2H+8k-xo_ztuh+fbnETn7HaoZqr3Q@mail.gmail.com> <DM2PR0301MB0655E1CABDDFF7E3198CA2BFA87A0@DM2PR0301MB0655.namprd03.prod.outlook.com> <20141202025438.GH285@mournblade.imrryr.org> <CAK6vND9GYED3T=2V1fL1M8eCwGz23PCAFOcaZAbxjTG5xtY2Tw@mail.gmail.com> <B303B16C-C282-4C15-99D1-BC59B9FC3989@vpnc.org>
In-reply-to: <B303B16C-C282-4C15-99D1-BC59B9FC3989@vpnc.org>
Date: Tue, 02 Dec 2014 11:36:18 -0800
Message-id: <007501d00e67$3f0b2620$bd217260$@icloud.com>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="----=_NextPart_000_0076_01D00E24.30EE00A0"
X-Mailer: Microsoft Outlook 14.0
Thread-index: AQGSAWoMOWbPM63Lg/bucBKRIHyRQwI/XhhvAhyJYcsBIF/JYQKjNS8FAafZ1toB1+EZBQGt8DVOAc9pp/8CXEbkjQJll7srAw5ul9gBnkNCnJw0bKgg
Content-language: en-us
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/pdoSyhnykSvrKOj3v_Ppjx1X5T4
Subject: Re: [Acme] kinds of proof
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Dec 2014 19:36:29 -0000
-----Original Message----- From: Acme [mailto:acme-bounces@ietf.org] On Behalf Of Paul Hoffman Sent: Tuesday, December 02, 2014 9:30 AM To: acme@ietf.org Subject: Re: [Acme] kinds of proof Greetings. It seems that some people want ACME to force a higher level of assurance on the protocol than those of us who are trying to get more authenticated encryption everywhere would want. Given that we still don't have a published Internet Draft (ahem), it would be good to come to agreement early on what is going to be required. A specific use case that is important to me is someone running a web server on a commercial hoster should be able to get a TLS cert using ACME even if the hoster does not have its own ACME support. The site admin in that case should be able to run an ACME client on their laptop and be able to go through the ACME steps needed to get a cert that they can load into their web site, then tell the hoster to turn on port 443. If the hoster supports the ACME steps itself, the web admin might not even need to do anything: the hoster can run ACME for them to get the cert. Given that hosters are always trying to cut customer service costs, ACME should allow hosters to automate the cert process to the point where no human interaction is needed after the hoster decides "this site will now use HTTPS". Proposal: - ACME clients and servers can be run without human interaction during the ACME exchange itself. All configuration can be done before the ACME client initiates the session, as long as the system running the ACME client has control over the service for which the certificate is being issued. A human may need to make manual changes if their system does not have an ACME setup, but the ACME protocol supports full automation as well. [TF] Totally agree with the sentiment. However each ACME client will need some minimal configuration and I stress minimal. I would submit it should be possible to use: 1. The URL of the ACME server 2. An authenticator to prove this request belongs to a DV RA That is all we need. The ACME client should be able to use this data to learn when type of request(s) to build, what parameters to use, then summit the request with a high confidence it will success because it used the information from the ACME server to build the request, and install the certified once issued. The small the bootstrap data set, the less scope for misstates when repeating across multiple ACME clients. - A CA must verify that the system on which the ACME client is running can control the service for which the certificate is being issued. [TF] The ACME server would have previously verified the DV RA. The biding between the RA and the individual request is a form of delegations i.e. this request belongs to the DV RA. - The system running the ACME client does not have to have control over the DNS service that controls the domain name being used in the requested certificate; however, particular DNS control can be required by policy by an ACME server. [TF] This relates to the type of proof and scope the DV RA used. If the DV RA used a DNS based POC then the CA can issue names in any subdomain i.e. if you validated foo.com then you can issue *.foo.com. If the POC was to a specific URL, then the ACME server can only issue to that same domain name. - The ACME protocol has to have expressive enough semantics so that an ACME server can tell an ACME client in detail what policy is causing the ACME server to reject a particular certificate request. [TF] an ACME server can tell an ACME client in detail what is causing the ACME server to reject a particular certificate request. Let's not assume the only failures are policy. _______________________________________________ Acme mailing list <mailto:Acme@ietf.org> Acme@ietf.org <https://www.ietf.org/mailman/listinfo/acme> https://www.ietf.org/mailman/listinfo/acme
- [Acme] ACME or EST? Paul Hoffman
- Re: [Acme] ACME or EST? Richard Barnes
- Re: [Acme] ACME or EST? Joe Hildebrand (jhildebr)
- Re: [Acme] ACME or EST? Richard Barnes
- Re: [Acme] ACME or EST? Nico Williams
- Re: [Acme] ACME or EST? Paul Hoffman
- Re: [Acme] ACME or EST? Tony Arcieri
- Re: [Acme] ACME or EST? Paul Hoffman
- Re: [Acme] ACME or EST? Tony Arcieri
- Re: [Acme] ACME or EST? Phillip Hallam-Baker
- Re: [Acme] ACME or EST? Michael Jenkins
- Re: [Acme] ACME or EST? Stephen Farrell
- [Acme] first order requirement - suitable as an o… Stephen Farrell
- Re: [Acme] ACME or EST? Salz, Rich
- Re: [Acme] ACME or EST? Nico Williams
- Re: [Acme] ACME or EST? Nico Williams
- Re: [Acme] ACME or EST? Randy Bush
- Re: [Acme] ACME or EST? Joe Hildebrand (jhildebr)
- Re: [Acme] ACME or EST? Stephen Farrell
- Re: [Acme] ACME or EST? Phillip Hallam-Baker
- Re: [Acme] ACME or EST? Viktor Dukhovni
- Re: [Acme] ACME or EST? Christian Huitema
- [Acme] ACME or EST? Tony Arcieri
- Re: [Acme] ACME or EST? Phillip Hallam-Baker
- Re: [Acme] ACME or EST? Christian Huitema
- [Acme] kinds of proof (was: Re: ACME or EST?) Stephen Farrell
- Re: [Acme] kinds of proof (was: Re: ACME or EST?) Phillip Hallam-Baker
- Re: [Acme] kinds of proof Stephen Farrell
- Re: [Acme] kinds of proof Salz, Rich
- Re: [Acme] kinds of proof Paul Hoffman
- Re: [Acme] kinds of proof Eric Rescorla
- Re: [Acme] ACME or EST? Eliot Lear
- Re: [Acme] kinds of proof (was: Re: ACME or EST?) Viktor Dukhovni
- Re: [Acme] kinds of proof Phillip Hallam-Baker
- Re: [Acme] kinds of proof Paul Hoffman
- Re: [Acme] kinds of proof Paul Hoffman
- Re: [Acme] ACME or EST? Nico Williams
- Re: [Acme] kinds of proof Viktor Dukhovni
- Re: [Acme] kinds of proof Paul Hoffman
- Re: [Acme] kinds of proof Nico Williams
- Re: [Acme] kinds of proof Paul Hoffman
- Re: [Acme] ACME or EST? Randy Bush
- Re: [Acme] kinds of proof Randy Bush
- Re: [Acme] ACME or EST? Richard Barnes
- Re: [Acme] ACME or EST? Randy Bush
- Re: [Acme] kinds of proof Viktor Dukhovni
- Re: [Acme] kinds of proof Paul Hoffman
- Re: [Acme] kinds of proof Viktor Dukhovni
- Re: [Acme] kinds of proof Paul Hoffman
- Re: [Acme] kinds of proof Tony Arcieri
- Re: [Acme] kinds of proof Eric Mill
- Re: [Acme] kinds of proof Randy Bush
- Re: [Acme] kinds of proof Peter Bowen
- Re: [Acme] kinds of proof Christian Huitema
- Re: [Acme] kinds of proof Viktor Dukhovni
- Re: [Acme] kinds of proof Peter Bowen
- Re: [Acme] kinds of proof Paul Hoffman
- Re: [Acme] kinds of proof Peter Bowen
- Re: [Acme] kinds of proof Paul Hoffman
- Re: [Acme] kinds of proof Phillip Hallam-Baker
- Re: [Acme] kinds of proof Trevor Freeman
- Re: [Acme] kinds of proof Randy Bush
- Re: [Acme] kinds of proof Martin Thomson