Re: [Acme] Issuing certificates based on Simple HTTP challenges

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 16 December 2015 20:32 UTC

In-Reply-To: <5671C92F.5060609@cs.tcd.ie>
References: <CAF+SmEpOLoaREymVhi=qOUg2opz1vKzzNp6tGrDTZAjYSKFDkg@mail.gmail.com> <566F15DC.7090607@wyraz.de> <6B677A87-C6A0-485E-80DF-24960D585F46@coderanger.net> <566F2CB5.90402@wyraz.de> <89774336-0BA6-48FC-821D-1E8F3ED9AC14@coderanger.net> <566F4701.7050308@wyraz.de> <F3DA31B1-B27C-4C63-8ED4-6D27D46FF282@coderanger.net> <C2C239F2-E8A7-499B-BE52-3A48EA92B86D@dropmann.org> <BF7F8411-3E83-4A1F-B3A1-4C37DC8B4618@coderanger.net> <3CDE1749-3143-49EE-BD66-0AE4A8CC4175@dropmann.org> <566FDAB7.2030403@cs.tcd.ie> <56700F68.3040103@wyraz.de> <56701904.2070009@cs.tcd.ie> <56702EFA.1050008@wyraz.de> <13B5E9A8-E9CE-4018-8A9D-7856CBF06B4F@coderanger.net> <CAMm+Lwhvf+nRVV38q1U1DKm1WStV1UJv4+EJ_zvq0G_Tb25S9w@mail.gmail.com> <2761E0B2-8DCC-4150-813F-8CAB756C0392@coderanger.net> <174B082E-2721-41AE-992D-2937DCCB74CB@dropmann.org> <894b0ad1f1c34184bbbc9133702ed474@usma1ex-dag1mb1.msg.corp.akamai.com> <5671BBB5.4050308@wyraz.de> <5671C174.5040004@cs.tcd.ie> <5671C562.9090803@wyraz.de> <5671C92F.5060609@cs.tcd.ie>
Date: Wed, 16 Dec 2015 15:32:46 -0500
Message-ID: <CAMm+Lwi+O78YhkcKVtWERGW4=itjsC64=_Oyt8kpX-UjM+9G5g@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/pf8iYju27zguK21vCbr4v_1g8d4>
Cc: "acme@ietf.org" <acme@ietf.org>, Michael Wyraz <michael@wyraz.de>
Subject: Re: [Acme] Issuing certificates based on Simple HTTP challenges

On Wed, Dec 16, 2015 at 3:27 PM, Stephen Farrell
<stephen.farrell@cs.tcd.ie> wrote:
>
>
> On 16/12/15 20:11, Michael Wyraz wrote:
>> Stephen,
>>
>> I fear I have no idea what you mean with a "suffix list" and such.
>
> (Caveat: I'm very much an amateur at DNS issues, I hope someone
> else provides a better/more accurate response if one's needed.)
>
> Pretty much all mechanisms of the kind you envisage end up
> requiring a way to allow the "real" authority for a set of
> names to control what happens deeper in the hierarchy. So
> tcd.ie could decide what cs.tcd.ie are allowed to do with
> acme for example. That means you end up needing to know
> roughly where the zone cuts are, which is a hard problem
> in general. The public suffix list is how that's mostly
> done in the web, and dbound (an IETF activity) is trying to
> tease apart the various uses of that.
>
> So one of the problems with what you suggest is that the
> "right" place to look for my web servers is two up in the
> hierarchy and not the public suffix and not one up.

No, that isn't what we do for DV certs unless they are wildcard certs.

You are not going to be issuing wildcard certs with this mousetrap
built in this particular way for a long time.
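The exchange above turns on where the "real authority" for a name sits: the public suffix list tells you the registrable domain, but not which of the zones between the host and that domain actually controls the host. The following is an added example, not code from the thread, from the ACME specification or from any ACME implementation. It implements the Public Suffix List matching algorithm (including wildcard and exception rules) over a small constructed subset of the list, which is embedded so the example runs offline, and lists the ancestor zones a hierarchical policy mechanism would have to consider. The function and constant names are the example's own.

```python
"""Added example: public-suffix matching and the candidate "authority" zones
for a hostname. PSL_SUBSET is a constructed excerpt in the real list's
syntax, not the full list (which lives at publicsuffix.org)."""

# Constructed subset of the Public Suffix List: plain rules, one wildcard
# rule ("*.ck") and one exception rule ("!www.ck"), plus a hosting-provider
# suffix ("github.io") so tenants of one provider become separate authorities.
PSL_SUBSET = """
// constructed subset for illustration only
com
ie
co.uk
uk
*.ck
!www.ck
github.io
"""


def parse_psl(text):
    """Read PSL text into a set of rules, dropping comments and blank lines."""
    rules = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("//"):
            rules.add(line.lower())
    return rules


def _labels(host):
    return host.lower().rstrip(".").split(".")


def public_suffix(host, rules):
    """Public suffix of host per the PSL algorithm: an exception rule beats
    everything and yields the suffix one label shorter; otherwise the
    longest matching rule wins; with no match at all the suffix is the
    last label (the implicit "*" rule)."""
    labels = _labels(host)
    best_len = 0
    for i in range(len(labels)):
        tail = labels[i:]
        candidate = ".".join(tail)
        wildcard = ".".join(["*"] + tail[1:]) if len(tail) > 1 else None
        if "!" + candidate in rules:
            return ".".join(tail[1:])      # exception prevails immediately
        if candidate in rules or (wildcard and wildcard in rules):
            best_len = max(best_len, len(tail))
    if best_len == 0:
        best_len = 1
    return ".".join(labels[-best_len:])


def registrable_domain(host, rules):
    """Public suffix plus one label, or None if host is itself a suffix."""
    labels = _labels(host)
    k = public_suffix(host, rules).count(".") + 1
    if len(labels) <= k:
        return None
    return ".".join(labels[-(k + 1):])


def authority_candidates(host, rules):
    """Zones from the exact host up to and including the registrable domain.
    A non-wildcard DV challenge validates only the first entry; a
    hierarchical policy would have to pick which of the others may speak
    for it, and nothing in the PSL says where the zone cuts fall."""
    reg = registrable_domain(host, rules)
    if reg is None:
        return []
    labels = _labels(host)
    k = reg.count(".") + 1
    return [".".join(labels[i:]) for i in range(len(labels) - k + 1)]


if __name__ == "__main__":
    rules = parse_psl(PSL_SUBSET)
    for h in ("www.cs.tcd.ie", "a.example.co.uk", "foo.bar.ck", "www.ck",
              "app.github.io", "github.io"):
        print(h, "->", public_suffix(h, rules), registrable_domain(h, rules),
              authority_candidates(h, rules))
```

For www.cs.tcd.ie the candidates are www.cs.tcd.ie, cs.tcd.ie and tcd.ie: the list shows the "two up" zone Stephen mentions, but only the exact name is what a plain DV challenge proves control of, and the code cannot tell you whether cs.tcd.ie is a delegated zone or a name tcd.ie manages directly.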