Re: [Acme] Agreement integrity checksum

Niklas Keller <me@kelunik.com> Tue, 15 December 2015 23:04 UTC

To: Richard Barnes <rlb@ipv.sx>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/q4LJsJ_u1IIptqLX468uD8qYZXY>
Cc: Michael Tandy <iaectmfe@mjt.me.uk>, Martin Thomson <martin.thomson@gmail.com>, Jacob Hoffman-Andrews <jsha@eff.org>, "acme@ietf.org" <acme@ietf.org>

2015-12-15 17:27 GMT+01:00 Richard Barnes <rlb@ipv.sx>:

> Thanks for the PR!  I agree that having an integrity hash is overkill,
> and we should focus on advising CAs.
>
> That said, the considerations for how CAs track agreements are very
> much specific to each CA, so I'm hesitant to have MUST-level
> requirements.  If you change it to a SHOULD, then I think we're good
> to go.


I don't know whether it should be a MUST or SHOULD. It's not only
CAs that track agreement, but also the clients.

I'd like some additional way to signal to a client that continued usage
signifies acceptance of new terms for a given CA. Based on that, the
client can check for the terms URI every time it starts and update the
registration if necessary. Otherwise, it would have to error out in a hard
way, breaking automation.