Re: [Acme] Issuing certificates based on Simple HTTP challenges

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 15 December 2015 16:52 UTC

To: Michael Wyraz <michael@wyraz.de>, acme@ietf.org
References: <CAF+SmEpOLoaREymVhi=qOUg2opz1vKzzNp6tGrDTZAjYSKFDkg@mail.gmail.com> <566F15DC.7090607@wyraz.de> <6B677A87-C6A0-485E-80DF-24960D585F46@coderanger.net> <566F2CB5.90402@wyraz.de> <89774336-0BA6-48FC-821D-1E8F3ED9AC14@coderanger.net> <566F4701.7050308@wyraz.de> <F3DA31B1-B27C-4C63-8ED4-6D27D46FF282@coderanger.net> <C2C239F2-E8A7-499B-BE52-3A48EA92B86D@dropmann.org> <BF7F8411-3E83-4A1F-B3A1-4C37DC8B4618@coderanger.net> <3CDE1749-3143-49EE-BD66-0AE4A8CC4175@dropmann.org> <566FDAB7.2030403@cs.tcd.ie> <56700F68.3040103@wyraz.de> <56701904.2070009@cs.tcd.ie> <56702EFA.1050008@wyraz.de>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <56704541.6080508@cs.tcd.ie>
Date: Tue, 15 Dec 2015 16:52:17 +0000
In-Reply-To: <56702EFA.1050008@wyraz.de>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/qN9K-tHFfmncFZfNUeCIVW5roOI>
Subject: Re: [Acme] Issuing certificates based on Simple HTTP challenges

Hiya,

On 15/12/15 15:17, Michael Wyraz wrote:
>> Basically, IMO only after we first get a "now" that works
> We have a working HTTP-01 spec, implementation and CA. What's missing
> for "a 'now' that works"?

PKI management with automation that gets deployed and that
provides interop between end entities and a range of CAs.
The core stuff acme is doing is the missing bit.

>> Personally the optional thing in which I'm much more interested is a
>> simple put-challenge-in-DNS one where the CA pays attention to DNSSEC,
>> since that's the use-case I have and that would provide some better
>> assurance to the certs acquired via acme. I can see that there might
>> also be value for some (other) folks in SRV if it means no need to
>> dynamically change DNS. But, if someone is saying "we must all do
>> these more complex things for security reasons" then they are, in this
>> context, wrong. And my mail was reacting to just such a statement. 
> Why not just placing a static public key to DNS that is allowed to sign
> ACME requests for this domain? Simple, no need for dynamic updates (yes,
> it's standardized for years but AFAIK not seen very often in real world
> scenarios).

Once one can modify DNS at all then that can be yet another optional
thing some folks might like I guess.

I don't know how this WG can choose between all these various options
in a meaningful manner tbh. I'm pretty sure that trying to do so now
wouldn't necessarily be a good plan. I'd be for waiting and seeing
how a few CAs running acme get on, and what real demands arise for more
than the basic approach that doesn't need to modify DNS; that might be the
right idea. (Even if that goes against my own wish to have the DNSSEC
based thing done soon.) But that's a question for the chairs and not
me.

S.


> 
> Regards,
> Michael.
> 
> 