Re: [Acme] Want client-defined callback port

Richard Barnes <rlb@ipv.sx> Wed, 22 April 2015 22:10 UTC

In-Reply-To: <DE264105-7317-4343-BCEE-539A73D42544@apple.com>
References: <352DA5FE-AC6F-49A7-8F9F-70A74889204F@apple.com> <CAK3OfOjey4bk02qC_jj2c0AzZ54qnP=KAJnG=mXnO6A5gZ4m9g@mail.gmail.com> <CAL02cgQ94ijVrCM9SStcodRW+XSG2w5Zwu3+ny8HriDBnxjdtg@mail.gmail.com> <FF21526F-BA8D-4F54-AAE3-047632706668@apple.com> <CAL02cgSDk0TNYusEkXA3onmqF7=kaAWhHjpW8WjbiqxgQMdQwQ@mail.gmail.com> <555F6C74-2416-4893-BDEA-A3C2E55A6D57@apple.com> <16985cf1c8c444c48d328fa766ec5ff8@usma1ex-dag1mb2.msg.corp.akamai.com> <DE264105-7317-4343-BCEE-539A73D42544@apple.com>
Date: Wed, 22 Apr 2015 18:10:13 -0400
Message-ID: <CAL02cgTv5Zi4wP0gJPvcrty6N96pAaLRkCveyvMNfoyjQrrEyw@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Bruce Gaya <gaya@apple.com>
Content-Type: multipart/alternative; boundary="001a1133a85c6c758e0514576d5d"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/sS_xntj0MeujJ90AOiRgC8lpLDQ>
Cc: "Salz, Rich" <rsalz@akamai.com>, "acme@ietf.org" <acme@ietf.org>, Nico Williams <nico@cryptonector.com>
Subject: Re: [Acme] Want client-defined callback port
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Apr 2015 22:10:25 -0000

On Tue, Apr 21, 2015 at 10:53 PM, Bruce Gaya <gaya@apple.com> wrote:

>
> On 21 Apr 2015, at 18:23, Salz, Rich <rsalz@akamai.com> wrote:
>
> > I understand that you want it to “just work” (you said that a couple of
> > times :), but other folks have raised security concerns – do you understand
> > or agree with them?
>
> I agree that client access to ports below 1024 usually requires more
> privileges and that’s generally safer than allowing any client port.
>

So would you be OK with the spec saying that the server MUST reject
client-specified ports that are greater than 1023?


> > One way forward is to say a client MAY specify a port, where the default
> > is 443. An ACME server MAY reject requests for ports other than 443 if it
> > is in violation of the operating policy.
>
> That would work.
>

Let's return to the question of protocol, however.  The CA needs to know
how to validate the challenge.  Are you envisioning that this would be an
extension to the simpleHttps challenge, so that the validation would still
be done using an HTTP request to a .well-known URI, just on a different
port?

--Richard



>
> The policy of Let’s Encrypt Certificate Authority, however, is very
> important! I also would very much like that CA to allow client-defined
> callback ports below 1024.
>
> Bruce
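An added illustration, not code from the ACME draft, from Let's Encrypt, or from anyone in this thread: a CA-side check of a client-proposed validation port under the two rules discussed above (reject any port above 1023, since binding it needs no privilege; default to 443 and reject other ports unless the operating policy allows them), followed by construction of the .well-known URI a simpleHttps-style validator would fetch on that port. The `/.well-known/acme-challenge/` path and the https scheme are assumed from the draft of the time; `PortPolicy` and the function names are hypothetical.

```python
"""Constructed example of a CA-side port policy for an ACME-style
simpleHttps validation on a client-chosen port (not the ACME spec's code)."""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

DEFAULT_PORT = 443
PRIVILEGED_PORT_MAX = 1023      # binding 0..1023 normally requires elevated privilege
# Assumption: path used by the draft's simpleHttps challenge.
WELL_KNOWN_PREFIX = "/.well-known/acme-challenge/"
# Challenge tokens are URL-safe base64; anything else must not reach the URL.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


@dataclass(frozen=True)
class PortPolicy:
    """Operating policy of the CA (hypothetical structure)."""
    # Ports other than 443 that the operator chooses to accept.
    allowed_ports: FrozenSet[int] = frozenset()
    # Enforce the "MUST reject ports > 1023" rule from the thread.
    reject_unprivileged: bool = True


class PortRejected(ValueError):
    """Raised when the client-proposed port violates policy."""


def select_validation_port(requested: Optional[int], policy: PortPolicy) -> int:
    """Return the port the validator will connect to, or raise PortRejected.

    Omitted port -> 443 (the default proposed in the thread).
    """
    if requested is None:
        return DEFAULT_PORT
    if isinstance(requested, bool) or not isinstance(requested, int):
        raise PortRejected(f"port {requested!r} is not an integer")
    if not 1 <= requested <= 65535:
        raise PortRejected(f"port {requested} is outside the TCP port range")
    if policy.reject_unprivileged and requested > PRIVILEGED_PORT_MAX:
        # An unprivileged process on the host could bind this port, so it
        # does not demonstrate control of the host the way 443 does.
        raise PortRejected(f"port {requested} is above {PRIVILEGED_PORT_MAX}")
    if requested != DEFAULT_PORT and requested not in policy.allowed_ports:
        raise PortRejected(f"port {requested} is not permitted by operating policy")
    return requested


def port_decision(requested: Optional[int], policy: PortPolicy) -> Tuple[bool, str]:
    """Convenience wrapper: (accepted, reason-or-port) for logging or tests."""
    try:
        return True, str(select_validation_port(requested, policy))
    except PortRejected as exc:
        return False, str(exc)


def validation_url(domain: str, token: str, port: int) -> str:
    """Build the URI the CA's validator fetches for the simpleHttps check."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not URL-safe base64")
    host = domain if port == DEFAULT_PORT else f"{domain}:{port}"
    return f"https://{host}{WELL_KNOWN_PREFIX}{token}"


if __name__ == "__main__":
    policy = PortPolicy(allowed_ports=frozenset({80}))
    for proposed in (None, 443, 80, 8443, 22):
        ok, detail = port_decision(proposed, policy)
        print(f"requested={proposed!r:<6} accepted={ok!s:<5} {detail}")
    print(validation_url("example.com", "tok-123_ABC", 443))
    print(validation_url("example.com", "tok-123_ABC", 80))
```

With the default policy only 443 passes; an operator who wants to honour low-port requests adds them to `allowed_ports`, and ports above 1023 are refused regardless of the allowlist unless `reject_unprivileged` is switched off.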