IETF Logo Mail Archive

Re: [Acme] Issuing certificates based on Simple HTTP challenges

Julian Dropmann <julian@dropmann.org> Wed, 16 December 2015 12:20 UTC

Return-Path: <julian@dropmann.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29CC91B2A58 for <acme@ietfa.amsl.com>; Wed, 16 Dec 2015 04:20:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i9eR5eTsbU26 for <acme@ietfa.amsl.com>; Wed, 16 Dec 2015 04:20:47 -0800 (PST)
Received: from mail-lf0-x242.google.com (mail-lf0-x242.google.com [IPv6:2a00:1450:4010:c07::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DE8A1B29D4 for <acme@ietf.org>; Wed, 16 Dec 2015 04:20:47 -0800 (PST)
Received: by mail-lf0-x242.google.com with SMTP id y184so2740638lfc.0 for <acme@ietf.org>; Wed, 16 Dec 2015 04:20:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dropmann.org; s=dkim1; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=MSN4C068IWDaCD5EepbhiLSkR5nSebm5UR0+06RDIdc=; b=ZVtP6h/ZFIACOdSNEXwP0L90L6DvF9GoA7uL8X0tFdZVKYkBDo51lg7p0KCA7U/OX1 +MIKWZWuxPBppVczSjRdjXZvVZQGYwCzfZj18hfRKfyoROvD7n8e6f1ghWGX6NUh7An4 pI/K6INNDwrF+2LWi+j+ylTcpzneRqRW6xhn4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=MSN4C068IWDaCD5EepbhiLSkR5nSebm5UR0+06RDIdc=; b=eDLJ6MWrt+sLiF13lBGJEqjxVKIXXy13/vudN+n4LcN1i9XyZr9NiFCcG4KDPrm4hF zXkFZCP/CptyX4/vgpYY/kgypGFkQ0gwh5kYZrHjjiSKKi/nLzJyD/fUCalf/zqtyEJ+ o9bi+1KqgFIrgi+HDro7VFEGcyPwiQSFs0JXLMK0/SXTQLoh0naAW/e/9h0U3O83izHf 0J2xjB8QbKSkv5wr6Dl35CcfiQr/dkZfGymjzD/C+MtLtNM3IGffH4/DEUrqNMDJq+FT BLKb54BQ6P8R50onkFiz3WdJm6Du5exgJ+QAjDOCMuCd3sXyxPK2h1AT2fWJZ4Xyjg/h IGvw==
X-Gm-Message-State: ALoCoQkTBhtbGtRdG/n2HnL8chenKERIinhoKgF1rSRyLhbMx+/rK+r/u1iOHLqzs7ZsqkVZFdEmPTaDOPZmmg0Pif13uzGGRg==
MIME-Version: 1.0
X-Received: by 10.25.159.130 with SMTP id i124mr17848881lfe.144.1450268445309; Wed, 16 Dec 2015 04:20:45 -0800 (PST)
Received: by 10.25.39.2 with HTTP; Wed, 16 Dec 2015 04:20:45 -0800 (PST)
X-Originating-IP: [62.154.225.234]
In-Reply-To: <56715280.2070600@cs.tcd.ie>
References: <CAF+SmEpOLoaREymVhi=qOUg2opz1vKzzNp6tGrDTZAjYSKFDkg@mail.gmail.com> <566F15DC.7090607@wyraz.de> <6B677A87-C6A0-485E-80DF-24960D585F46@coderanger.net> <566F2CB5.90402@wyraz.de> <89774336-0BA6-48FC-821D-1E8F3ED9AC14@coderanger.net> <566F4701.7050308@wyraz.de> <F3DA31B1-B27C-4C63-8ED4-6D27D46FF282@coderanger.net> <C2C239F2-E8A7-499B-BE52-3A48EA92B86D@dropmann.org> <BF7F8411-3E83-4A1F-B3A1-4C37DC8B4618@coderanger.net> <3CDE1749-3143-49EE-BD66-0AE4A8CC4175@dropmann.org> <566FDAB7.2030403@cs.tcd.ie> <56700F68.3040103@wyraz.de> <56701904.2070009@cs.tcd.ie> <56702EFA.1050008@wyraz.de> <13B5E9A8-E9CE-4018-8A9D-7856CBF06B4F@coderanger.net> <CAMm+Lwhvf+nRVV38q1U1DKm1WStV1UJv4+EJ_zvq0G_Tb25S9w@mail.gmail.com> <2761E0B2-8DCC-4150-813F-8CAB756C0392@coderanger.net> <174B082E-2721-41AE-992D-2937DCCB74CB@dropmann.org> <5670CBD6.5080000@cs.tcd.ie> <CAF+SmEp494K9pQqWNAeH1iS+dsmLSMJnuMpAvjGm0dku3ukEfQ@mail.gmail.com> <56715280.2070600@cs.tcd.ie>
Date: Wed, 16 Dec 2015 13:20:45 +0100
Message-ID: <CAF+SmEqND_9bxroNkr72woY9UBjP3BaUS1FbQa44jzfRWR1v+g@mail.gmail.com>
From: Julian Dropmann <julian@dropmann.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="001a114013c08333dd052702ef50"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/t2jwmKH2lKLFvnj2ZmCmFvTJpLc>
Cc: "acme@ietf.org" <acme@ietf.org>, Noah Kantrowitz <noah@coderanger.net>
Subject: Re: [Acme] Issuing certificates based on Simple HTTP challenges
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2015 12:20:50 -0000

If they trust you with that, they could just add an ACRE specific SRV
record, and thereby delegate that privilege to create certs to you and
everything would be fine.
They were able to do this with the A record too.

I just do not find it intuitive in general that by defining any record you
do this implicitly as a domain owner.
At least I personally was not expecting this, but maybe its just me that is
so stupid.

And the question was not about whether you personally are legitimated to
create certs for your university, but whether this should be the case for
any host of every single zone.

On Wed, Dec 16, 2015 at 1:01 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
> Julian,
>
> On 16/12/15 09:22, Julian Dropmann wrote:
> > If the owners of the domain decide you not to give you write access to
> > their zone, there is probably a reason for that.
> > And this reason is that _they_ want to remain in control.
> >
> > So why do you even assume that you should be able to obtain a certificate
> > for their domain if you do not even have control over that zone?
> > In my opinion that is exactly the definition of what CAs should verify:
> If
> > the requester has control over the zone the CA signs the certificate for.
> > If the CA issues a certificate for the whole zone, it has to check if
> this
> > happens in consent with the people who have control over that entire
> zone,
> > and not just one guy running a service there.
> >
> > You push this discussion in a direction where its all about ease of use
> for
> > the guy running the box to obtain a certificate.
> > But please explain to me then, why the host behind an A record should
> have
> > that legitimization.
>
> I'm sorry but I am not seeing what else there is to explain.
> But I'll try one more time.
>
> I control the hosts in question and have for >10 years, even
> through h/w upgrades. The university don't care that I have
> been using self-signed certs for all that time and now don't
> care that I can finally present a cert that verifies in a
> browser. They are happy enough to trust me to not mess about
> inside the college network. All of that is entirely legitimate.
>
> S.
>
> >
> > On Wed, Dec 16, 2015 at 3:26 AM, Stephen Farrell <
> stephen.farrell@cs.tcd.ie>
> > wrote:
> >
> >>
> >> Hiya,
> >>
> >> On 16/12/15 01:44, Julian Dropmann wrote:
> >>> The target users are server admins right? In order to set up their
> >>> services, they should be familiar with DNS.
> >>
> >> Familiar with != has write access to.
> >>
> >> In my university, I have root on 24U of boxen with zero write
> >> access to the routers, f/w, DNS or mail servers, meaning that
> >> for 13 years I couldn't get the two that are publicly visible
> >> web servers certified by any CA any time I checked, which was
> >> admittedly not that often.
> >
> >
> >> ACME (via LE in that case, but I've no allegiance) fixed that
> >> in a couple of minutes. And those minutes didn't require deep
> >> knowledge of anything - relative ignorance would have worked
> >> just as well, which is fantastic:-)
> >>
> >> And before someone argues, sure there are other situations but
> >> our goal here is to define a protocol that works in the most
> >> common of those cases as easily as possible and that supports
> >> automation.
> >>
> >>> To use the current
> >>> mechanism they already need to configure the A record.
> >>
> >> Not necessarily the same admins. That much is pretty obvious
> >> and unless someone has demographics about how many sysadmins
> >> have what access to what (which would be great!) I think this
> >> is repetitive argument and therefore pointless.
> >>
> >> Cheers,
> >> S.
> >>
> >>
> >>> So whats the
> >>> big difference? Instead of an A record they need to use an SRV
> >>> record. So technically only the record type changes. Nothing else.
> >>> How is that even a higher level of interaction?
> >>>
> >>> There are other services requiring admins to create DNS records
> >>> (Google Apps for example). They are being used.
> >>
> >>
> >
> >
> >
> > _______________________________________________
> > Acme mailing list
> > Acme@ietf.org
> > https://www.ietf.org/mailman/listinfo/acme
> >
>

v2.23.0 | Report a Bug | By Email