IETF Logo Mail Archive

Re: [Acme] Issuing certificates based on Simple HTTP challenges

Phillip Hallam-Baker <phill@hallambaker.com> Tue, 15 December 2015 23:45 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEDB61B2BCC for <acme@ietfa.amsl.com>; Tue, 15 Dec 2015 15:45:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NA-AFbZ4SkoQ for <acme@ietfa.amsl.com>; Tue, 15 Dec 2015 15:45:13 -0800 (PST)
Received: from mail-lf0-x22a.google.com (mail-lf0-x22a.google.com [IPv6:2a00:1450:4010:c07::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 657291A6F11 for <acme@ietf.org>; Tue, 15 Dec 2015 15:45:12 -0800 (PST)
Received: by mail-lf0-x22a.google.com with SMTP id z124so13279789lfa.3 for <acme@ietf.org>; Tue, 15 Dec 2015 15:45:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=fRgRoBGuLKUdwkiuTB7el2N/17SnBO+Dw3gV9vCfS0c=; b=FL9LlPH3DKvQ899iiM8KcpEUDzsfVt5dXYZlXG8BkYJyO3gwerkXK5hFaXngIpPWCf sOoYUER8Y/BzQy4WX4IoSJyxhmWu3svOLloYPIUpWtbq9lLOYVwL1vzfOA7oBtW4C2QL DUU5RoV+DR2+9tYX0/devIQt9CopxUXykvCRwq093/8o+5l3ZTlI8oa6n6ONodfG6xMe U9ORGKH/haAE8XZv4B5pmey8YmTQjBv2BKrQRyzcRT5GzN6TJoS50P6GM2xGpmGruuV7 3A6EJfSPLUOQ05Jn5EC3RBA415nPznpX6FAFqbYsFGr8qsJPDWhYL9ROJdvvigXh/pnB DNbQ==
MIME-Version: 1.0
X-Received: by 10.25.30.5 with SMTP id e5mr13537103lfe.48.1450223110575; Tue, 15 Dec 2015 15:45:10 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.1.227 with HTTP; Tue, 15 Dec 2015 15:45:10 -0800 (PST)
In-Reply-To: <CAL02cgSXNLdTU9xWt_qh+Ry5i3Es-3EZT4gkRMxZY55Hp43NrA@mail.gmail.com>
References: <CAF+SmEpOLoaREymVhi=qOUg2opz1vKzzNp6tGrDTZAjYSKFDkg@mail.gmail.com> <566F15DC.7090607@wyraz.de> <6B677A87-C6A0-485E-80DF-24960D585F46@coderanger.net> <566F2CB5.90402@wyraz.de> <89774336-0BA6-48FC-821D-1E8F3ED9AC14@coderanger.net> <566F4701.7050308@wyraz.de> <F3DA31B1-B27C-4C63-8ED4-6D27D46FF282@coderanger.net> <C2C239F2-E8A7-499B-BE52-3A48EA92B86D@dropmann.org> <BF7F8411-3E83-4A1F-B3A1-4C37DC8B4618@coderanger.net> <3CDE1749-3143-49EE-BD66-0AE4A8CC4175@dropmann.org> <566FDAB7.2030403@cs.tcd.ie> <56700F68.3040103@wyraz.de> <56701904.2070009@cs.tcd.ie> <56702EFA.1050008@wyraz.de> <13B5E9A8-E9CE-4018-8A9D-7856CBF06B4F@coderanger.net> <CAMm+Lwhvf+nRVV38q1U1DKm1WStV1UJv4+EJ_zvq0G_Tb25S9w@mail.gmail.com> <2761E0B2-8DCC-4150-813F-8CAB756C0392@coderanger.net> <CAMm+LwicCES0QrZmTDmBo9WX6tsR4ihyvbLG5m=Lxpm_69qY6g@mail.gmail.com> <CAL02cgSXNLdTU9xWt_qh+Ry5i3Es-3EZT4gkRMxZY55Hp43NrA@mail.gmail.com>
Date: Tue, 15 Dec 2015 18:45:10 -0500
X-Google-Sender-Auth: tXKWNSw4SuCqayzhLAn_sXctrs4
Message-ID: <CAMm+LwhCe215wwu4nVfLcuSqque7G+DcOYZmkO48pXQYbHnJ6g@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Richard Barnes <rlb@ipv.sx>
Content-Type: multipart/alternative; boundary="001a113fa5d059e2700526f861be"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/uEK7nZL7o-1NHQ3oSP_aWTCgB30>
Cc: "acme@ietf.org" <acme@ietf.org>, Noah Kantrowitz <noah@coderanger.net>
Subject: Re: [Acme] Issuing certificates based on Simple HTTP challenges
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Dec 2015 23:45:15 -0000

Here is a handy list

https://cabforum.org/ipr-exclusion-notices/


On Tue, Dec 15, 2015 at 6:24 PM, Richard Barnes <rlb@ipv.sx> wrote:

> On Tue, Dec 15, 2015 at 4:17 PM, Phillip Hallam-Baker
> <phill@hallambaker.com> wrote:
> >
> >
> > On Tue, Dec 15, 2015 at 2:41 PM, Noah Kantrowitz <noah@coderanger.net>
> > wrote:
> >>
> >>
> >> > On Dec 15, 2015, at 9:48 AM, Phillip Hallam-Baker
> >> > <phill@hallambaker.com> wrote:
> >> >
> >> >
> >> >
> >> > On Tue, Dec 15, 2015 at 12:25 PM, Noah Kantrowitz <
> noah@coderanger.net>
> >> > wrote:
> >> >
> >> > > On Dec 15, 2015, at 7:17 AM, Michael Wyraz <michael@wyraz.de>
> wrote:
> >> > >
> >> > > Stephen,
> >> > >> Yes, I understand that and didn't actually refer to LE at all in my
> >> > >> mail.
> >> > > I'm sorry if I missunderstood you with that.
> >> > >
> >> > >> Basically, IMO only after we first get a "now" that works
> >> > > We have a working HTTP-01 spec, implementation and CA. What's
> missing
> >> > > for "a 'now' that works"?
> >> > >
> >> > >> Personally the optional thing in which I'm much more interested is
> a
> >> > >> simple put-challenge-in-DNS one where the CA pays attention to
> >> > >> DNSSEC,
> >> > >> since that's the use-case I have and that would provide some better
> >> > >> assurance to the certs acquired via acme. I can see that there
> might
> >> > >> also be value for some (other) folks in SRV if it means no need to
> >> > >> dynamically change DNS. But, if someone is saying "we must all do
> >> > >> these more complex things for security reasons" then they are, in
> >> > >> this
> >> > >> context, wrong. And my mail was reacting to just such a statement.
> >> > > Why not just placing a static public key to DNS that is allowed to
> >> > > sign
> >> > > ACME requests for this domain? Simple, no need for dynamic updates
> >> > > (yes,
> >> > > it's standardized for years but AFAIK not seen very often in real
> >> > > world
> >> > > scenarios).
> >> >
> >> > Anything that makes deployment _harder_ than the current LE client is
> a
> >> > move in the wrong direction. UX matters, with security more than just
> about
> >> > anything else. Unless you can propose a user flow to go with this
> change, no
> >> > amount of hypothetical correctness is worth having a tool no one will
> use.
> >> >
> >> > Harder for whom?
> >> >
> >> > The current scheme isn't going to work for any geolocation based
> systems
> >> > and is a terrible fit for enterprise.
> >>
> >> I think this is a bit of a red herring on a few fronts. You can use
> >> http-01 or similar strategies on a widely-replicated system, it is just
> >> annoying because you need to push the challenge response file to a
> bunch of
> >> places. If the geo-distributed piece is a CDN, the system is already
> >> designed to smash caches effectively so that is handled. Still, that is
> >> gross and a lot of work, but fortunately there is already a DNS
> challenge in
> >> the works that will help for some cases.
> >
> >
> > And is likely to be challenged by the IPR holder.
>
> You've mentioned IPR a couple of times.  If you have knowledge of IPR
> in this space, disclosures would be very helpful.  Same goes for
> anyone else here.
>
> Thanks,
> --Richard
>
>
> >
> > Keys in the DNS has prior art. It is also rather simpler to implement.
> >
> >
> > _______________________________________________
> > Acme mailing list
> > Acme@ietf.org
> > https://www.ietf.org/mailman/listinfo/acme
> >
>

v2.23.0 | Report a Bug | By Email