[Acme] kinds of proof (was: Re: ACME or EST?)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 28 November 2014 10:20 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/acme/uIZuCdtsiXK3YxWAhf6U0Nwnn5o

changing subject line to the interesting bit...

On 27/11/14 21:13, Viktor Dukhovni wrote:
> I agree that the wire format (syntax) is less important than the
> feature set (semantics).  In particular, there I'd like to see some
> discussion of what kind of "proofs of control" should be acceptable
> with a lights-out DV certification authority.

Yep. Fully agree about DV. But DV isn't the only kind of
validation I'd like to be supported here.

I'd like if it were possible to extend that to include cases
where one has control over the web server, but not the DNS.

Now there are dangers in that so I'm not sure if it's really
doable, but I've controlled web servers below tcd.ie for years
(e.g. [1]), without any control over DNS, and I'd like to be
able to do better than self-signed out of the box there too.

The current spec [2] seems to allow for that via the "provision
a file on the web server" method, but the details of that
("simpleHttps" I guess?) aren't clear. I'm also not sure of
the security implications, which could be a killer (for having
key authorization depend on this mechanism alone) so I'm sure
there's work to be done there.

But I'd very much like to just update Apache on my servers
and have that go get certs that work.

S.

[1] https://down.dsg.cs.tcd.ie/yesicanrichard.txt
[2] https://github.com/letsencrypt/acme-spec/blob/master/draft-barnes-acme.md