Re: [Acme] Warren Kumari's Discuss on draft-ietf-acme-ip-07: (with DISCUSS and COMMENT)
Warren Kumari <warren@kumari.net> Tue, 01 October 2019 21:45 UTC
From: Warren Kumari <warren@kumari.net>
Date: Tue, 01 Oct 2019 17:44:41 -0400
Message-ID: <CAHw9_i+c4TF8+jAUD1YzZ3eCNie1Xx6_h0UgrzmDc-UO5gqFvA@mail.gmail.com>
To: Jacob Hoffman-Andrews <jsha@eff.org>
Cc: Roland Shoemaker <roland@letsencrypt.org>, draft-ietf-acme-ip@ietf.org, Tim Chown <tim.chown@jisc.ac.uk>, acme@ietf.org, Daniel McCarney <cpu@letsencrypt.org>, Joel Jaeggli <joelja@bogus.com>, The IESG <iesg@ietf.org>, acme-chairs@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/uOhj2dnLrRwzU9wz6Fnx5gUn-y4>
On Tue, Oct 1, 2019 at 5:20 PM Jacob Hoffman-Andrews <jsha@eff.org> wrote:
>
> It's important to note that automated validation of IP addresses for
> certificates is already a part of the Web PKI, but is not standardized.
> This protocol will standardize it, which I believe will make overall
> validation of IP addresses more secure, within the threat model that
> Roland described.
>

ACME is sufficiently useful that I think it will cause the proliferation of IP certificates, which to me seems like a bad outcome -- but, as I realized above, this is my own personal view / bias, and so I will be removing the DISCUSS.

> We could attempt to ban automated validation of IP address certificates,
> or ban IP address certificates entirely, but that wanders into the realm
> of policy rather than standards, and would be better suited to browser
> root programs IMO.
>

Yeah - *to me* that seems like that would be a grand outcome...

> Overall, given the tradeoffs, I think it is better to have a
> standardized method of IP address validation than to have none.

True, but making something "dangerous" easier and faster to do doesn't necessarily seem like a win. Shooting myself in the foot used to require checking the bore, pouring in powder, stuffing in some wadding, shoving a ball down the muzzle, tamping everything down, removing the rod, clearing a vent hole, adding powder to a pan, and finally pointing it at my foot - now, with automation I can remove both feet in a hundredth of the time...

(Why, yes, I have just been watching a documentary on the Prussian / Danish war, what makes you ask?...)

W

--
I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
   ---maf