IETF Logo Mail Archive

Re: [Acme] On multiple CAs and contact-based recovery

Ron <ron@debian.org> Fri, 25 March 2016 03:18 UTC

Return-Path: <ron@debian.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0033812D0F8 for <acme@ietfa.amsl.com>; Thu, 24 Mar 2016 20:18:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.62
X-Spam-Level:
X-Spam-Status: No, score=-2.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vZpzYzlNuKpo for <acme@ietfa.amsl.com>; Thu, 24 Mar 2016 20:18:44 -0700 (PDT)
Received: from ipmail06.adl6.internode.on.net (ipmail06.adl6.internode.on.net [150.101.137.145]) by ietfa.amsl.com (Postfix) with ESMTP id 6F09112D0B3 for <acme@ietf.org>; Thu, 24 Mar 2016 20:18:44 -0700 (PDT)
Received: from ppp14-2-14-167.lns21.adl2.internode.on.net (HELO mailservice.shelbyville.oz) ([14.2.14.167]) by ipmail06.adl6.internode.on.net with ESMTP; 25 Mar 2016 13:48:43 +1030
Received: from localhost (localhost [127.0.0.1]) by mailservice.shelbyville.oz (Postfix) with ESMTP id 64E7DFFD85; Fri, 25 Mar 2016 13:48:43 +1030 (ACDT)
X-Virus-Scanned: Debian amavisd-new at mailservice.shelbyville.oz
Received: from mailservice.shelbyville.oz ([127.0.0.1]) by localhost (mailservice.shelbyville.oz [127.0.0.1]) (amavisd-new, port 10024) with LMTP id BXzHt5WxP8N3; Fri, 25 Mar 2016 13:48:42 +1030 (ACDT)
Received: from hex.shelbyville.oz (hex.shelbyville.oz [192.168.1.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mailservice.shelbyville.oz (Postfix) with ESMTPS id ADF91FF81E; Fri, 25 Mar 2016 13:48:42 +1030 (ACDT)
Received: by hex.shelbyville.oz (Postfix, from userid 1000) id 9C56A80470; Fri, 25 Mar 2016 13:48:42 +1030 (ACDT)
Date: Fri, 25 Mar 2016 13:48:42 +1030
From: Ron <ron@debian.org>
To: Richard Barnes <rlb@ipv.sx>
Message-ID: <20160325031842.GL15641@hex.shelbyville.oz>
References: <B594A7FA-1F8B-489C-8A7D-328BCD60C79A@inria.fr> <CABkgnnVL2z1vR_ii_+0C0jwU9DVW8NWe5FsAbC3P_-o1V2sjEQ@mail.gmail.com> <20160324094240.GJ15641@hex.shelbyville.oz> <CAL02cgTVLQMWWbBpMSeOrFte+bdmDuoQNCUk2akOquFLJ2xFhw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAL02cgTVLQMWWbBpMSeOrFte+bdmDuoQNCUk2akOquFLJ2xFhw@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/wJSPknH_OcrEALYeuVxbhzD0xRs>
Cc: Karthik Bhargavan <karthikeyan.bhargavan@inria.fr>, "acme@ietf.org" <acme@ietf.org>, Martin Thomson <martin.thomson@gmail.com>
Subject: Re: [Acme] On multiple CAs and contact-based recovery
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Mar 2016 03:18:46 -0000

On Thu, Mar 24, 2016 at 11:07:08AM -0400, Richard Barnes wrote:
> On Thu, Mar 24, 2016 at 5:42 AM, Ron <ron@debian.org> wrote:
> > On Thu, Mar 24, 2016 at 04:45:06PM +1100, Martin Thomson wrote:
> >
> > > Most operating systems understand how to invoke local software in
> > > response to that and your proposed flow behaves much the same from a
> > > user perspective.
> > >
> > > That isn't *as* good as your proposal, I don't think, but it might
> > > have some usability advantages.
> >
> > The main downside I see to this, is that if I need to fully automate
> > the acme client to perform certificate renewals every few weeks,
> > then it's unlikely to be running on the same machine where I read
> > email.
> >
> 
> I think it's safe to say that any system which is designed to support
> re-validation with any frequency cannot involve email.

Right, what I meant to indicate there was that the acme client with
the key for my CA account was unlikely to be "local software" to the
email client I read mail in.  So being able to click on something in
an email to launch an acme client is of limited use, even for the
case of emergency recovery.

[though 'cannot' might be a bit strong.  Email does have the advantage
of being already resilient to temporary network disruptions, which is
something alternative methods would need to reimplement. This probably
could work quite well with email, but I'm not suggesting we go there
except for emergency out of band recovery. ;]


> However, note that ACME supports renewal of certificates without
> re-validation.

That was one of the nits I pointed out earlier which it would be
nice to fix.  In the current text, the only way to find out if a
server supports that or not is to try it and see if it fails.

Which realistically means, the only 'reliable' thing to automate
without out of band knowledge about the server, is to do a full
new-certificate transaction.

It would be nice if the server did return some indication that it
was prepared to support renewal with a simple GET request that
didn't require access to the account key.  Being able to drop that
privilege for routine renewals does seem like a useful feature if
we want to keep the validity period short.


  Ron

v2.23.0 | Report a Bug | By Email