Re: [Acme] Proposed changes to TLS-SNI, autorenewal removal
Andrew Ayer <agwa@andrewayer.name> Fri, 22 January 2016 18:27 UTC
Date: Fri, 22 Jan 2016 10:27:25 -0800
From: Andrew Ayer <agwa@andrewayer.name>
To: Hugo Landau <hlandau@devever.net>
Message-Id: <20160122102725.5f4c2d02825dccf312513a9a@andrewayer.name>
In-Reply-To: <20160122161306.GA19607@andover>
References: <20160122161306.GA19607@andover>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/xy6DYIXHg2JZh29Wa9c6xRIUD2U>
Cc: acme@ietf.org
On Fri, 22 Jan 2016 16:13:07 +0000
Hugo Landau <hlandau@devever.net> wrote:

> Firstly, I've drafted a specification for tls-sni-02
> which resolves Jehiah's concerns.
> <https://github.com/ietf-wg-acme/acme/pull/71>

I agree with jehiah's comment on GitHub that for consistency with the
http-01 challenge, SAN A (the token) should be used for the SNI request,
and SAN B (the keyAuthorization) should be the SAN which the ACME server
looks for.

Also, it's not necessary for the ACME server to verify that the returned
certificate contains SAN A (the token). Seeing the keyAuthorization in a
SAN is sufficient.

I think these changes should be made because paring the challenges down
to their essentials and making them as similar as possible makes them
much easier to reason about. For both http-01 and tls-sni-02, the basic
procedure would be:

1. Request a resource (file or certificate) at the domain using the
   token to identify the resource.

2. Verify that the returned resource contains the keyAuthorization.

-- 
Andrew
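The two-step shape Andrew describes (locate the resource by token, then
check that it carries the keyAuthorization) can be written once and
applied to both challenges. The following is an added example, not code
from the ACME drafts, from Boulder, or from anyone in this thread. It
assumes the tls-sni-02 name derivation as recalled from the draft
(SHA-256 of the value as hex, split into two 32-character labels under
token.acme.invalid for SAN A and ka.acme.invalid for SAN B); the message
does not spell that out. The token, thumbprint, HTTP file store and
certificate SAN lists are constructed sample data standing in for the
network, and the validator implements the proposal in the message: the
SNI request uses SAN A, and only SAN B is required in the returned
certificate.

```python
"""Uniform 'locate by token, verify by keyAuthorization' model of the
http-01 and tls-sni-02 validations.  Added example; not code from the ACME
drafts or from the message above.  The tls-sni-02 name derivation below is
ASSUMED from the draft as recalled, and the fetch functions are stand-ins
fed constructed data instead of a real HTTP or TLS connection."""
import hashlib
from typing import Callable, Sequence

# Constructed sample challenge: a token and an account-key thumbprint that
# together form the keyAuthorization (token "." thumbprint).
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"        # constructed
THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"   # constructed
KEY_AUTHZ = f"{TOKEN}.{THUMBPRINT}"


def http01_locator(token: str) -> str:
    """Step 1 for http-01: the resource is identified by the token alone."""
    return f"/.well-known/acme-challenge/{token}"


def http01_contains(body: str, key_authz: str) -> bool:
    """Step 2 for http-01: the body must be the keyAuthorization.
    Tolerating trailing whitespace is an assumption about leniency."""
    return body.rstrip() == key_authz


def sni_name(value: str, suffix: str) -> str:
    """ASSUMED tls-sni-02 derivation: SHA-256 hex of the value, split into
    two 32-character DNS labels under the given .acme.invalid suffix."""
    z = hashlib.sha256(value.encode("ascii")).hexdigest()
    return f"{z[:32]}.{z[32:]}.{suffix}"


def tlssni02_locator(token: str) -> str:
    """Step 1 for tls-sni-02: the SNI sent is SAN A, derived from the token."""
    return sni_name(token, "token.acme.invalid")


def tlssni02_contains(cert_sans: Sequence[str], key_authz: str) -> bool:
    """Step 2 for tls-sni-02 as proposed in the message: only SAN B, derived
    from the keyAuthorization, must be present; SAN A is not re-checked."""
    wanted = sni_name(key_authz, "ka.acme.invalid")
    return wanted in [s.lower() for s in cert_sans]


def validate(fetch: Callable[[str], object],
             locator: Callable[[str], str],
             contains: Callable[[object, str], bool],
             token: str, key_authz: str) -> bool:
    """The two-step procedure common to both challenges."""
    resource = fetch(locator(token))
    return contains(resource, key_authz)


# Constructed stand-ins for the network: an HTTP server's files, and TLS
# servers' certificate SAN lists keyed by the SNI name they answer to.
HTTP_FILES = {http01_locator(TOKEN): KEY_AUTHZ + "\n"}
SAN_A = tlssni02_locator(TOKEN)
SAN_B = sni_name(KEY_AUTHZ, "ka.acme.invalid")
HONEST_CERTS = {SAN_A: [SAN_A, SAN_B]}
# A server that can answer the SNI for SAN A (the name is visible in the
# ClientHello) but lacks the thumbprint needed to derive SAN B.
IMPOSTOR_CERTS = {SAN_A: [SAN_A, "example.com"]}


def fetch_http(path: str) -> str:
    return HTTP_FILES.get(path, "")


def fetch_tls(certs: dict) -> Callable[[str], list]:
    return lambda sni: certs.get(sni, [])


def demo() -> dict:
    """Run the validator over the constructed cases and return the verdicts."""
    return {
        "http01": validate(fetch_http, http01_locator, http01_contains,
                           TOKEN, KEY_AUTHZ),
        "tlssni02": validate(fetch_tls(HONEST_CERTS), tlssni02_locator,
                             tlssni02_contains, TOKEN, KEY_AUTHZ),
        "tlssni02_impostor": validate(fetch_tls(IMPOSTOR_CERTS),
                                      tlssni02_locator, tlssni02_contains,
                                      TOKEN, KEY_AUTHZ),
        "http01_token_only": http01_contains(TOKEN + "\n", KEY_AUTHZ),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'valid' if ok else 'invalid'}")
```

The impostor case is the point of checking SAN B rather than SAN A: a
server that merely answers the token-derived SNI name proves nothing,
while SAN B can only be produced by a party holding the account key
thumbprint that went into the keyAuthorization.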