Re: [Acme] Server on >= 1024 port

Ted Hardie <ted.ietf@gmail.com> Wed, 02 December 2015 17:57 UTC

From: Ted Hardie <ted.ietf@gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: Richard Barnes <rlb@ipv.sx>, Paul Millar <paul.millar@desy.de>, "acme@ietf.org" <acme@ietf.org>, Niklas Keller <me@kelunik.com>, Yoav Nir <ynir.ietf@gmail.com>
Date: Wed, 02 Dec 2015 09:57:02 -0800
Subject: Re: [Acme] Server on >= 1024 port
Message-ID: <CA+9kkMC8uBFufm74fontoCmS2uUq3FgbVpbQWBm92Y=Cq=qNcQ@mail.gmail.com>
In-Reply-To: <23dcf9f85a6a400ca76196e096d22da6@usma1ex-dag1mb1.msg.corp.akamai.com>
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/zxmlgF3BQLrIXFlpACbZOybLWpk>

On Wed, Dec 2, 2015 at 8:52 AM, Salz, Rich <rsalz@akamai.com> wrote:

> > Otherwise there's no difference between 443 and any other privileged
> > port.
>
> What's a privileged port? :)  Clearly it's a local construct, at best.
>

Under the name "system port" or "well-known port", it's been defined in
IANA-related RFCs for a long time; the current one is RFC 6335/BCP 165.

The baseline expectation is that both a local system administrator and
remote parties know what service is running on a specific well-known port
because the port number is conventionally bound to that service.
If you are the administrator, you can, of course, ignore the
convention.

Speaking personally, I think the bar we're aiming for is that any challenge
should demonstrate effective control of the system currently bound to the
DNS name at issue or effective control of the DNS.  Dynamic ports clearly
don't do that, and not all system ports do either (the experimental ports
clearly wouldn't).  To get agreement that a specific challenge does do
that, we kind of have to have it written down and poked at; trying to reason
about the set in the abstract doesn't appear to me to be worth it.

No hats,

Ted
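Added example, not part of Ted's message or of anything posted on the ACME list: the exchange above turns on two different notions of a "privileged" port. RFC 6335 fixes the IANA ranges (system 0-1023, user 1024-49151, dynamic 49152-65535) for everyone; whether a process on a given host needs privilege to bind a port is a host-local policy. The script below puts the two side by side. It assumes the Linux sysctl `net.ipv4.ip_unprivileged_port_start` (exposed under /proc) where present, and the classic 1024 threshold elsewhere; the `describe()` helper and the port list in `__main__` are this example's own choices.

```python
# Added example (not from the ACME list or RFC 6335 itself): contrast the
# IANA port ranges fixed by RFC 6335 with the host-local notion of a
# "privileged" port, which is an OS policy and can be reconfigured.
import socket
from typing import Optional

# RFC 6335, section 6: System Ports 0-1023, User Ports 1024-49151,
# Dynamic and/or Private Ports 49152-65535.
SYSTEM_PORT_MAX = 1023
USER_PORT_MAX = 49151
PORT_MAX = 65535

# Assumption: hosts without a sysctl for the threshold use the classic 1024.
CLASSIC_PRIVILEGED_THRESHOLD = 1024
LINUX_SYSCTL = "/proc/sys/net/ipv4/ip_unprivileged_port_start"


def iana_range(port: int) -> str:
    """Return the RFC 6335 range name for a TCP/UDP port number."""
    if not 0 <= port <= PORT_MAX:
        raise ValueError(f"port {port} out of range 0..{PORT_MAX}")
    if port <= SYSTEM_PORT_MAX:
        return "system"
    if port <= USER_PORT_MAX:
        return "user"
    return "dynamic"


def local_unprivileged_start() -> int:
    """Lowest port this host lets an unprivileged process bind.

    Linux publishes it as net.ipv4.ip_unprivileged_port_start (default
    1024; an administrator may lower it, even to 0).  Elsewhere we assume
    the classic 1024 threshold.
    """
    try:
        with open(LINUX_SYSCTL) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return CLASSIC_PRIVILEGED_THRESHOLD


def is_locally_privileged(port: int) -> bool:
    """True if binding this port needs privilege under the local policy."""
    return 0 <= port < local_unprivileged_start()


def can_bind(port: int) -> Optional[bool]:
    """Probe the local policy by trying to bind the port on loopback.

    True  -> bind succeeded (we hold the privilege, or the port is not
             privileged on this host)
    False -> EACCES/EPERM: the host treats the port as privileged for us
    None  -> some other error (address in use, sockets unavailable), which
             says nothing about privilege
    """
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    except OSError:
        return None
    with s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind(("127.0.0.1", port))
        except PermissionError:
            return False
        except OSError:
            return None
        return True


def describe(port: int) -> dict:
    """Side-by-side view of the IANA range and the local policy for one port."""
    return {
        "port": port,
        "iana_range": iana_range(port),
        "locally_privileged": is_locally_privileged(port),
        "bind_allowed_now": can_bind(port),
    }


if __name__ == "__main__":
    for p in (443, 1023, 1024, 8443, 50000):
        print(describe(p))
```

Run it once as an ordinary user and once as root (or after `sysctl -w net.ipv4.ip_unprivileged_port_start=0` on a Linux test box): the `iana_range` column never changes, while `locally_privileged` and `bind_allowed_now` do, which is the sense in which the privileged-port boundary is a local construct and the system-port range is not.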