On Mon, Nov 23, 2015 at 09:52:07AM -0800, Martin Thomson wrote:
> Could we ask IANA for a reserved system port (<1024)? Then it would
> be possible for an ACME client to operate without disturbing running
> services.
I wrote this on the GitHub issue, but should have posted it here:
It seems like there is a clear roadmap for doing this securely:
- Register a new port <1024 with IANA, exclusively for the purposes of
ACME challenges. The semantics of this port are that control of it is
deemed to constitute control of the system.
- Might want to require that TLS be used on this port; otherwise you
have the possibility that either HTTP or TLS (either for HTTP or
DVSNI) is running on the port. These sorts of ambiguities should be
avoided. It also allows this "hostmaster" port to be extended for
other purposes at a later time via ALPN.
- Allow either port 443 or that port to be used.
- Arguably, one should not even allow the use of port 443 if this port
is open. Note that use of 443 has already proven a problem once with
the vulnerabilities in the DVSNI challenge mechanism w.r.t. common
hosting configurations.
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme