On Wed, Dec 2, 2015 at 4:52 AM, Paul Millar <[email protected]> wrote:
> Hi all,
>
> I'm writing just to summarise this thread and check a consensus has been
> reached.
>
> On 25/11/15 11:13, Paul Millar wrote:
>
>> I was wondering whether people have considered services running on a
>> port other than port 443; in particular, ports greater than 1024.
>>
>
> The decision is not to support unprivileged ports (>= 1024) because of two
> factors:
>
> 1. ACME wishes to support deployments where untrusted
>    users have (non-root) access to the same machine that
>    provides a trusted service.
>
> 2. There is no supported mechanism for a CA to issue a
>    certificate that is bound to a specific port.
>
> Removing either of these points would allow (in principle) ACME to support
> issuing certificates to services running on unprivileged ports.
>
> Is that a fair summary?

No. The problem is that the validation process for the cert has nothing to do with the port the cert is going to be used on.

The purpose of the validation process is to determine if the request is authorized by the holder of the domain. It has nothing to do with what host or port the certificate is going to be used for.

There is a useful rhyme:

Want a cert for HTTP? Validate the request on port 443
Want a cert for SMTP? Validate the request on port 443
Want a cert for NTP? Validate the request on port 443
Want a cert for Any other TP? Validate the request on port 443

The DNS only provides a binding between the domain name and the IP address, and the IP address identifies a host that is typically shared between multiple services, and the OS can only be assumed to provide disambiguation between domain names on port 443.

The only way to fix this would be to require navigation through an SRV record, and even that might not be enough.

Also note that this is not an area where IETF consensus is sufficient. The IETF can publish an RFC describing a protocol that supports a particular validation process. But that does not mean that the browser providers are going to accept certs that are issued under that process.
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
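The reply's point, that a certificate issued for a dNSName is valid for every port on that host because the name carries no port, and that binding a certificate to a service would need an SRV-style identifier, can be seen in how a TLS client matches names. The following is an added illustration for this page, not code from the ACME specification or from anyone on the thread. The SAN entries are constructed; `dns_name_matches` follows the RFC 6125 dNSName rules (case-insensitive labels, wildcard only in the left-most label), `srv_id_matches` follows the RFC 4985 SRVName form, and `cert_valid_for` is a hypothetical helper whose `port` argument exists only to show that it is never consulted.

```python
"""Name matching as a TLS client does it: the port is not an input.

Added example, not from the ACME mailing list thread or any ACME
implementation. SAN values below are constructed for illustration.
"""

# Constructed: the subjectAltName dNSName entries of a hypothetical cert
# that a CA issued after validating control of example.com on port 443.
SAN_DNS_NAMES = ["example.com", "*.example.com"]

# Constructed: an SRV-ID (RFC 4985 SRVName, "_Service.Name") that would
# bind the certificate to one service. ACME, as discussed, has no way to
# validate or issue such a binding; shown only to contrast with dNSName.
SAN_SRV_IDS = ["_smtp.example.com"]


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def dns_name_matches(reference: str, presented: str) -> bool:
    """RFC 6125 style comparison of a presented dNSName against the
    reference identifier (the host the client meant to reach).

    A '*' is honoured only as the entire left-most label and only when the
    presented name has at least three labels, so '*.com' never matches.
    Note what is absent: there is no port parameter, because a dNSName
    cannot express one.
    """
    ref = _labels(reference)
    pres = _labels(presented)
    if len(ref) != len(pres) or len(ref) < 2:
        return False
    for i, (r, p) in enumerate(zip(ref, pres)):
        if p == "*" and i == 0 and len(pres) >= 3:
            continue
        if r != p:
            return False
    return True


def cert_valid_for(san_dns_names: list[str], host: str, port: int) -> bool:
    """What a client actually checks before trusting a server on host:port.

    `port` is accepted purely to make the thread's point visible in the
    signature: the decision depends on the name alone, so a cert validated
    via port 443 is equally acceptable to SMTP on 25, NTP on 123, or any
    service on an unprivileged port of the same host.
    """
    del port  # never consulted
    return any(dns_name_matches(host, name) for name in san_dns_names)


def srv_id_matches(presented_srv_ids: list[str], service: str, host: str) -> bool:
    """Match an SRV-ID of the form '_service.host' (RFC 4985 SRVName).

    This is the shape a service-bound identifier would have to take; it
    requires the CA to validate the service as well as the host, which is
    why the thread notes that even SRV navigation might not be enough.
    """
    want = f"_{service.lower()}.{host.rstrip('.').lower()}"
    return any(p.rstrip(".").lower() == want for p in presented_srv_ids)


if __name__ == "__main__":
    for port in (443, 25, 123, 8443):
        print(port, cert_valid_for(SAN_DNS_NAMES, "example.com", port))
    print("smtp", srv_id_matches(SAN_SRV_IDS, "smtp", "example.com"))
    print("http", srv_id_matches(SAN_SRV_IDS, "http", "example.com"))
```

Run as a script it prints `True` for every port against the same certificate, and `True`/`False` for the SRV-ID check depending on the service asked for; that asymmetry is the whole of the reply's argument.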
