On Wed, Dec 2, 2015 at 11:52 AM, Salz, Rich <[email protected]> wrote:
> > Otherwise there's no difference between 443 and any other privileged
> > port.
>
> What's a privileged port? :) Clearly it's a local construct, at best.

That is especially so in the new era of .NET Core and Raspberry Pi Zero. One of the most powerful ways to run .NET Core is on bare metal on a constrained device like a RaPi. I have a few RaPis in the house that are dedicated to one purpose.

If you are developing code for an embedded device there is no separation between the 'root' and 'user' levels whatsoever. The closest you are likely to come is that you may have a co-processor that will allow you to install a public key pair in a secure partition so you can write to the private key store and do private key operations but not a private key read operation.

These devices don't have an operating system. They just have the application code running on a core library that is essentially just a BIOS and some commonly used subroutines. Oh, and lots of these run web sites and you can put ASP on them. So they behave like hosting services.

Assigning a well-known port for ACME validation is a non-starter because there is no way that you are going to get all the half dozen suppliers of sub-$30 computers to all implement code to restrict the port.

What could work would be to assign a well-known port for ACME and allow it to be used PROVIDED THAT there is an indication in the DNS. This could be an SRV record but I would prefer it to leverage CAA because this would be an attribute designed to support certificate issue and CAA is therefore the record to use. So we might have a record of the form:

    example.com CAA 0 acmedv1 "port=666"

I prefer that over SRV because of separation of concerns. There might be really good reasons to allow general access to the SRV record while CAA is obviously a record that should be restricted because it is concerned with cert issue. Trying to use SRV would mean giving new semantics to an existing record.
If we are going to use CAA however, why not just put a key/fingerprint into a CAA record that specifies a key that can be used to validate requests?
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
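The CAA-based port indication proposed in the message above, worked through as an added Python example (not code from the thread or from any ACME implementation): it parses a CAA RRset in presentation format and returns the port an ACME validator may connect to, honouring a non-default port only when an acmedv1 record supplies one and refusing the RRset if a critical record carries a tag it does not understand. The acmedv1 tag and the port= parameter come from the e-mail; the parameter syntax (space-separated key=value pairs, as in CAA issue records) and the sample RRset are assumptions.

```python
import re

# Constructed sample CAA RRset for example.com in presentation format.
# "acmedv1" is the hypothetical tag from the e-mail, not a registered CAA tag.
SAMPLE_CAA = [
    '0 issue "letsencrypt.org"',
    '0 acmedv1 "port=666"',
]

DEFAULT_PORT = 443                   # where validation goes absent any DNS indication
CRITICAL_FLAG = 0x80                 # CAA "issuer critical" flag bit (RFC 8659)
_RR_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"(.*)"\s*$')
_PARAM_RE = re.compile(r'^([A-Za-z0-9_-]+)=(\S*)$')   # assumed key=value syntax


def parse_caa(rr):
    """Split one CAA record in presentation form into (flags, tag, value)."""
    m = _RR_RE.match(rr)
    if not m:
        raise ValueError(f"malformed CAA record: {rr!r}")
    flags = int(m.group(1))
    if not 0 <= flags <= 255:
        raise ValueError(f"CAA flags out of range: {flags}")
    return flags, m.group(2).lower(), m.group(3)


def acme_validation_port(caa_rrset, default=DEFAULT_PORT):
    """Return the port an ACME validator may use for the name owning this RRset.

    A non-default port is accepted only when an acmedv1 record states it, so a
    process on the host cannot pick the port by itself. A critical record whose
    tag we do not understand makes the RRset unusable, as the CAA flag requires.
    """
    port = default
    for rr in caa_rrset:
        flags, tag, value = parse_caa(rr)
        if tag == "acmedv1":
            for param in value.split():
                m = _PARAM_RE.match(param)
                if not m:
                    raise ValueError(f"malformed acmedv1 parameter: {param!r}")
                key, val = m.group(1).lower(), m.group(2)
                if key == "port":
                    if not val.isdigit() or not 1 <= int(val) <= 65535:
                        raise ValueError(f"invalid port in CAA record: {val!r}")
                    port = int(val)
        elif flags & CRITICAL_FLAG:
            raise ValueError(f"unsupported critical CAA tag {tag!r}; do not issue")
    return port
```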
