Re: [Acme] Issue: Allow ports other than 443

2015-11-26 Thread Stephen Farrell
On 26/11/15 08:36, Eliot Lear wrote:
> Yes. The real issue here is that the cert contains the hostname and not
> the port.

So one could define a new always-critical certificate extension saying that the cert is only for use with some set of ports. (Or maybe someone's already defined it, I

Re: [Acme] Issue: Allow ports other than 443

2015-11-26 Thread Yoav Nir
> On 26 Nov 2015, at 1:00 PM, Stephen Farrell wrote:
>
> On 26/11/15 08:36, Eliot Lear wrote:
>> Yes. The real issue here is that the cert contains the hostname and not
>> the port.
>
> So one could define a new always-critical certificate extension
> saying

Re: [Acme] Issue: Allow ports other than 443

2015-11-26 Thread Stephen Farrell
On 26/11/15 11:27, Yoav Nir wrote:
>
>> On 26 Nov 2015, at 1:00 PM, Stephen Farrell wrote:
>>
>> On 26/11/15 08:36, Eliot Lear wrote:
>>> Yes. The real issue here is that the cert contains the hostname
>>> and not the port.
>>
>> So one could define a

Re: [Acme] Issue: Allow ports other than 443

2015-11-25 Thread Peter Eckersley
The argument for a scan is not that it will be comprehensive. There's a huge amount of software out there that has started using various ports in standard and non-standard ways; the more software happens to use a given port, the more risk of remote attacks on ACME DV via quirks or bugs in that

Re: [Acme] Issue: Allow ports other than 443

2015-11-25 Thread Phillip Hallam-Baker
I am getting really nervous about allowing any port other than 443. I just did a scan of a very recent clean install of Windows and there are a *TON* of Web servers running for apps that didn't mention they had one. The thing is that if I am running a process on any sort of shared host, I can

Re: [Acme] Issue: Allow ports other than 443

2015-11-25 Thread Niklas Keller
It's an issue with shared hosting where users have shell access but no root access.

2015-11-24 17:49 GMT+01:00 Eliot Lear:
> Yes, thanks, Yoav. Apologies to Randy and Kathleen for my terseness.
>
> Eliot
>
> On 11/24/15 5:46 PM, Yoav Nir wrote:
>> I think Eliot meant RFC

Re: [Acme] Issue: Allow ports other than 443

2015-11-24 Thread Yoav Nir
I think Eliot meant RFC 5785 /.well-known/ locations, rather than well-known ports.

Yoav

> On 24 Nov 2015, at 6:37 PM, Kathleen Moriarty wrote:
>
> I agree with Eliot, I don't think a scan is needed to make a decision
> here. Having managed several

Re: [Acme] Issue: Allow ports other than 443

2015-11-24 Thread Eliot Lear
Yes, thanks, Yoav. Apologies to Randy and Kathleen for my terseness.

Eliot

On 11/24/15 5:46 PM, Yoav Nir wrote:
> I think Eliot meant RFC 5785 /.well-known/ locations, rather than well known
> ports
>
> Yoav
>
>> On 24 Nov 2015, at 6:37 PM, Kathleen Moriarty

Re: [Acme] Issue: Allow ports other than 443

2015-11-24 Thread Hugo Landau
On Mon, Nov 23, 2015 at 09:52:07AM -0800, Martin Thomson wrote:
> Could we ask IANA for a reserved system port (<1024)? Then it would
> be possible for an ACME client to operate without disturbing running
> services.

I wrote this on the GitHub issue, but should have posted it here: It seems

Re: [Acme] Issue: Allow ports other than 443

2015-11-24 Thread Randy Bush
> Isn't this precisely what .well-known was meant to address?

fun small research project. what percentage of well-known ports can you connect to from the outside to a machine inside cisco? hell, to what percentage of well-known ports outside cisco can you reach from inside? well-known does not

Re: [Acme] Issue: Allow ports other than 443

2015-11-23 Thread Douglas Calvert
On Mon, Nov 23, 2015 at 12:52 PM, Martin Thomson wrote:
> The problem is that the ACME server needs some sort of assurance
> that the client controls the server. Showing control over the server
> on port 443 is probably the best signal possible.
>
> Showing control

Re: [Acme] Issue: Allow ports other than 443

2015-11-23 Thread Martin Thomson
On 23 November 2015 at 10:09, Douglas Calvert wrote:
> How does showing control over port 443 convey more information than showing
> control over port 22, 80, 487, 1023?

Basic information theory: p(control over 443) < p(control over any port under 1024) <

Re: [Acme] Issue: Allow ports other than 443

2015-11-23 Thread Randy Bush
which is easier, going through kink on 443 or getting the IT security team to punch a hole for ?

randy

___
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme

Re: [Acme] Issue: Allow ports other than 443

2015-11-23 Thread Peter Eckersley
+1 on both Rich's request and the IANA suggestion. I think something that would help for this purpose would be an Internet-wide zmap scan of some plausible ports, to ensure there isn't anything in widespread use on them that could be a relevant attack surface for the challenge protocols. Anyone

Re: [Acme] Issue: Allow ports other than 443

2015-11-23 Thread Randy Bush
>> which is easier, going through kink on 443 or getting the IT security
>> team to punch a hole for ?
> Would it help if you could choose the option that sucked least for
> your particular situation? That was what I was thinking.

yes, it would help
i admit to thinking of it as turning off a

Re: [Acme] Issue: Allow ports other than 443

2015-11-23 Thread Russ Housley
Allowing the Web server to continue running on 443 while validation takes place on another port seems like a straightforward resolution to the issue that is raised.

Russ

On Nov 21, 2015, at 1:03 PM, Salz, Rich wrote:
> Please see here for the background: