Re: [Acme] Server on >= 1024 port

2015-12-03 Thread Rob Stradling
On 03/12/15 00:48, Niklas Keller wrote: Let's Encrypt is still a future CA, not a current one. Nope, it's not a future CA, it's a current one. It already issues trusted certificates. https://crt.sh/?Identity=%25=7395 -- Rob Stradling Senior Research & Development Scientist COMODO -

Re: [Acme] Server on >= 1024 port

2015-12-03 Thread Ángel González
Ted Hardie wrote: > There was discussion about registering a port specifically for ACME > challenges, so that a running server on 80/443 did not have to be > changed during the challenge.  That would be a privileged port, and > we could define the semantics for the challenges there to be similar >

Re: [Acme] Server on >= 1024 port

2015-12-02 Thread Yoav Nir
> On 2 Dec 2015, at 11:52 AM, Paul Millar wrote: > > Hi all, > > I'm writing just to summarise this thread and check a consensus has been > reached. > > On 25/11/15 11:13, Paul Millar wrote: >> I was wondering whether people have considered services running on a >> port

Re: [Acme] Server on >= 1024 port

2015-12-02 Thread Phillip Hallam-Baker
On Wed, Dec 2, 2015 at 12:52 PM, Romain Fliedel wrote: > So we might have a record of the form: >> >> example.com CAA 0 acmedv1 "port=666" >> >> > If you have to modify the dns to use a custom port, why not use the dns > validation method ? (once it's available) >

Re: [Acme] Server on >= 1024 port

2015-12-02 Thread Phillip Hallam-Baker
On Wed, Dec 2, 2015 at 1:09 PM, Romain Fliedel wrote: > > > 2015-12-02 18:57 GMT+01:00 Phillip Hallam-Baker : > >> >> >> On Wed, Dec 2, 2015 at 12:52 PM, Romain Fliedel > > wrote: >> >>> So we might have a record of the

Re: [Acme] Server on >= 1024 port

2015-12-02 Thread Peter Eckersley
On Wed, Dec 02, 2015 at 08:51:54AM -0800, Ted Hardie wrote: > > There was discussion about registering a port specifically for ACME > challenges, so that a running server on 80/443 did not have to be changed > during the challenge. That would be a privileged port, and we could > define the

Re: [Acme] Server on >= 1024 port

2015-12-02 Thread Peter Eckersley
On Wed, Dec 02, 2015 at 12:01:04PM -0500, Phillip Hallam-Baker wrote: > > Again, I think you are missing the real problem here. Let us say we have a > new protocol to run over port 666 that is actually a Web service under the > covers. > > Hosting provider has a host that supports the following

Re: [Acme] Server on >= 1024 port

2015-12-02 Thread Phillip Hallam-Baker
On Wed, Dec 2, 2015 at 4:52 AM, Paul Millar wrote: > Hi all, > > I'm writing just to summarise this thread and check a consensus has been > reached. > > On 25/11/15 11:13, Paul Millar wrote: > >> I was wondering whether people have considered services running on a >> port

Re: [Acme] Server on >= 1024 port

2015-11-26 Thread Yoav Nir
> On 26 Nov 2015, at 11:49 AM, Paul Millar wrote: > > On 25/11/15 19:22, Roland Zink wrote: >> The resolution of a certificate is the domain name, e.g. it is valid for >> all services on the machine. If you get the certificate for a port then >> you may misuse it to

Re: [Acme] Server on >= 1024 port

2015-11-26 Thread Yoav Nir
> On 26 Nov 2015, at 1:16 PM, Randy Bush wrote: > >> The resolution of a certificate is the domain name, e.g. it is valid for >> all services on the machine. > >X509v3 extensions: >X509v3 Key Usage: critical >Digital Signature, Key

Re: [Acme] Server on >= 1024 port

2015-11-26 Thread Rob Stradling
On 26/11/15 11:20, Yoav Nir wrote: Another thing is that I don’t get why some CAs have the web *client* authentication EKU thrown in there. Because a sufficiently large number of customers asked for it. :-) AIUI the use case is server-to-server comms, where server A acts as a TLS client

Re: [Acme] Server on >= 1024 port

2015-11-26 Thread Stephen Farrell
On 26/11/15 11:32, Rob Stradling wrote: > On 26/11/15 11:20, Yoav Nir wrote: > >> Another thing is that I don’t get why some CAs have the web *client* >> authentication EKU thrown in there. > > Because a sufficiently large number of customers asked for it. :-) > > AIUI the use case is

Re: [Acme] Server on >= 1024 port

2015-11-25 Thread moparisthebest
Hello all, On 11/25/2015 05:13 AM, Paul Millar wrote: > I was wondering whether people have considered services running on > a port other than port 443; in particular, ports greater than > 1024. I'm also somewhat concerned about this, I've read statements like this when talking about port 443:

Re: [Acme] Server on >= 1024 port

2015-11-25 Thread Eric Rescorla
On Wed, Nov 25, 2015 at 9:14 AM, moparisthebest wrote: > Hello all, > > On 11/25/2015 05:13 AM, Paul Millar wrote: > > I was wondering whether people have considered services running on > > a port other than port 443; in particular, ports greater than > > 1024. > > I'm

Re: [Acme] Server on >= 1024 port

2015-11-25 Thread Martin Thomson
On 25 November 2015 at 02:13, Paul Millar wrote: > Therefore, there seems no reason to limit ACME to the traditionally secure > port number. I would be OK with having an ACME server validate against any port, but only if it were going to issue a certificate with a

Re: [Acme] Server on >= 1024 port

2015-11-25 Thread Roland Zink
On 25.11.2015 at 18:28, moparisthebest wrote: A domain validated certificate doesn't and never has said "This entire machine is controlled solely by the domains specified in this certificate", instead it says "This particular service/port on this server is authorized by this domain to provide

[Acme] Server on >= 1024 port

2015-11-25 Thread Paul Millar
Hi, [apologies if this question duplicates the earlier thread "Issue: Allow ports other than 443"] I was wondering whether people have considered services running on a port other than port 443; in particular, ports greater than 1024. One particular use-case is that some services run on a