Hi Jacob,
To your first point, I was talking specifically of REST endpoints, not
of people accessing web servers from a browser. For such configurations
I think you will agree that HTTPS-only is a valid setup.
Thanks,
Yaron
On 26/06/17 14:59, Jacob Hoffman-Andrews wrote:
On 05/30/2017 08:32 AM, Yaron Sheffer wrote:
- The server only supports HTTPS, and perhaps port 80 is blocked by a
firewall. This situation applies to many REST endpoints.
This is in general a bad configuration. Leaving port 80 open for the
purposes of redirects is safe, and provides a better first-time users
experience (repeat users may take advantage of an HSTS header, which I
would assume to be present in such a config). And keep in mind that
validation in ACME follows redirects.
- I am migrating from a non-ACME to an ACME cert, and so the server
has a perfectly valid HTTPS cert. Or migrating from one ACME CA to a
different one.
This doesn't make it harder to server HTTP on port 80.
- I would like to ensure (using CAA records) that my CA is not
subject to a DNS cache corruption attack - a threat that the ACME
Security Considerations specifically mention.
I think this is the most compelling reason to offer HTTPS
authorization. In particular, I think it may make sense as a special
requirement for "high risk" validations. That is, for certain
validations, the ACME server may choose to require validation over
HTTPS using a certificate that validates to a certain set of roots.
However, requiring validation over HTTPS using a valid certificate
would be too onerous for general-purpose certificates, because it
would mean that server operators who lose their account key and all
certificate private keys could not recover and issue a certificate
without manual intervention.
I think HTTPS-with-valid-certificate is an interesting topic for
future implementation, but is complex enough that we shouldn't try to
squeeze it into the current document.
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme