Hi Jacob,

To your first point, I was talking specifically of REST endpoints, not of people accessing web servers from a browser. For such configurations I think you will agree that HTTPS-only is a valid setup.


Thanks,

    Yaron


On 26/06/17 14:59, Jacob Hoffman-Andrews wrote:
On 05/30/2017 08:32 AM, Yaron Sheffer wrote:
- The server only supports HTTPS, and perhaps port 80 is blocked by a firewall. This situation applies to many REST endpoints.
This is in general a bad configuration. Leaving port 80 open for the purposes of redirects is safe, and provides a better first-time user experience (repeat users may take advantage of an HSTS header, which I would assume to be present in such a config). And keep in mind that validation in ACME follows redirects.

- I am migrating from a non-ACME to an ACME cert, and so the server has a perfectly valid HTTPS cert. Or migrating from one ACME CA to a different one.
This doesn't make it harder to serve HTTP on port 80.
- I would like to ensure (using CAA records) that my CA is not subject to a DNS cache corruption attack - a threat that the ACME Security Considerations specifically mention.
I think this is the most compelling reason to offer HTTPS authorization. In particular, I think it may make sense as a special requirement for "high risk" validations. That is, for certain validations, the ACME server may choose to require validation over HTTPS using a certificate that validates to a certain set of roots.

However, requiring validation over HTTPS using a valid certificate would be too onerous for general-purpose certificates, because it would mean that server operators who lose their account key and all certificate private keys could not recover and issue a certificate without manual intervention.

I think HTTPS-with-valid-certificate is an interesting topic for future implementation, but is complex enough that we shouldn't try to squeeze it into the current document.

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
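The port-80 setup the thread argues over, as an added example (not code from the thread, from either poster, or from any ACME implementation): a plain-HTTP listener that answers http-01 challenges under /.well-known/acme-challenge/ and redirects everything else to HTTPS, an HTTPS listener that carries the HSTS header, and a toy validator that starts on port 80 and follows redirects the way the thread says ACME validation does. It also shows the HTTPS-only case from Yaron's first bullet failing because nothing answers on port 80. The token, key authorization, hostname and the redirect cap are constructed placeholders.

```python
"""Added example: a port-80 listener that answers ACME http-01 challenges and
redirects everything else to HTTPS, plus a toy validator that follows redirects.
Token, key authorization, hostname and the redirect cap are constructed
placeholders, not values from the mailing-list thread."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
MAX_REDIRECTS = 10  # assumed cap; real validators bound the chain length

# Constructed challenge table: token -> key authorization (placeholder values)
CHALLENGES = {"tokenABC": "tokenABC.account-thumbprint-placeholder"}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def challenge_response(path):
    """Serve the key authorization for a known token, else 404."""
    token = path[len(CHALLENGE_PREFIX):]
    if token in CHALLENGES:
        return Response(200, {"Content-Type": "application/octet-stream"}, CHALLENGES[token])
    return Response(404)


def handle_port80(host, path, redirect_challenges=False):
    """Plain-HTTP listener. Challenge paths are answered here unless the
    operator chose to redirect them too; all other paths get a 301 to HTTPS.
    No HSTS header is sent: RFC 6797 tells clients to ignore HSTS received
    over plain HTTP, so it only belongs on the HTTPS side."""
    if path.startswith(CHALLENGE_PREFIX) and not redirect_challenges:
        return challenge_response(path)
    return Response(301, {"Location": f"https://{host}{path}"})


def handle_port443(host, path):
    """HTTPS listener: HSTS on every response, and challenges served here as
    well so a redirected validation request still finds the key authorization."""
    hsts = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    if path.startswith(CHALLENGE_PREFIX):
        resp = challenge_response(path)
        resp.headers.update(hsts)
        return resp
    return Response(200, hsts, "application content")


def fetch(url, port80_open=True, redirect_challenges=False):
    """In-memory stand-in for a network fetch against the two listeners."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        if not port80_open:
            raise ConnectionRefusedError("port 80 closed or firewalled")
        return handle_port80(parts.hostname, parts.path, redirect_challenges)
    if parts.scheme == "https":
        return handle_port443(parts.hostname, parts.path)
    raise ValueError(f"unsupported scheme in {url}")


def validate_http01(host, token, expected, port80_open=True, redirect_challenges=False):
    """Toy http-01 validator: starts on plain HTTP, follows a bounded number of
    redirects, and accepts only a 200 whose body is the expected key authorization.
    Returns (ok, detail) where detail is the final URL or the failure reason."""
    url = f"http://{host}{CHALLENGE_PREFIX}{token}"
    hops = 0
    while True:
        try:
            resp = fetch(url, port80_open, redirect_challenges)
        except ConnectionRefusedError as exc:
            return False, str(exc)
        if resp.status in (301, 302, 307, 308):
            hops += 1
            if hops > MAX_REDIRECTS:
                return False, "too many redirects"
            url = resp.headers["Location"]
            continue
        if resp.status == 200 and resp.body.strip() == expected:
            return True, url
        return False, f"unexpected status {resp.status} at {url}"


if __name__ == "__main__":
    tok, ka = "tokenABC", CHALLENGES["tokenABC"]
    print(validate_http01("example.test", tok, ka))                            # answered on port 80
    print(validate_http01("example.test", tok, ka, redirect_challenges=True))  # followed to HTTPS
    print(validate_http01("example.test", tok, ka, port80_open=False))         # HTTPS-only host fails
```

The third call is the configuration from Yaron's first bullet: with port 80 closed the validator never reaches a redirect, so an http-01 challenge cannot succeed however valid the existing HTTPS certificate is. The second call shows why redirecting the challenge path is harmless only if the HTTPS listener also serves it.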
