On Wed, Apr 22, 2015 at 06:10:13PM -0400, Richard Barnes wrote:
> On Tue, Apr 21, 2015 at 10:53 PM, Bruce Gaya <[email protected]> wrote:
> > I agree that client access to ports below 1024 usually requires more
> > privileges and that’s generally safer than allowing any client port.
> >
>
> So would you be OK with the spec saying that the server MUST reject
> client-specified ports that are greater than 1023?
>

I'd support adding a mechanism to ACME to run one of the available challenge types on a non-443 but privileged port, if the client needs it for practical reasons (whether Let's Encrypt should use that mechanism is a different question, of course).

It seems to be a bad idea to leave the choice of privileged port up to the client, or even up to the client but constrained by a short blacklist (Martin Thompson's suggestion). The problem is that there is an enormous diversity of software deployed on privileged ports, and it's very hard to tell when some of that software might be trickable by remote attackers into responding in a way that causes a Challenge to succeed.

So the CA should have a policy of only allowing validation on perhaps 0-2 of the other ports below 1023, with that choice backed by fairly thorough research, and then the question will be how the client knows the CA's policy, and which port it should try to ask for. Perhaps those policies can be stored out of band, or perhaps we can add a separate REST API endpoint where clients ask what ports the server considers acceptable for DV Challenges.

-- 
Peter Eckersley                            [email protected]
Technology Projects Director      Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
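The policy sketched in this thread (reject any client-requested port above 1023, accept only a short CA-researched allowlist, and let clients discover that allowlist rather than guess) as an added Python illustration; this is not ACME spec text or any CA's code, and the allowlist contents, the JSON shape and the endpoint name are hypothetical.

```python
"""Server-side validation-port policy and client-side port selection.

Added illustration (not ACME spec text or any CA's code). The port list,
the JSON shape and the discovery endpoint are hypothetical.
"""
import json

# Hypothetical CA policy: 443 plus a very short, researched allowlist of
# other privileged ports. Everything else is refused before validation.
DEFAULT_ALLOWED_PORTS = frozenset({443, 80})


class ChallengePortPolicy:
    def __init__(self, allowed_ports=DEFAULT_ALLOWED_PORTS):
        # Fail closed: a CA policy must never admit an unprivileged port,
        # so a misconfigured allowlist is rejected at construction time.
        bad = sorted(p for p in allowed_ports if not 1 <= p <= 1023)
        if bad:
            raise ValueError(f"unprivileged ports in allowlist: {bad}")
        self.allowed_ports = frozenset(allowed_ports)

    def check(self, requested_port):
        """Return (ok, reason). Rejects > 1023 first (the MUST discussed
        in the thread), then anything outside the CA's allowlist."""
        if not isinstance(requested_port, int) or isinstance(requested_port, bool):
            return False, "port must be an integer"
        if requested_port < 1 or requested_port > 1023:
            return False, "port must be a privileged port (1-1023)"
        if requested_port not in self.allowed_ports:
            return False, "port not accepted by this CA's validation policy"
        return True, "ok"

    def directory_entry(self):
        """Body of a hypothetical discovery endpoint: the ports this CA
        will validate on, so the client does not have to guess."""
        return json.dumps({"validation-ports": sorted(self.allowed_ports)})


def choose_port(policy_json, ports_client_can_bind):
    """Client side: first CA-accepted port the client can actually bind,
    or None if there is no overlap (the operator must then intervene)."""
    accepted = json.loads(policy_json)["validation-ports"]
    for port in accepted:
        if port in ports_client_can_bind:
            return port
    return None
```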
