HTTP challenge on port 25?

I think the big reason is there wasn't yet a need for it, and a lesser reason is the security aspect.

It is my understanding that Port 80 works for the CA/B forum, because it proves both (i) the domain owner wants 80/443 traffic routed to the server(s), and (ii) the domain owner is responding to port 80/443 as those ports require Admin/Root privileges on the major computing systems or have general protections already in place that are inherent to shared hosting situations.

This is what I am unsure of: Although all ports under 1024 are considered "well known" or "privileged", I have read that Windows does not (or did not at some point in the past) require admin privileges to bind to all those ports, and only a subset of well-known ports require admin privileges on both Unix-like and Windows systems.

If that is the case, my suggestion to use DNS records (CAA, TXT) to indicate allowed ports for ACME challenges would fully address those concerns.

I'm willing to collaborate on a draft spec and proof-of-concept. The question is if we can convince ISRG or another CA to back it and present to the CA/B forum.

Anyways, my general idea is:

  • define a DNS record to list allowable ports, e.g.:
    • TXT: _acme-service-http02-ports=25 80 115
    • CAA: example.com. CAA 0 http02-ports "80 25 115"
  • define a payload for the new challenge trigger that identifies a specific port to query, for example:
      {
        "protected": ...,
        "payload": base64url({
          "port": [
            "25"
          ]
        }),
        "signature": ...
      }


The combination of those two would allow a domain owner to use authoritative DNS records to enable the challenge on an alternate port (only needed on initial setup), and then identify the port on demand.

I still like the idea of a dedicated ACME service port, but I think this framework would handle all the use cases that @orangepizza and I are concerned with.

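The two halves of the proposal above, as an added illustration that is not part of the original post and not code from any CA or ACME client: a parser for the proposed TXT and CAA allowlist records, the base64url-encoded challenge payload naming one port, and the CA-side decision that only accepts a port the zone's record lists. The record name `_acme-service-http02-ports`, the CAA tag `http02-ports`, the payload shape and all sample records are taken from the post or constructed here; none of them exist in any RFC or ACME specification. One caveat a practitioner would want: RFC 8659 restricts CAA tags to ASCII letters and digits, so the hyphenated tag would need renaming in a real draft; the code parses the post's spelling as written.

```python
import base64
import json
import re

# Constructed sample records in the post's proposed syntax (not real DNS data).
SAMPLE_TXT = "_acme-service-http02-ports=25 80 115"
SAMPLE_CAA = 'example.com. CAA 0 http02-ports "80 25 115"'

# Hypothetical names from the post; not defined by any RFC or ACME spec.
TXT_PREFIX = "_acme-service-http02-ports="
CAA_TAG = "http02-ports"

_CAA_RE = re.compile(r'^\S+\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"\s*$')


def _parse_port_list(text):
    """Turn a whitespace-separated list into a set of valid TCP port ints."""
    ports = set()
    for token in text.split():
        if not token.isdigit():
            raise ValueError("non-numeric port token: %r" % token)
        port = int(token)
        if not 1 <= port <= 65535:
            raise ValueError("port out of range: %d" % port)
        ports.add(port)
    return ports


def allowed_ports_from_txt(record):
    """Parse the proposed TXT form: _acme-service-http02-ports=25 80 115."""
    if not record.startswith(TXT_PREFIX):
        raise ValueError("not an http02-ports TXT record")
    return _parse_port_list(record[len(TXT_PREFIX):])


def allowed_ports_from_caa(record):
    """Parse the proposed CAA form: example.com. CAA 0 http02-ports "80 25 115"."""
    m = _CAA_RE.match(record)
    if m is None or m.group(2) != CAA_TAG:
        raise ValueError("not an http02-ports CAA record")
    return _parse_port_list(m.group(3))


def b64url(data):
    """base64url without padding, as ACME/JWS use it (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_challenge_payload(port):
    """Client side: the JWS payload naming the single port the CA should probe."""
    body = json.dumps({"port": [str(port)]}, separators=(",", ":")).encode()
    return b64url(body)


def ca_select_port(payload_b64, allowed_ports):
    """CA side: decode the payload and accept the port only if the zone lists it."""
    body = json.loads(b64url_decode(payload_b64))
    ports = body.get("port")
    if not isinstance(ports, list) or len(ports) != 1 or not str(ports[0]).isdigit():
        raise ValueError("payload must name exactly one numeric port")
    port = int(ports[0])
    if port not in allowed_ports:
        raise PermissionError("port %d not allowed by DNS policy" % port)
    return port


def is_privileged_port(port):
    """Below 1024 needs root to bind on Unix-like systems; the property the post
    relies on for 80/443 and that the DNS allowlist is meant to replace."""
    return port < 1024


def validate_request(dns_record, payload_b64):
    """The allowlist is set once in DNS; the payload picks a port per request."""
    try:
        if dns_record.startswith(TXT_PREFIX):
            allowed = allowed_ports_from_txt(dns_record)
        else:
            allowed = allowed_ports_from_caa(dns_record)
        port = ca_select_port(payload_b64, allowed)
    except (ValueError, PermissionError) as exc:
        return {"ok": False, "port": None, "reason": str(exc)}
    return {"ok": True, "port": port, "reason": "listed in DNS policy"}


if __name__ == "__main__":
    for port in (25, 8080):
        print(port, validate_request(SAMPLE_CAA, build_challenge_payload(port)))
```

Running it as a script shows port 25 accepted (it is in the CAA list) and port 8080 refused: a client cannot talk the CA into probing a port the zone owner never published, which is the control the post proposes.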