At IETF102 we had extremely strong consensus to merge this, to address the last
open AD review comment.
As Richard said, if you have concerns or objections, please speak up NOW.
/rich, co-chair
From: Richard Barnes <[email protected]>
Date: Tuesday, July 17, 2018 at 6:00 PM
To: "[email protected]" <[email protected]>
Cc: Rich Salz <[email protected]>, Eric Rescorla <[email protected]>,
"[email protected]" <[email protected]>, Russ Housley <[email protected]>
Subject: Re: [Acme] AD Review: draft-ietf-acme-acme-12
... and based on feedback at the meeting, I went ahead and merged this. I
understand that EKR will be issuing an IETF last call soon, so if you have
concerns about this change, please raise them there. Or on this thread, but in
any case, ASAP.
Thanks,
--Richard
On Tue, Jul 17, 2018 at 4:27 PM Richard Barnes <[email protected]> wrote:
I went ahead and posted a PR implementing EKR's suggestion:
https://github.com/ietf-wg-acme/acme/pull/429
On Wed, May 30, 2018 at 4:23 PM Daniel McCarney
<[email protected]> wrote:
We have multiple CAs that support it, and other implementations as well.
Of the multiple CAs that support ACME, which support something resembling the
current draft? When I looked last the non-Let's Encrypt ACME server
implementations all seemed to be targeting Certbot and the "ACMEv1" era of this
draft (e.g. are not using the order based issuance flow at all). There have
been substantial backwards compatibility breaking changes in the draft since
this time.
I second EKR's sentiment that there has been little true ACME inter-op testing
of the protocol as described in draft-12 outside of that done with Let's
Encrypt's ACMEv2 endpoint.
- Daniel / cpu
On Wed, May 30, 2018 at 3:56 PM, Salz, Rich
<[email protected]>
wrote:
* Well, we have a fair bit of experience of a lot of people talking to
Let's Encrypt. That's not really the same as a lot of servers and a lot of
clients.
We have multiple CAs that support it, and other implementations as well.
Certainly LE dominates, but it’s not the only usage. And certainly not the
only anticipated future usage.
* I would match the TLS ones: MUST ECDSA with P-256, SHOULD EdDSA with
X25519.
That would make the MTI limited to a subset of the WebPKI supported by the
latest browsers, which seems wrong. But let’s not bikeshed too much and see
what the WG consensus is.
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme