Draft minutes attached. Thanks Thomas! Please send corrections to the list.
ACME at IETF 103
# ACME is meeting at IETF 103 in the last session, Thursday II. 16:10-18:10
Agenda is as follows:
## Administrivia, 10 minutes
Note well, jabber, minute-takers
dkg for Jabber,
Thomas Peterson for Minutes
## Brief updates, 10 minutes
ACME, CAA challenge, IP identifier challenge, ALPN challenge
Richard: I am still waiting for my co-worker to read an outstanding PR,
I will probably merge it later tonight
Chair: We will open another 2 week WGLC
Thomas Fossati: ... and we need a document shepherd
Action Item (AI): Chairs to post WGLC to list and ask for a shepherd
## STAR, 30 min
- Update as a result of the last-minute ACME changes, etc.
Was already in WGLC; seeking a doc shepherd
AI: Chairs to redo WGLC, seek shepherd, and then send to IESG
- STAR-delegation; now is an ACME profile, after feedback
Call for adoption
Richard: This is what is set to the IdO for DNS challenge?
Thomas Fossati: No, the DNS challenge is run just on the value.
Richard: What CNAME is provisioned as a result of this?
Yaron Sheffer: Points from CN0 to NDC
Richard: I'll take a look at the draft and provide feedback
Yaron: This could be used for long
Richard: This could be used for short term use case, but I don't see a
reason to join this with long-term
Chris: If someone finds a solution where they are using them for long term,
more power to them, we should encourage them.
Yoav: What if we don't find such a use case? Right now we don't have any use
cases
Dan Gilmore: If you are going to issue to STAR, how are you going to restrict
it? What cut line would you use? Expiration or other?
Yaron Sheffer: It could...
Tim Hollebeek: That makes things more complicated, as this confuses delegation
is for short term, but not for long term. It's more useful in short term.
Chair: Are you requesting this be adopted?
Yaron: That's on the next slide
Richard: If a CNAME has been delegated, the NDC that "owns" it can do the
HTTP challenge (maybe not the DNS challenge) just by having the record pointed
at it
Jon Peterson: How does base ACME work when resolving the challenge?
Richard: There are some CDNs today that do this
Richard: It appears the CNAME here is confusing, but the rest of the document
is sound. There is a scoping question if the CNAME connection is suitable.
Jon: If you only have an account with the NDC, but not the IdO then yeah, you
wouldn't be able to prove ownership.
Richard: ACME accounts are cheap. Except where CA is imposing
condition. You may, e.g. lock a domain to an account but I'm unsure if that's
being done.
Chris Wendt: Are you locking this to DNS type or open to other identifier types?
Yaron: Once this is a WG document, but I don't see a reason to lock it as
that's a WG decision.
Sanjay Mishra: The CNAME used here, the NDC is asking IdO with that?
Yaron: Yes.
AI: Chairs to issue call for adoption after the draft is updated
## Email TLS certs and EMAIL end-user certs, 15 minutes
Who will read? Ready for WGLC?
Paul Hoffman: I don't understand the proposed change
Alexey: At the moment service/port are single. If you wanted to issue multiple
ports (IMAP/IMAPS) it needs to be multiple requests.
Paul: I see no reason not to have multiple services.
Chair: One array or two?
Alexey: One array
Richard: I'm confused. This document is talking about authenticating
DNS, but what would go into a certificate is a Domain.
Alexey: In theory you could issue SRV based IDs. In the most common use cases
that won't be used.
Richard: I think this should be updated to cover SRV.
DKG: I want to agree with Richard. If it's just on name, this is too complex.
Several steps need including
Alexey: For DNS there will be slightly specific service name.
DKG: If the cert being requested isn't specifically for the service, this
could open an attack to other services for other protocols
AI: Alexey to add some clarifying text, Richard to send some
AI: After next draft, WGLC; READ
Paul Hoffman: These details aren't clear in the current draft.
Richard: We have a couple of layers of indirection; what I am least clear on is
the mapping of service to certificate. CAs may want to include SRV into the
cert if you show control of the domain.
Alexey: I'm hoping they'll issue certs with the port
Richard: I suggest you implement SRV service IDs
Tim: SRV has been discussed but not implemented
Tim: The assumption all zones in a domain are controlled by the same identity
is no longer true.
Alexey: I am developing software that could develop software to validate these,
but first I need CAs to issue certs against this.
Yaron: Are you expecting end user to perform this challenge?
Alexey: Yes, possibly through copy/pasting the challenge.
Chair: Is there any provision for multiple clients?
AI: Tim H and dkg said they would review
## TN Authority Token documents, 20 minutes
Updates
AI: Another rev then WGLC
ADJOURN
Acme mailing list: https://www.ietf.org/mailman/listinfo/acme