This looks like a useful addition. Here are a few comments and questions:

- Why is the draft informational and not standards track?

- Why does absence turn the feature on? Wouldn't this invite sending spurious 
requests for ACME information to CAs configured before this draft existed that 
do not support ACME? 

- Is a boolean the right type for discovery or should it be a string that 
indicates the protocol that is the target of auto-discovery?

- Do/ought parent domains apply (as they do in CAA)? If not, it might be worth 
a few words since the usage here is different.

- In the next to last example in 3.2, why does EV without priority go first?

- In 5.1, you might want to replace the long paragraph with bullets. 

- In 5.1, what does 3.b mean? Can you add an example?

- You should expand QWAC on first use and maybe add an informational reference. 


On 7/6/23, 10:54 AM, "Acme on behalf of Mike Ounsworth" <[email protected] on behalf of [email protected]> wrote:

Hi ACME!

This is new business that we would like to add to the agenda for 117.

Thanks,
---
Mike Ounsworth & Paul van Brouwershaven


-----Original Message-----
From: [email protected] <[email protected]>
Sent: Thursday, July 6, 2023 9:39 AM
To: Mike Ounsworth <[email protected]>; Paul van Brouwershaven <[email protected]>
Subject: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt


A new version of I-D, draft-vanbrouwershaven-acme-auto-discovery-00.txt
has been successfully submitted by Paul van Brouwershaven and posted to the 
IETF repository.


Name: draft-vanbrouwershaven-acme-auto-discovery
Revision: 00
Title: Auto-discovery mechanism for ACME client configuration
Document date: 2023-07-06
Group: Individual Submission
Pages: 16
URL: https://www.ietf.org/archive/id/draft-vanbrouwershaven-acme-auto-discovery-00.txt
Status: https://datatracker.ietf.org/doc/draft-vanbrouwershaven-acme-auto-discovery/
Html: https://www.ietf.org/archive/id/draft-vanbrouwershaven-acme-auto-discovery-00.html
Htmlized: https://datatracker.ietf.org/doc/html/draft-vanbrouwershaven-acme-auto-discovery

Abstract:
A significant impediment to the widespread adoption of the Automated
Certificate Management Environment (ACME) [RFC8555] is that ACME
clients need to be pre-configured with the URL of the ACME server to
be used. This often leaves domain owners at the mercy of their
hosting provider as to which Certification Authorities (CAs) can be
used. This specification provides a mechanism to bootstrap ACME
client configuration from a domain's DNS CAA Resource Record
[RFC8659], thus giving control of which CA(s) to use back to the
domain owner.


Specifically, this document specifies two new extensions to the DNS
CAA Resource Record: the "discovery" and "priority" parameters.
Additionally, it registers the URI "/.well-known/acme" at which all
compliant ACME servers will host their ACME directory object. By
retrieving instructions for the ACME client from the authorized
CA(s), this mechanism allows for the domain owner to configure
multiple CAs in either load-balanced or fallback prioritizations
which improves user preferences and increases diversity in
certificate issuers.
The IETF Secretariat

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
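To make the mechanism in the abstract concrete (CAA "issue" records carrying "discovery" and "priority" parameters, resolved to a CA's "/.well-known/acme" directory and ordered into fallback or load-balance sets), here is an added example that is not code from the draft or its authors. The `discovery=true|false` and `priority=N` syntax, the "no priority sorts last" rule, and the sample RRset are all assumptions; `default_discovery` makes the reviewer's question about what an absent parameter means an explicit choice rather than an implied one.

```python
from dataclasses import dataclass
from itertools import groupby
# Constructed sample CAA RRset (not from the draft); "discovery=" / "priority=" syntax is assumed.
SAMPLE_CAA = [
    ("issue", "ca1.example.net; discovery=true; priority=10"),
    ("issue", "ca2.example.net; discovery=true; priority=10"),
    ("issue", "ca3.example.net; discovery=true; priority=20"),
    ("issue", "legacy-ca.example.org"),            # pre-draft record, no parameters
    ("issue", "ca4.example.net; discovery=false"),
    ("issuewild", "wild.example.net; discovery=true; priority=5"),
]
@dataclass
class Candidate:
    ca: str
    priority: "int | None"
    directory_url: str   # the draft's registered "/.well-known/acme" path

def parse_issue_value(value):
    """Split an RFC 8659 issue value into (issuer-domain, {param: value})."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return parts[0].lower(), params

def discover_acme_candidates(rrset, tag="issue", default_discovery=False):
    """Return CAs eligible for auto-discovery, best priority first."""
    out = []
    for rtag, value in rrset:
        if rtag != tag:
            continue
        domain, params = parse_issue_value(value)
        if not domain:              # a bare ";" forbids issuance entirely
            continue
        flag = params.get("discovery")   # default_discovery decides what absence means
        enabled = default_discovery if flag is None else flag.lower() == "true"
        if not enabled:
            continue
        prio = params.get("priority")
        priority = int(prio) if prio is not None and prio.isdigit() else None
        out.append(Candidate(domain, priority, f"https://{domain}/.well-known/acme"))
    # Lower value wins; records without a priority sort last (assumed rule).
    out.sort(key=lambda c: (c.priority is None, c.priority or 0))
    return out

def fallback_groups(candidates):
    """Equal-priority CAs form one load-balance set; sets are in fallback order."""
    return [list(g) for _, g in groupby(candidates, key=lambda c: c.priority)]
```

With the strict default, the pre-draft `legacy-ca.example.org` record is never contacted; with `default_discovery=True` it becomes a (lowest-ranked) candidate, which is the spurious-request concern raised in the review.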