[Acme] Re: Introducting a new draft about adding a new ACME challenge type: public key challgenge

2024-11-25 Thread Q Misell
Hi Frank, I'm a little confused as to what this draft attempts to achieve; maybe you can help clarify? My understanding is that this draft attempts to address perceived weaknesses in the ACME protocol relating to proxying. I don't however see the need for this. RFC8555 § 6.2 already provides a bi

[Acme] Re: Introducting a new draft about adding a new ACME challenge type: public key challgenge

2024-11-25 Thread Ilari Liusvaara
On Mon, Nov 25, 2024 at 03:11:21AM +, Xialiang(Frank, IP Security Standard) wrote: > Hi ACME experts, > We submitted and presented a new ACME paper at the IETF 121st > meeting -- https://datatracker.ietf.org/doc/draft-geng-acme-public-key/. > > This draft is about ACME Extension for Public Ke

[Acme] Re: [EXTERNAL] Re: Introducting a new draft about adding a new ACME challenge type: public key challgenge

2024-11-25 Thread Mike Ounsworth
+1 Ilari --- Mike Ounsworth From: ilariliusva...@welho.com Sent: Monday, November 25, 2024 3:20 AM To: acme@ietf.org Subject: [EXTERNAL] [Acme] Re: Introducting a new draft about adding a new ACME challenge type: public key challgenge On Mon, Nov 25, 2024 at 03: 11: 21AM +, Xial

[Acme] Re: [EXTERNAL] Re: Introducting a new draft about adding a new ACME challenge type: public key challgenge

2024-11-25 Thread Mike Ounsworth
I have not yet had time to read the draft, but from the description in this email thread, am I to understand that the attack model is an attarker who compromises the ACME client and wants to replace the public key (CSR) with their own, is that correct? In which case, they have the private key, h

[Acme] Re: Dnsdir last call review of draft-ietf-acme-ari-06

2024-11-25 Thread Aaron Gable
Hi Geoff, Thank you for the comments! Specific notes in-line below. On Sat, Nov 23, 2024 at 6:16 PM Geoff Huston via Datatracker < nore...@ietf.org> wrote: > Reviewer: Geoff Huston > Review result: Ready with Nits > > Overall the specification is quite reasonable. I have some nots that I feel >

[Acme] Re: draft-ietf-acme-ari

2024-11-25 Thread Aaron Gable
Hi Deb, You're absolutely right that I should be referencing the 9110 instead of the obsoleted 7231. Thanks for catching that! I've fixed it in the latest commit in the github repo and will publish it along with updates for other comments. Aaron On Fri, Nov 22, 2024 at 10:33 AM Deb Cooley wrote

[Acme] Re: Dnsdir last call review of draft-ietf-acme-ari-06

2024-11-25 Thread Geoff Huston
I'll skip those points where we agree, and just answer your queries: 2. Introductioon: "Allowing issuing CAs to suggest a period in which clients should renew their certificates enables for dynamic time-based load balancing." There is a word missing here - enables WHAT? I believe it's actually