
Shepherd writeup
draft-ietf-acme-tls-alpn

# Technical Summary

The ACME-TLS-ALPN draft extends the Automatic Certificate Management Environment
(ACME) with a new domain validation challenge type (tls-alpn-01) that is
performed entirely at the TLS layer. This challenge type meets the need of users
(hosting providers, CDNs, etc.) who wish to prove authorization over a DNS
identifier without modifying HTTP handling behaviour or updating DNS zone data.
It is the spiritual successor to the deprecated and removed TLS-SNI-01/02
challenge types from earlier ACME drafts.

# Working Group Summary

Earlier drafts specified an id-pe-acmeIdentifier OID that IANA had already
assigned. This has been addressed in the latest draft. The ASN.1 format of the
id-pe-acmeIdentifier extension was also both simplified (removing an unneeded
sub-arc from the OID) and clarified (to emphasize the SHA-256 digest value).
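As an added illustration of the mechanism summarized above and of the extension encoding discussed in the Working Group Summary (example code written for this page, not part of the writeup or of any implementation it mentions), the exchange in Go: the ACME client constructs the validation certificate, and the CA performs the TLS handshake and applies the checks a validation server must make, including the SHA-256 digest carried in the id-pe-acmeIdentifier extension. The writeup does not give the registry values; the ALPN protocol ID acme-tls/1, the OID 1.3.6.1.5.5.7.1.31 under the PKIX certificate-extension arc named in the IANA section, and the rule that the digest is taken over the ACME key authorization string come from the published specification, RFC 8737. The domain and key authorization string are constructed, and an in-memory net.Pipe stands in for the network.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Registry values taken from the finished spec (RFC 8737); the writeup names the registries only.
const acmeALPN = "acme-tls/1"
var oidACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}

// challengeCert is the ACME client side: a self-signed certificate with exactly one dNSName SAN
// and a critical id-pe-acmeIdentifier extension holding SHA-256(keyAuthz) as a DER OCTET STRING.
func challengeCert(domain, keyAuthz string) (tls.Certificate, error) {
	digest := sha256.Sum256([]byte(keyAuthz))
	extValue, _ := asn1.Marshal(digest[:]) // a []byte marshals as OCTET STRING; cannot fail
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{domain},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidACMEIdentifier, Critical: true, Value: extValue}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, nil
}

// validate is the CA side: acme-tls/1 negotiated, SAN exactly the identifier under validation,
// and a critical id-pe-acmeIdentifier extension carrying the expected digest; anything else fails.
func validate(cs tls.ConnectionState, domain, keyAuthz string) error {
	if cs.NegotiatedProtocol != acmeALPN || len(cs.PeerCertificates) == 0 {
		return fmt.Errorf("need %s and a certificate, got ALPN %q", acmeALPN, cs.NegotiatedProtocol)
	}
	cert := cs.PeerCertificates[0]
	if len(cert.DNSNames) != 1 || cert.DNSNames[0] != domain {
		return fmt.Errorf("SAN %v, want exactly [%s]", cert.DNSNames, domain)
	}
	digest := sha256.Sum256([]byte(keyAuthz))
	want, _ := asn1.Marshal(digest[:]) // DER is canonical, so comparing the encoded bytes suffices
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidACMEIdentifier) {
			if !ext.Critical || subtle.ConstantTimeCompare(ext.Value, want) != 1 {
				return fmt.Errorf("id-pe-acmeIdentifier must be critical and equal SHA-256(keyAuthorization)")
			}
			return nil
		}
	}
	return fmt.Errorf("id-pe-acmeIdentifier extension missing")
}

// handshake runs the exchange in memory: the ACME client is the TLS server offering only acme-tls/1
// and the challenge certificate; the CA is the TLS client sending SNI and requiring acme-tls/1.
func handshake(cert tls.Certificate, domain string) (tls.ConnectionState, error) {
	caSide, clientSide := net.Pipe()
	defer func() { caSide.Close(); clientSide.Close() }()
	done := make(chan error, 1)
	go func() {
		done <- tls.Server(clientSide, &tls.Config{
			Certificates: []tls.Certificate{cert}, NextProtos: []string{acmeALPN},
			SessionTicketsDisabled: true, // no post-handshake writes on the unbuffered pipe
		}).Handshake()
	}()
	ca := tls.Client(caSide, &tls.Config{
		ServerName: domain, NextProtos: []string{acmeALPN},
		InsecureSkipVerify: true, // self-signed by design; validate() is the real check
	})
	err := ca.Handshake()
	if err == nil {
		err = <-done
	}
	return ca.ConnectionState(), err
}

func main() {
	domain, keyAuthz := "example.com", "constructed-token.constructed-thumbprint" // constructed inputs
	cert, err := challengeCert(domain, keyAuthz)
	if err != nil {
		panic(err)
	}
	cs, err := handshake(cert, domain)
	if err != nil {
		panic(err)
	}
	fmt.Println("challenge valid:", validate(cs, domain, keyAuthz)) // challenge valid: <nil>
}
```

The SAN check deliberately requires exactly one dNSName equal to the identifier, and the extension value is compared as encoded DER, so a wrong tag, a wrong digest length or trailing bytes all fail, matching the draft's insistence on the SHA-256 OCTET STRING encoding.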

# Document Quality

Let's Encrypt, a high-volume ACME-based CA, has fully implemented the
tls-alpn-01 challenge type and has been issuing certificates with it in
production since July 12th, 2018. Multiple independent ACME clients have
implemented support for this challenge type.

The overall document quality is high. Developing an implementation based on the
specification text is reasonable. Interoperable client/server implementations
exist and are in use in a production setting.

# Personnel

The document shepherd is Daniel McCarney. The responsible area director is Eric
Rescorla.

# IRTF Note

Not applicable

# IESG Note

Not applicable

# IANA Note

There are three IANA considerations in Section 5. The "SMI Security for PKIX
Certificate Extension (1.3.6.1.5.5.7.1)" table requires an update. The
"Application-Layer Protocol Negotiation (ALPN) Protocol IDs" table needs an
update. The "ACME Validation Methods" table requires an update.