Minutes IETF103: acme
minutes-103-acme-00

Meeting Minutes: Automated Certificate Management Environment (acme) WG
Date and time: 2018-11-08 09:10
Title: Minutes IETF103: acme
State: Active
Last updated: 2018-11-08

ACME at IETF 103

# ACME is meeting at IETF 103 in the last session, Thursday II. 16:10-18:10

Agenda is as follows:

## Administrivia, 10 minutes
    Note well, jabber, minute-takers
    dkg for Jabber,
    Thomas Peterson for Minutes

## Brief updates, 10 minutes
    ACME, CAA challenge, IP identifier challenge, ALPN challenge

Richard: I am still waiting for my co-worker to read an outstanding PR,
I will probably merge it later tonight
Chair: We will open another 2 week WGLC
Thomas Fossati: ... and we need a document shepherd
Action Item (AI): Chairs to post WGLC to list and ask for a shepherd

## STAR, 30 minutes
    - Update as a result of the last-minute ACME changes, etc.
      Was already in WGLC; seeking a doc shepherd
AI: Chairs to redo WGLC, seek shepherd, and then send to IESG

    - STAR-delegation; now is an ACME profile, after feedback
      Call for adoption

Richard: This is what is set to the IdO for the DNS challenge?
Thomas Fossati: No, the DNS challenge is run just on the value.
Richard: What CNAME is provisioned as a result of this?
Yaron Sheffer: Points from CN0 to NDC

Richard: I'll take a look at the draft and provide feedback

Yaron: This could be used for long
Richard: This could be used for the short-term use case, but I don't see a
reason to join this with long-term
Chris: If someone finds a solution where they are using them for long term,
more power to them, we should encourage them.
Yoav: What if we don't find such a use case? Right now we don't have any use
cases
Dan Gillmor: If you are going to issue STAR, how are you going to restrict
it? What cut line would you use? Expiration or other?
Yaron Sheffer: It could...
Tim Hollebeek: That makes things more complicated, as this confuses delegation
is for short term, but not for long term. It's more useful in short term.

Chair: Are you requesting this be adopted?
Yaron: That's on the next slide

Richard: If a CNAME has been delegated, the NDC "owns" it can do the
HTTP challenge (maybe not the DNS challenge) just by having the record pointed
at it
Jon Peterson: How does base ACME work when resolving the challenge?
Richard: There are some CDNs today that do this today
Richard: It appears the CNAME here is confusing, but the rest of the document
is sound. There is a scoping question if the CNAME connection is suitable.
Jon: If you only have an account with the NDC, but not the IdO then yeah, you
wouldn't be able to prove ownership.
Richard: ACME accounts are cheap. Except where CA is imposing
condition. You may, e.g. lock a domain to an account but I'm unsure if that's
being done.
Chris Wendt: Are you locking this to DNS type or open to other identifier types?
Yaron: Once this is a WG document, but I don't see a reason to lock it as
that's a WG decision.
Sanjay Mishra: The CNAME used here, the NDC is asking IdO with that?
Yaron: Yes.

AI: Chairs to issue call for adoption after the draft is updated

## Email TLS certs and EMAIL end-user certs, 15 minutes
    Who will read?  Ready for WGLC?

Paul Hoffman: I don't understand the proposed change
Alexey: At the moment service/port are single. If you wanted to issue multiple
ports (IMAP/IMAPS) it needs to be multiple requests.
Paul: I see no reason not to have multiple services.
Chair: One array or two?
Alexey: One array
Richard: I'm confused. This document is talking about authenticating
DNS, but what would go into a certificate is a Domain.
Alexey: In theory you could issue SRV based IDs. In the most common use cases
that won't be used.
Richard: I think this should be updated to cover SRV.
DKG: I want to agree with Richard. If it's just on name, this is too complex.
Several steps need including
Alexey: For DNS there will be slightly specific service name.
DKG: If the cert being requested isn't specifically for the service, this
could open an attack to other services for other protocols
AI: Alexey to add some clarifying text, Richard to send some
AI: After next draft, WGLC; READ

Paul Hoffman: These details aren't clear in the current draft.
Richard: We have a couple of layers of indirection; what I am least clear on is
the mapping of service to certificate. CA's may want to include SRV into the
cert if you show control of the domain.
Alexey: I'm hoping they'll issue certs with the port
Richard: I suggest you implement SRV service IDs
Tim: SRV has been discussed but not implemented
Tim: The assumption all zones in a domain are controlled by the same identity
is no longer true.
Alexey: I am developing software that could develop software
to validate these, but first I need CAs to issue certs against this.

Yaron: Are you expecting end user to perform this challenge?
Alexey: Yes, possibly through copy/pasting the challenge.
Chair: Is there any provision for multiple clients?
AI: Tim H and dkg said they would review

## TN Authority Token documents, 20 minutes
    Updates

AI: Another rev then WGLC

ADJOURN