Minutes IETF103: acme
minutes-103-acme-00
| Meeting Minutes | Automated Certificate Management Environment (acme) WG |
|---|---|
| Date and time | 2018-11-08 09:10 |
| Title | Minutes IETF103: acme |
| State | Active |
| Last updated | 2018-11-08 |
# ACME at IETF 103

ACME is meeting at IETF 103 in the last session, Thursday II, 16:10-18:10. Agenda is as follows:

## Administrivia, 10 minutes

Note well, jabber, minute-takers

dkg for Jabber, Thomas Peterson for Minutes

## Brief updates, 10 minutes

ACME, CAA challenge, IP identifier challenge, ALPN challenge

Richard: I am still waiting for my co-worker to read an outstanding PR; I will probably merge it later tonight

Chair: We will open another 2-week WGLC

Thomas Fossati: ... and we need a document shepherd

Action Item (AI): Chairs to post WGLC to list and ask for a shepherd

## STAR, 30 min

- Update as a result of the last-minute ACME changes, etc. Was already in WGLC; seeking a doc shepherd

AI: Chairs to redo WGLC, seek shepherd, and then send to IESG

- STAR-delegation; now is an ACME profile, after feedback. Call for adoption

Richard: This is what is set to the IdO for DNS challenge?

Thomas Fossati: No, the DNS challenge is run just on the value.

Richard: What CNAME is provisioned as a result of this?

Yaron Sheffer: Points from CN0 to NDC

Richard: I'll take a look at the draft and provide feedback

Yaron: This could be used for long

Richard: This could be used for the short-term use case, but I don't see a reason to join this with long-term

Chris: If someone finds a solution where they are using them for long term, more power to them; we should encourage them.

Yoav: What if we don't find such a use case? Right now we don't have any use cases

Dan Gillmor: If you are going to issue to STAR, how are you going to restrict it? What cut line would you use? Expiration or other?

Yaron Sheffer: It could...

Tim Hollebeek: That makes things more complicated, as this confuses delegation: it is for short term, but not for long term. It's more useful in short term.

Chair: Are you requesting this be adopted?

Yaron: That's on the next slide

Richard: If a CNAME has been delegated, the NDC "owns" it and can do the HTTP challenge (maybe not the DNS challenge) just by having the record pointed at it

Jon Peterson: How does base ACME work when resolving the challenge?

Richard: There are some CDNs that do this today

Richard: It appears the CNAME here is confusing, but the rest of the document is sound. There is a scoping question if the CNAME connection is suitable.

Jon: If you only have an account with the NDC, but not the IdO, then yeah, you wouldn't be able to prove ownership.

Richard: ACME accounts are cheap. Except where the CA is imposing a condition. You may, e.g., lock a domain to an account, but I'm unsure if that's being done.

Chris Wendt: Are you locking this to DNS type or open to other identifier types?

Yaron: Once this is a WG document, but I don't see a reason to lock it, as that's a WG decision.

Sanjay Mishra: The CNAME used here, the NDC is asking IdO with that?

Yaron: Yes.

AI: Chairs to issue call for adoption after the draft is updated

## Email TLS certs and EMAIL end-user certs, 15 minutes

Who will read? Ready for WGLC?

Paul Hoffman: I don't understand the proposed change

Alexey: At the moment service/port are single. If you wanted to issue multiple ports (IMAP/IMAPS) it needs to be multiple requests.

Paul: I see no reason not to have multiple services.

Chair: One array or two?

Alexey: One array

Richard: I'm confused. This document is talking about authenticating DNS, but what would go into a certificate is a Domain.

Alexey: In theory you could issue SRV-based IDs. In the most common use cases that won't be used.

Richard: I think this should be updated to cover SRV.

DKG: I want to agree with Richard. If it's just on name, this is too complex. Several steps need including

Alexey: For DNS there will be a slightly specific service name.

DKG: If the cert being requested isn't specifically for the service, this could open an attack on other services for other protocols

AI: Alexey to add some clarifying text, Richard to send some

AI: After next draft, WGLC; READ

Paul Hoffman: These details aren't clear in the current draft.

Richard: We have a couple of layers of indirection; what I am least clear on is the mapping of service to certificate. CAs may want to include SRV into the cert if you show control of the domain.

Alexey: I'm hoping they'll issue certs with the port

Richard: I suggest you implement SRV service IDs

Tim: SRV has been discussed but not implemented

Tim: The assumption that all zones in a domain are controlled by the same identity is no longer true.

Alexey: I am developing software that could develop software to validate these, but first I need CAs to issue certs against this.

Yaron: Are you expecting the end user to perform this challenge?

Alexey: Yes, possibly through copy/pasting the challenge.

Chair: Is there any provision for multiple clients?

AI: Tim H and dkg said they would review

## TN Authority Token documents, 20 minutes

Updates

AI: Another rev then WGLC

ADJOURN