Minutes IETF105: acme
Automated Certificate Management Environment
||Minutes IETF105: acme
ACME at IETF 105
Thanks to Robin Wilton for the minutes.
==>Action items/requests are indicated with this prefix
Telephony update (Jon Peterson):
Telephony drafts revised (during IETF week last year); some dependencies on
STIR WG (e.g. on JWT constraints).
RFC 8226 refers.
==>Chair requested an update from Jon after the STIR meeting.
STAR Delegation (Diego Lopez):
Use case recap:
Name Delegation Client (NDC) might be e.g. a Content Delivery Network may be
the desired termination point of an https connection. Goal is to allow an IdO
(Identity owner) to delegate use of a name, without having to share the
corresponding private key.
==>Jon Peterson: Requests discussion with STIR about use cases, on how to
interoperate between STIR identifier delegation and STAR cert delegation.
E Rescorla: Would like to hear from a potential implementer... as a
precondition to this work continuing.
==>D Lopez: Will ask for a statement from CDNI.
ACME Integrations (Owen Friel)
Use of sub-domains is proposed, to facilitate large-scale issue of
client-device certificates. This seems to offer functionality of benefit to
EST and TEAP, without requiring changes to their respective specifications.
==> If interested, pleaes come to side meeting, Weds 9am, Coller Rm
==>K Moriarty: Please document the functions described, because if they exist
but aren't documented, potential adopters may assume they don't exist.
D Lopez: +1 to this work
R Sleevi: this use of sub-domains is in line with the existing pattern of CA
issuance of public certs. Mild caveat: increased automation in this subject
domain *might*, over a number of years, mean this feature is superseded/
Extensions to ACME for S/MIME (Alexey Melnikov)
Use-case recap: to make it possible for ACME to issue certs for email clients.
==>Some open questions on which feedback is welcomed via the mailing list -
e.g. how to process mail client prefixes in the Subject: line of emails (esp.
bearing in mind they are often language-specific, such as Re: vs AW: etc.)
R Daniliw: any prospective implementers?
D Kahn Gilmor: Note that "implementers" covers a variety of roles - e.g.
implementers of client functionality vs implementers of CA functionality. If
there's a CA planning to implement, that would be of interest.
ACME Client draft (Kathleen Moriarty)
Codesigning Certificates -
Existing EV certificate issue requirements (such as existence of an account;
CA validation; Authorization from 1 of 2 administrators, etc.) would need to
be supplemented for code-signing certificates.
Based on feedback in the room/Jabber, there are at least 4 expressions of
interest in this work.
D Cooley (NSA): will check to see if there's interest in e.g. a PIV-compliant
ACME Overview proposal (K Moriarty)
Awareness of ACME often seems limited to LetsEncrypt and RFC8555.
This proposal is for a document aimed at providing an informational overview
of ACME, interfaces to other cert mgmt protocols (EST/BRSKI, KMIP, etc etc).
E Rescorla: an RFC is an odd way to do this, as opposed to e.g. a FAQ
R Barnes: draft contains useful stuff, but not convinced this needs IETF
consensus or the archival/permanence it would get from being an RFC.
KM: people do need to be able to find the information for it to be useful,
Yoav Nir (hatless): A few years ago an "IPSEC roadmap" was created, and isn't
really used; this work might be similarly underused.
R Daniliw: Aside re: "do we know if anyone's using the IPSEC roadmap?" If we
had web analytics on the IETF site, we'd know. Is there an applicability
statement in this draft?
KM: it's answers to FAQs
Liang Xia: Useful to me as a newcomer to this group; not wedded to publishing
it as an RFC specifically. Does the doc talk about cert issue for network
KM: Evolution is really on the basis of questions asked.
D Cooley: Could it be documented in the form of "use" cases?
KM: not a popular approach
Alexey M: suggests adoption as a WG work item, and think later about what to
do with the resulting artefact.
==>Chairs: path is open to do that as a WG draft or an Individual Draft,
either to be discussed in ACME.
Way forward (Chairs)
Is ACME really needed, when the implementers aren't usually in the room, and
the drafts are poorly reviewed.
R Barnes: WG could be put on the path to closure.
EKR: "Always Be Closing"
K Moriarty: value in getting the client pieces finalised, given that ACME's
work extends beyond just web certs.
R Daniliw: are there any drafts out there that should be in ACME but aren't?
Sean Turner: It took 18 years to shut PKIX down. As long as there's a WG open
doing stuff on PKI, people will keep showing up.
Alexey: whatever you do, don't shut down the mailing list.