Skip to main content

Minutes IETF111: acme

Meeting Minutes Automated Certificate Management Environment (acme) WG
Date and time 2021-07-30 21:30
Title Minutes IETF111: acme
State Active
Other versions plain text
Last updated 2021-08-05

ACME WG at Virtual IETF 111


Note Well, technical difficulties and administrivia – 5 min

        No agenda bashing

Document Status (chairs) – 10 min

Extensions to ACME for End-User S/MIME Certificates
Published in April (RFC 8823)

ACME Profile for Generating Delegated Certificates
- through IETF LC, directorate review, IESG review
- In RFC Editors queue

ACME Challenges Using an Authority Token
- AD review in October 2020
- New version in July
- Some additional comments from the AD, authors stated that they will address.

TNAuthList profile of ACME authorty Token
- Submitted to IESG last August
- waiting for the Challenges drafts to be complete

ACME DTN Node ID Validation Extension
- through WGLC, submitted to IESG, Roman reviewed, changes required

ACME Integration
- -04 posted
- few comments at WGLC needs more review

ACME for Subdomains
- Version -05, not yet adopted
- Will take the adoption call to the list.

ACME Extension for Single Sign On Challenges
- -01 published
- Not much discussion on list

Presentations: (Friel,
Shekh-Yusef, Richardson) - 10 minutes - Owen Friel presented - describes how
ACME can be integrated with multiple existing clients - added  ACME Integration
Considerations Section, consolidated existing id-kp-cmcRA guidance into this
section, in addition to other updates - Didn't get enough review in WGLC;
feedback needed - Russ Housley volunteered to review - Deb: latest version
answers all my comments (Friel, Barnes,
Hollebeek, Richardson) - 10 minutes - Owen Friel presented - single
authentication against Authorized Domain Name, then request multiple certs for
identifiers in the Domain Namespace without having to perform any
authorizations per subdomain - editorial changes, clarified edits - aligned
terminology with CA/B - added information on pre-authorization handling and new
order handling - example protocol enhancements included on slides 4 and 5 -
updates address feedback from last version - asking WG for adoption, as well as
feedback on the protocol changes made in this version - Show of hands: how many
people have read this draft? 7 people, Yoav says that is a good number - Deb
points out that there are 4 authors - Yoav: 3 additional reviewers is nice -
Owen: it's at least 5 reviewers, I did not raise hand and another author isn't
there. - MCR in chat: I did raise my hand - Roman in chat: confirm on list to
make it a working group draft

Where do we go from here? (chairs) – 15 minutes
Yoav: this group is low energy (surely we all are at this point in the week,
but, documents get little review) - unlikely to run out of people who want
tweeks, novel use cases, but there is little adoption/interest beyong the web
use-case covered in the base doc - question to the group: is it worth
continuing as a working group?
    - MCR: you are right, things have been slow. Reluctance to engage because
    things are slow and there are many conflicts. Recommend virtual interims to
    have fewer schedule conflicts. - start asking if small extensions require
    IANA action? If no, might not need to standardize around them, folks can
    just implement them. - leave the working group alone for a year, see how it
Yoav: norm is to close and reopen if there is new work

- Kathleen Moriarty: I asked for my work to go to WGLC, chairs agreed, nothing
happened for a year. It had enough reviews. These actions have to occur to keep
energy up. I would like an answer

- Roman: I like the questions Yoav asked, interested in more feedback. Also
want to ask: are there latent extensions folks would like to do? We can batch
them up, get them listed, bring energy back up.

- Aaron Gable: we at Let's Encrypt have been less active due to turnover. Need
to revoke over 200 M certs at once, which is an issue. This is my first time
here, but I plan to have a draft in progress to present to IETF 112. -Yoav: can
talk about the draft at an iterim meeting? - Aaron: absoloutely

- PHB: tail offs are intrisic to security work, because you are never done with
security. Have to accept that this is the way things are. We should address
this as a Security Area by standing up an maintenance working group. - Yoav:
first ACME draft was the one everyone was interested in, follow up drafts were
more and more niche - PHB: that might stem from a misunderstanding about what
certs are. People think of them as server certs, not
organizational/domain/individual mail certs.

-Roman: lets schedule a virtual interim between now and Nov, figure out what
additional scope might be, no draft required (don't set the bar too high). Do
we stay open to do maintenance, and what is the timer on that? If we have new
work, what will it take to reason about that new scope?

- Deb: will this change when the post quantum algorithms come out?
- Yoav: I think not, we don't consider algorithms in ACME. Use TLS, use
whatever algs are available in TLS. I don't think that is changing, but I could
be wrong. - Roman: we can bring that to the discussion - Deb: we have things to
finish, we can at least work on those things - Roman: definitely won't close
work group out until open drafts are clear

Aaron: energey issue is an IETF-wide thing, not only ACME. I didn't volunteer
to read drafts because I don't know the process. New people like me might need
to better understand how things work, we don't have resources to tell us how
things work at IETF - Yoav: might be a casualty of COVID

Open Mic/AOB
- Roman: providing a date for us to have more ideas would help
- Yoav: late september, early Ocotber is a good time for an interim
- Deb: chairs have actions:
    - Sub domain doc needs to be a working group doc
    - advance Kathleen's draft
    - schedule virtual interim.
- Deb: when we schedule November, we need to be mindful of conflicts
- Yoav: more simultaneous sessions in virtual meetings mean more conflicts
- MCR: you can attend multiple meetings at the same time virtually, though
(maybe mcr can, lol) - MCR: How do we connect to devices on your local LAN that
we need certs for? There is a IOT [which standards body] that thinks acme is
the way to do this.  Maybe it is, maybe it isn't.  We need to look at it.