ACME AT IETF 110 Tuesday, March 9, Session II

Administrivia Note Well Minutes (Russ) Jabber Scribe (not needed, integrated with Meetecho)

Document updates from the chairs (see

DTN Networking (Brian Sipos) (see

DTN is store-and-forward of Bundles, which is similar to email. The proposed DTN Convergence Layers and Bundle Security need a PKIX certificate authentication mechanism, so the document defines one. Aimed at Experimental RFC. Some DTN folks have looked at this. Want feedback about validating URI claims. Few people have read the document. Will go to WG Last Call to try and get more eyes on the document.

ACME Integrations Draft (Owen Friel) (see

Two open items have been addressed. The RA will not be able to have an ACME server issue the certificate, which seems fine. Ready for WG Last Call.

ACME Subdomains Draft (Owen Friel) (see

Proposal: Include an optional “parentDomainAuthorization” boolean flag with newOrder/newAuthz “identifiers” indicating if the client has control over all parent domain names. If true, the server may issue a challenge against the identifier FQDN or any parent domain name. If false, the server must only issue a challenge against the identifier FQDN. Is this granular enough? Russ: singular bit not granular enough because in different parts of the tree you don't know where to stop (i.e., a DNS "cut")

Proposal: No provision in the I-D to provide a choice of identifiers. Clarifying statements added that if the client indicates "parentDomainAuthorization" true, then server policy controls which identifier to issue the challenge against. No one raised concerns with this approach. Will issue a call for adoption after IETF 110.
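The following is an added illustration of the server-side logic discussed in the two proposals above; it is not code from the ACME Subdomains draft or from the WG. The field name "parentDomainAuthorization" is taken from the minutes; the JSON shape of the identifier, the stop-at-public-suffix rule and the tiny suffix list are assumptions made for the example. It shows why a single boolean is awkward: with the flag set, a naive walk up the tree runs to the TLD unless the server has separate knowledge of where the DNS "cut" is.

```python
"""Candidate challenge domains for an ACME identifier carrying the proposed
"parentDomainAuthorization" flag. Illustration only; field name from the
IETF 110 minutes, everything else (JSON shape, stop rule) is assumed."""

from typing import Dict, List, Union

# Constructed stand-in for a public-suffix list. A real server would need a
# real list (or out-of-band policy) to know where a DNS cut is; the flag
# alone carries no such information.
PUBLIC_SUFFIXES = {"com", "co.uk", "uk"}

Identifier = Dict[str, Union[str, bool]]


def parent_domains(fqdn: str) -> List[str]:
    """Return the FQDN followed by every parent, e.g.
    a.b.example.com -> [a.b.example.com, b.example.com, example.com, com]."""
    labels = fqdn.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def candidate_challenge_domains(identifier: Identifier,
                                stop_at_suffix: bool = True) -> List[str]:
    """Domains the server MAY issue a challenge against for this identifier.

    flag false/absent: only the identifier FQDN itself.
    flag true:         the FQDN or any parent; with stop_at_suffix=False the
                       walk goes all the way up, which is the granularity
                       problem raised in the discussion.
    """
    fqdn = str(identifier["value"])
    if not identifier.get("parentDomainAuthorization", False):
        return [fqdn]
    chain = parent_domains(fqdn)
    if not stop_at_suffix:
        return chain
    allowed: List[str] = []
    for domain in chain:
        if domain in PUBLIC_SUFFIXES:
            break  # assumed server policy: never challenge a public suffix
        allowed.append(domain)
    return allowed


def choose_challenge_domain(identifier: Identifier,
                            policy: str = "shortest") -> str:
    """Server policy picks one candidate: the shortest (highest) parent the
    client claims control over, or the exact FQDN."""
    candidates = candidate_challenge_domains(identifier)
    return candidates[-1] if policy == "shortest" else candidates[0]


if __name__ == "__main__":
    # Constructed newOrder-style identifier objects.
    exact = {"type": "dns", "value": "a.b.example.com",
             "parentDomainAuthorization": False}
    parent = {"type": "dns", "value": "a.b.example.com",
              "parentDomainAuthorization": True}
    print(candidate_challenge_domains(exact))
    print(candidate_challenge_domains(parent))
    print(candidate_challenge_domains(parent, stop_at_suffix=False))
    print(choose_challenge_domain(parent))
```

Run stand-alone, the script prints the single-FQDN list for the false case, the three-element list stopping at example.com for the true case, and the full chain ending in "com" when the suffix check is disabled.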

Many thanks to Rich for years of service as ACME WG Chair!