Automated Certificate Management Environment (acme)
IETF 113, Monday, 21 March 2022 1300-1400 CET (1200-1300 UTC)
Notes: https://notes.ietf.org/notes-ietf-113-acme
Minutes: https://datatracker.ietf.org/doc/minutes-113-acme/
MeetEcho: https://meetings.conf.meetecho.com/IETF113-ACME-20220321-1200
YouTube: https://www.youtube.com/watch?v=g11bCfSfmIU
Jabber: xmpp:acme@jabber.ietf.org
https://jabber.ietf.org/jabber/logs/acme/2022-03-21.html
Agenda
- Note Well, technical difficulties and administrivia (chairs) – 5 min
- Document Status (chairs) – 10 min
- Work items
- AOB - 10 min
Minutes
Document Status
- ACME Authority Token + ACME Authority Token TNAuthlist
  - Still waiting on the "Revised ID Needed"
  - No authors online (Mary is online, but no audio)
  - Deb will ping Jon after the meeting
- DTN Node ID
  - New version posted recently
  - Presentation today
- ACME Client
  - No updates since IETF 112
  - Supply chain security, SBOMs, and Sigstore are driving some upcoming updates
- ACME Renewal Information
  - Some conversations on list since last IETF
  - No new draft yet, not yet a WG document, presentation today
- ACME Integrations
  - New version (-06) in December
  - Ready for last call?
- ACME Subdomains
  - New version (-02) in March
  - Ready for last call?
DTN Node ID
- Presenter: Brian Sipos
- Latest draft (-09) published recently
- Referenced DTN documents are now published RFCs
- Changes since -06:
  - Separates tokens from challenge identifiers, now very similar to RFC 8823
  - Added key authorization digest algorithm agility
  - Various typos and editorial comments
- The COSE Hash Algorithms document referenced for digest agility is not yet published
- Requesting WG read and review prior to April 1. Several people in the room agreed to review.
ACME ARI Extension
- Presenter: Aaron Gable
- Draft -02 is not yet published, will publish shortly after IETF 113 adjourns.
- Path construction:
  - Base path is still contained in directory
  - Remainder is now base64url-encoding of DER-encoding of CertID ASN.1, with trailing "=" stripped (similar to how an OCSP cert request is constructed, but without extensions)
- Server responses haven't changed since the previous version.
- New functionality for updating Renewal Information:
  - POST-as-GET to the renewalInfo base URL
  - Body contains base64url-encoding of DER-encoding of CertID
    - Similar to how ACME revocation requests are sent
    - Also contains metadata (see question below)
  - Request MUST be signed by the original Subscriber's key
    - No choice of keys as in ACME revocation
  - Allows ACME server to:
    - Revoke replaced certs early if necessary
    - Avoid sending unnecessary renewal reminder notifications
    - Send empty renewalInfo responses for replaced certs
  - MR: Might need to have information about which new certificate replaced an old one? So not an empty-body HTTP response then?
    - Yes, considering including serial (or CertID?) of replacement cert in POST-as-GET metadata
    - This could include the serial of the replacement cert
- Open question: ExplanationURI in renewalInfo response?
  - Might provide value for certificate status monitoring services
  - Likely to be included in future draft
  - YN: Do you want to standardize ExplanationURI content type?
    - No, it is supposed to be human readable
- YN (as chair): what are your plans in regards to the document? Do you want WG adoption?
  - (Yoav explains the process, giving up change control, etc.)
  - YN: we will do adoption after the IETF week
  - DC: let's do this once you publish -02
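The path construction presented above (base64url-encoding of the DER-encoded OCSP-style CertID, trailing "=" stripped, appended to the renewalInfo base path from the directory), as an added example in Python that is not part of these minutes or of the ARI draft itself. It carries a minimal hand-written DER encoder covering only the types CertID needs, a server-side decoder that rejects padded or non-canonical input, and constructed placeholder issuer bytes, serial number and base URL. The same encoded CertID is what the update request body described above carries, so `b64url_nopad(cert_id)` serves both uses.

```python
"""Build an ACME ARI (-02 style) renewalInfo path from an OCSP-style CertID.

Added example, not the ARI draft's own code. The DER encoder here is a minimal
hand-written one; a real client would take the issuer Name and key bytes from
the parsed certificate chain rather than from the constructed placeholders below.
"""
import base64
import hashlib

SHA256_OID = "2.16.840.1.101.3.4.2.1"  # id-sha256, used as CertID.hashAlgorithm


def _der_len(n: int) -> bytes:
    """DER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def der_integer(value: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 keeps a set high bit from reading as a sign."""
    if value < 0:
        raise ValueError("serial numbers are non-negative")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def der_octet_string(data: bytes) -> bytes:
    return der_tlv(0x04, data)


def der_null() -> bytes:
    return b"\x05\x00"


def der_sequence(*elements: bytes) -> bytes:
    return der_tlv(0x30, b"".join(elements))


def cert_id_der(issuer_name_der: bytes, issuer_public_key: bytes, serial: int) -> bytes:
    """RFC 6960 CertID: SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }.

    issuer_name_der is the DER of the issuer Name; issuer_public_key is the
    subjectPublicKey BIT STRING contents (unused-bits byte excluded), as in OCSP.
    """
    return der_sequence(
        der_sequence(der_oid(SHA256_OID), der_null()),
        der_octet_string(hashlib.sha256(issuer_name_der).digest()),
        der_octet_string(hashlib.sha256(issuer_public_key).digest()),
        der_integer(serial),
    )


def b64url_nopad(data: bytes) -> str:
    """base64url with trailing '=' stripped, as the path construction requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def renewal_info_url(renewal_info_base: str, cert_id: bytes) -> str:
    """Base path from the directory + '/' + encoded CertID."""
    return renewal_info_base.rstrip("/") + "/" + b64url_nopad(cert_id)


def decode_cert_id(encoded: str) -> bytes:
    """Server side: restore padding, reject padded or impossible-length input."""
    if "=" in encoded or len(encoded) % 4 == 1:
        raise ValueError("malformed base64url CertID")
    der = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
    if not der.startswith(b"\x30"):
        raise ValueError("CertID must be a DER SEQUENCE")
    return der


# Constructed sample input: placeholders, not data from any real issuer.
SAMPLE_ISSUER_NAME_DER = b"\x30\x00"  # empty Name, placeholder only
SAMPLE_ISSUER_KEY = bytes(range(64))  # placeholder subjectPublicKey bytes
SAMPLE_SERIAL = 0x0A1B2C3D
SAMPLE_BASE = "https://acme.example/renewalInfo"  # assumed directory value

if __name__ == "__main__":
    cid = cert_id_der(SAMPLE_ISSUER_NAME_DER, SAMPLE_ISSUER_KEY, SAMPLE_SERIAL)
    print(renewal_info_url(SAMPLE_BASE, cid))
```

The decoder's rejection of any "=" and of lengths congruent to 1 mod 4 matters on the server side: the path form has exactly one canonical spelling per CertID, so anything else is a malformed request rather than an alias for a valid one. Later revisions of ARI changed the certificate identifier format, so this matches only the -02 construction described in the presentation above.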
ACME Integrations
- Presenter: Rifaat Shekh-Yusef
- Just editorial since version -05:
  - Use DNS terminology consistently
  - Added missing acronyms
  - Clarified protocol vs server vs CA terminology
- Some minor edits still upcoming
- Asking for WG last call
ACME Subdomains
- Presenter: Michael Richardson
- This document is new-ish, but was split out of the Integrations doc
- Edits since version -02:
  - Fixed DNS and CA terminology
  - Updated JSON field names
  - Added clarifying text in examples
  - "domainNamespace" --> "subdomains"
- Some minor edits still upcoming
- Asking for WG last call