# Automated Certificate Management Environment (acme)

IETF 113, Monday, 21 March 2022, 1300-1400 CET (1200-1300 UTC)

Notes: https://notes.ietf.org/notes-ietf-113-acme
Minutes: https://datatracker.ietf.org/doc/minutes-113-acme/
MeetEcho: https://meetings.conf.meetecho.com/IETF113-ACME-20220321-1200
YouTube: https://www.youtube.com/watch?v=g11bCfSfmIU
Jabber: xmpp:acme@jabber.ietf.org https://jabber.ietf.org/jabber/logs/acme/2022-03-21.html

## Agenda

- Note Well, technical difficulties and administrivia (chairs) – 5 min
- Document Status (chairs) – 10 min
- Work items
  - draft-ietf-acme-dtnnodeid-09 (Sipos) – 10 min
  - draft-aaron-acme-ari-01 (Gable) – 15 min
  - draft-ietf-acme-integrations-06 (Shekh-Yusef) – 5 min
  - draft-ietf-acme-subdomains-02 (Richardson) – 5 min
- AOB – 10 min

## Minutes

- Document Status
  - ACME Authority Token + ACME Authority Token TNAuthlist
    - Still waiting on the "Revised ID Needed"
    - No authors online (Mary is online, but no audio)
    - Deb will ping Jon after the meeting
  - DTN Node ID
    - New version posted recently
    - Presentation today
  - ACME Client
    - No updates since IETF 112
    - Supply chain security, SBOMs, and Sigstore are driving some upcoming updates
  - ACME Renewal Information
    - Some conversations on list since last IETF
    - No new draft yet, not yet a WG document, presentation today
  - ACME Integrations
    - New version (-06) in December
    - Ready for last call?
  - ACME Subdomains
    - New version (-02) in March
    - Ready for last call?
- DTN Node ID
  - Presenter: Brian Sipos
  - Latest draft (-09) published recently
  - Referenced DTN documents are now published RFCs
  - Changes since -06:
    - Separates tokens from challenge identifiers, now very similar to RFC 8823
    - Added key authorization digest algorithm agility
    - Various typos and editorial comments
  - The COSE Hash Algorithms document referenced for digest agility is not yet published
  - Requesting WG read and review prior to April 1. Several people in the room agreed to review.
- ACME ARI Extension
  - Presenter: Aaron Gable
  - Draft -02 is not yet published, will publish shortly after IETF 113 adjourns.
  - Path construction:
    - Base path is still contained in directory
    - Remainder is now base64url-encoding of DER-encoding of CertID ASN.1, strip trailing "=" (similar to how an OCSP cert request is constructed, but without extensions)
  - Server responses haven't changed since the previous version.
  - New functionality for updating Renewal Information:
    - POST-as-GET to the renewalInfo base URL
    - Body contains base64url-encoding of DER-encoding of CertID
    - Similar to how ACME revocation requests are sent
    - Also contains metadata (see question below)
    - Request MUST be signed by the original Subscriber's key
      - No choice of keys as in ACME revocation
    - Allows ACME server to:
      - Revoke replaced certs early if necessary
      - Avoid sending unnecessary renewal reminder notifications
      - Send empty renewalInfo responses for replaced certs
  - MR: Might need to have information about which new certificate replaced an old one? So not an empty-body HTTP response then?
    - Yes, considering including serial (or CertID?) of replacement cert in POST-as-GET metadata
    - This could include the serial of the replacement cert
  - Open question: ExplanationURI in renewalInfo response?
    - Might provide value for certificate status monitoring services
    - Likely to be included in future draft
  - YN: Do you want to standardize ExplanationURI content type?
    - No, it is supposed to be human readable
  - YN (as chair): What are your plans in regards to the document? Do you want WG adoption?
    - (Yoav explains the process, giving up change control, etc.)
    - YN: We will do adoption after the IETF week
    - DC: Let's do this once you publish -02
- ACME Integrations
  - Presenter: Rifaat Shekh-Yusef
  - Just editorial since version -05:
    - Use DNS terminology consistently
    - Added missing acronyms
    - Clarified protocol vs server vs CA terminology
  - Some minor edits still upcoming
  - Asking for WG last call
- ACME Subdomains
  - Presenter: Michael Richardson
  - This document is new-ish, but was split out of the Integrations doc
  - Edits since version -02:
    - Fixed DNS and CA terminology
    - Updated JSON field names
    - Added clarifying text in examples
    - "domainNamespace" --> "subdomains"
  - Some minor edits still upcoming
  - Asking for WG last call
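The ARI path construction discussed above (base64url of the DER-encoded CertID, trailing "=" stripped), as an added example that is not code from the draft or from any ACME client: it assumes CertID is the RFC 6960 OCSP structure, uses a minimal hand-written DER encoder, and the issuer name bytes, issuer key bytes, serial number and base URL are constructed sample values.

```python
import base64
import hashlib

# DER tag bytes for the types a CertID needs.
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
# id-sha256 (2.16.840.1.101.3.4.2.1) as pre-encoded OID content bytes.
SHA256_OID = bytes([0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01])

def der_length(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content

def der_integer(value: int) -> bytes:
    """Minimal two's-complement INTEGER; the extra bit of room keeps the sign bit clear."""
    if value < 0:
        raise ValueError("certificate serial numbers are positive")
    return der_tlv(TAG_INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def der_cert_id(issuer_name_der: bytes, issuer_spk_bits: bytes, serial: int) -> bytes:
    """RFC 6960 CertID: SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }.

    issuer_name_der is the DER of the issuer Name; issuer_spk_bits is the content of the
    issuer's subjectPublicKey BIT STRING (tag, length and unused-bits byte excluded).
    """
    # AlgorithmIdentifier with NULL parameters, as OpenSSL emits (RFC 5754 also allows omitting them).
    alg = der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, SHA256_OID) + der_tlv(TAG_NULL, b""))
    name_hash = der_tlv(TAG_OCTET_STRING, hashlib.sha256(issuer_name_der).digest())
    key_hash = der_tlv(TAG_OCTET_STRING, hashlib.sha256(issuer_spk_bits).digest())
    return der_tlv(TAG_SEQUENCE, alg + name_hash + key_hash + der_integer(serial))

def ari_path_suffix(cert_id_der: bytes) -> str:
    """base64url of the DER with trailing '=' padding stripped, as described in the minutes."""
    return base64.urlsafe_b64encode(cert_id_der).decode("ascii").rstrip("=")

def ari_url(renewal_info_base: str, cert_id_der: bytes) -> str:
    """Join the renewalInfo base URL from the directory with the encoded CertID."""
    return renewal_info_base.rstrip("/") + "/" + ari_path_suffix(cert_id_der)

# Constructed sample inputs (not a real CA, key or certificate).
SAMPLE_CERT_ID = der_cert_id(b"constructed-issuer-name-der", b"constructed-issuer-key-bits", 0x1234)
SAMPLE_URL = ari_url("https://example.test/acme/renewal-info", SAMPLE_CERT_ID)
```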