Automated Certificate Management Environment (acme)
IETF 115, Thursday, 10 Nov 2022 1530-1630 UTC, Room: Mezzanine 10-11
(East Wing, First Floor)
Agenda
Note Well, technical difficulties and administrivia (chairs) – 5 min
Document Status (chairs) – 10 min
- No new RFCs (third meeting in a row).
- Some recently published drafts.
- The authority-token draft may be published as RFC before next
meeting.
- The tnauthlist draft has DISCUSSes open. Jon Peterson notes the
tnauthlist issues should be resolved in about a month.
- The acme-integrations draft needs revision following AD evaluation.
- The acme-subdomains draft is in IETF LC.
Work items
draft-ietf-acme-dtnnodeid-09 (Sipos) - 10 min
- The draft -10 version fixed typos and added some clarification re:
the experimental nature of the draft.
- Draft is waiting on an update to the IANA registry for Bundle
Protocol (draft to handle the update is up for DTN WG adoption).
Brian suggests this draft wait in an approval cluster. Roman
affirmed the plan to park the draft until the dependency progresses (AD
follow-up/external review required).
New work
draft-bweeks-acme-device-attest (Weeks) - 10 min
- Changes since IETF 114. Clarifying that verification procedures are
out of scope.
- Affirming new IANA registry will be created (in tandem with similar
draft in LAMPS).
- All discussion so far has been about wrapping attestation formats.
Three drafts take vendor-specific attestation and include it in a
cert request or TLS handshake. The goal is to use the same encapsulation
format. The latest TLS draft has moved away from the same format. Yaron
notes that the divergence with the TLS draft goes beyond format and into
use cases.
- Two implementations: iOS/tvOS; step-ca certification authority. They
are thought to interoperate.
- Richard Barnes thought the approach in the draft was clear and ready for
an adoption call. No one voiced opinion against adoption. A call for
adoption will be sent to the list.
draft-todo-chariton-dns-account-01 (Omidi, Chariton) - 15 min
- Antonios gave a summary of the relevant existing mechanism and
motivation for the draft (use cases, things to avoid, etc).
- New mechanism is not intended to replace dns-01 but to be an
additional mechanism.
- A summary of the proposed mechanism was provided. Intent is to make
sure the mechanism would work well with Web PKI, but Web PKI is not
the only target.
- CAB/Forum procedures were reviewed to affirm compatibility with Web
PKI practices. Richard asked if any adjustments would be required to
align with CAB/Forum. Antonios indicated no changes necessary. Tim
Hollebeek notes he thinks there may be some CAB/Forum issues due to
CAB/Forum reference to ACME RFC. Tim offered to help research and
work out any issues.
- Antonios shared some additional resources that may be useful for
reviewers.
- Richard Barnes noted he thought the draft was ready for an adoption
call. Several people indicated they have read the draft. The chair
asked for more review and comment on list. No one voiced opinion
against adoption. A call for adoption will be sent to the list.
AOB - 10 min
No other business.