ACME WG, IETF 119, 2024-03-21

Agenda

Minutes

Administrivia

Notes by Russ Housley, Mike Ounsworth, and Aaron Gable

Document Status (chairs)

ACME-Client was allowed to expire by the author, and it is presumed to
be "dead".

DTN NodeId Validation (Brian Sipos)

Draft -13 will be posted later this week. Ready for WGLC.

ACME Renewal Information (ARI) (Aaron Gable)

Draft -04 will be posted after IETF 119. The open question is what to do
when a "replaces" field requests the replacement of a previously issued
certificate that has already been replaced by another one. Perhaps
requiring a 409 response is appropriate.

Expect WGLC when this last open issue is resolved.
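As an added illustration of the open question above (this is not code from the ARI draft, from Boulder, or from any other ACME implementation), the following Python sketches the server-side bookkeeping a CA would need: it builds the ARI certificate identifier from the AKI keyIdentifier and the serial number, and rejects a second newOrder that names an already-replaced certificate with 409. The in-memory registry, the ownership check, and the "alreadyReplaced" problem-type name are assumptions chosen for the example; the open question in the minutes only says that 409 is perhaps appropriate.

```python
import base64


def _b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME uses for all binary values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def der_integer_contents(n: int) -> bytes:
    """Contents octets of a DER INTEGER for non-negative n: minimal big-endian
    two's complement, so a serial whose top bit is set gets a leading 0x00."""
    if n < 0:
        raise ValueError("certificate serial numbers are non-negative")
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """ARI identifier: base64url(AKI keyIdentifier) '.' base64url(DER serial contents)."""
    return _b64url(aki_key_identifier) + "." + _b64url(der_integer_contents(serial))


class AriReplacementRegistry:
    """Hypothetical server-side state for the "replaces" field of newOrder (an
    assumption of this example, not a structure any ACME server is known to use)."""

    def __init__(self) -> None:
        self._owner = {}        # cert_id -> account the certificate was issued to
        self._replaced_by = {}  # cert_id -> order id of the accepted replacement

    def record_issuance(self, cert_id: str, account: str) -> None:
        self._owner[cert_id] = account

    def new_order(self, account: str, order_id: str, replaces: str):
        """Return (HTTP status, response body) for a newOrder carrying `replaces`."""
        if replaces not in self._owner:
            return 400, {"type": "urn:ietf:params:acme:error:malformed",
                         "detail": "unknown certificate in replaces"}
        # Assumed policy: only the account that holds the certificate may replace it.
        if self._owner[replaces] != account:
            return 403, {"type": "urn:ietf:params:acme:error:unauthorized",
                         "detail": "account does not own the replaced certificate"}
        # The case discussed in the minutes: a replacement already exists, so a
        # second replacement order is a conflict. The error-type name is assumed.
        if replaces in self._replaced_by:
            return 409, {"type": "urn:ietf:params:acme:error:alreadyReplaced",
                         "detail": "certificate %s already replaced by order %s"
                                   % (replaces, self._replaced_by[replaces])}
        # Record the replacement at order creation so a later order sees it.
        self._replaced_by[replaces] = order_id
        return 201, {"status": "pending", "replaces": replaces}


if __name__ == "__main__":
    # Constructed values: a 20-byte keyIdentifier and serial 0x87654321.
    old_id = ari_cert_id(bytes(range(20)), 0x87654321)
    reg = AriReplacementRegistry()
    reg.record_issuance(old_id, "acct-1")
    print(reg.new_order("acct-1", "order-A", old_id))   # 201: first replacement
    print(reg.new_order("acct-1", "order-B", old_id))   # 409: already replaced
```

The serial encoding is the part most often gotten wrong: the identifier uses the DER contents octets, so a serial with its top bit set carries the leading 0x00 byte and the base64url string for it begins with "A".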

Device Attestation (Brandon Weeks)

First time presenting since London.

Mike Ounsworth (MikeO): there is overlap between this and
draft-ietf-lamps-csr-attestation. We had some discussion on-list and
decided that there is enough implementor momentum on this to proceed
with both in parallel.
https://mailarchive.ietf.org/arch/msg/acme/5v422PrkjO340FyOaqiIyEcihdo/

Evgeny Shatokhin: Open source implementation by Google is in the works.

Charles Eckel: Is this intended for physical devices, or also virtual
workloads?

Brandon: We are envisioning physical devices (webauthn), but virtual
TPMs appear shockingly similar to physical ones.

Yoav: Is this ready for WGLC?

MikeO: Yes.

ACME-Onion (Q Misell)

Author thinks that the document is done, but the WGLC was too quiet.
Please review!

ACME-based provisioning of IoT devices (Mike Sweet)

Aaron: This document does not really make extensions to ACME. Does this
belong in this WG or somewhere else?

Mike Sweet (MikeS): It is important that ACME knows this work is going
on, and there is a need to review the security considerations.

Andy: Please look at DANCE.

MikeO: This draft is dealing with the same problem as Tiru's
presentation from earlier this week:
https://datatracker.ietf.org/meeting/119/materials/slides-119-add-why-host-encrypted-dns-forwarders-on-managed-cpes-00

Dave Robin: Building systems have this problem too. Without the DNS, it
is not clear how the ACME challenge gets handled at all.

MikeS: In the printer industry, the domain name is based on the vendor
and the MAC address.

Dave Robin: Self-assigned names seem to be incompatible with ACME.
There is no way for the ACME server to reach out to a human user.

Evgeny Shatokhin: Not all networks have HTTP over IP.

Aaron Gable (on behalf of David Benjamin): it's not just about browsers
updating their local CA trust stores per subnet, but also the whole
concept of browser same-origin would need a complex rework to accommodate
that printer.local will be a different origin if your laptop changes
to a different network.

MikeO: There is a real problem to be solved here. Let's figure out how
to dispatch it.

Yoav: Running out of time; need to move on...

ACME Auto Discovery (Mike Ounsworth)

In Prague, a design team was formed. It has solved all of the issues
that were raised in Prague. The result is two I-Ds. The auto-discovery
draft is ready for an adoption call. The acme-client-discovery draft may
need more work.

Aaron: There is a one-to-one binding between accounturi and public key.
Can't we just use that to solve part of the client key discovery
problem?

MikeO: What about the situation where the CA has not dealt with a
particular client yet?

Rich: Don't delay adoption of auto-discovery.

Any Other Business

Aaron: The dns-account-01 draft has had significant updates since Prague.
Please review.