Work items
AOB - 10 min
Notes by Russ Housley, Mike Ounsworth, and Aaron Gable
ACME-Client was allowed to expire by the author, and it is presumed to
be "dead".
Draft -13 will be posted later this week. Ready for WGLC.
Draft -04 will be posted when IETF 119 is over. Open question is what to
do when a "replaces" requests the replacement of a previously issued
certificate that has already been replaced by another one. Perhaps
requiring a 409 response is appropriate.
Expect WGLC when this last open issue is resolved.
First time presenting since London.
Mike Ounsworth (MikeO): there is overlap between this and
draft-ietf-lamps-csr-attestation. We had some discussion on-list and
decided that there is enough implementor momentum on this to proceed
with both in parallel.
https://mailarchive.ietf.org/arch/msg/acme/5v422PrkjO340FyOaqiIyEcihdo/
Evgeny Shatokhin: Open source implementation by Google is in the works.
Charles Eckel: Is this intended for physical devices, or also virtual
workloads?
Brandon: We are envisioning physical devices (webauthn), but virtual
TPMs appear shockingly similar to physical ones.
Yoav: Is this ready for WGLC?
MikeO: Yes.
Author thinks that the document is done, but the WGLC was too quiet.
Please review!
Aaron: This document does not really make extensions to ACME. Does this
belong in this WG or somewhere else?
Mike Sweet (MikeS): It is important that ACME knows this work is going
on, and there is a need to review the security considerations.
Andy: Please look at DANCE.
MikeO: This draft is dealing with the same problem as Tiru's
presentation from earlier this week:
https://datatracker.ietf.org/meeting/119/materials/slides-119-add-why-host-encrypted-dns-forwarders-on-managed-cpes-00
Dave Robin: Building systems have this problem too. Without the DNS, it
is not clear how the ACME challenge gets handled at all.
MikeS: In the printer industry, the domain name is based on the vendor
and the MAC address.
Dave Robin: Self-assigned names seem to be incompatible with ACME.
There is no way for the ACME server to reach out to a human user.
Evgeny Shatokhin: Not all networks have HTTP over IP.
Aaron Gable (on behalf of David Benjamin): it's not just about browsers
updating their local CA trust stores per subnet, but also the whole
concept of browser SameOrigin would need a complex re-work to accommodate
that printer.local will be a different origin if your laptop changes
to a different network.
MikeO: There is a real problem to be solved here. Let's figure out how
to dispatch it.
Yoav: Running out of time; need to move on...
In Prague, a design team was formed. It has solved all of the issues
that were raised in Prague. The result is two I-Ds. The auto-discovery
is ready for adoption call. The acme-client-discovery may need more
work.
Aaron: There is a one-to-one binding between accounturi and public key.
Can't we just use that to solve part of the client key discovery
problem?
MikeO: What about the situation where the CA has not dealt with a
particular client yet?
Rich: Don't delay adoption of auto-discovery.
Aaron: dns-account-01 draft has significant updates since Prague.
Please review.