ACME IETF 97

Chairs: Rich Salz, Ted Hardie

Scribe: Martin Thomson

Meetecho recording: http://recs.conf.meetecho.com/Playout/watch.jsp?recording=IETF97_ACME&chapter=chapter_1

After Administrivia, the Richard Barnes led the group in a review of the closed and open issues of version 4 of the draft ( https://datatracker.ietf.org/doc/draft-ietf-acme-acme/). His slides are here: https://www.ietf.org/proceedings/97/slides/slides-97-acme-acme-protocol-spec-01.pdf

The discussion was captured by Martin in MEME form:

&

Richard noted that most of the issues were closed late in the cycle:

There was no discussion of the typos, or clarifications, in the developer friendliness-related updates, content negotiation was added:

and PEM with chain made the default:

The ToS of service flow has also been simplified:

even in the case where re-agreement is not required:

The group agreed to replace the current Agreement with Action Required

to better align the two.

The group then reviewed the simplifications related to Key Rollover:





The group then reviewed open issues.

Account Management

#170 & #172 address this.



We may need security considerations recommending counter signing, to avoid UKS-like risks.



Clint Wilson from digicert confirmed that this was useable for their needs. They need to include a field that allows them specify the ACME key. Martin noted that you need to prove that you hold the private key for that ACME key--possibly a jws field. Martin and Richard will work together to get a solution proposed, possibly based on Mozilla’s push.

From the floor, Rich Salz noted that it’s an API key, so the security considerations are basically those of any other API key; we likely don’t need to say more than that.

Additional CA Account Data

How to provide additional data



Working group polled on what to do?

Martin: this is just another form of the x- thing; this is bucket of things that might be useful. If useful for one, likely generally useful. Accepted wisdom is that we define these in the free form text fields that we already have. We don’t need a special bucket. Required extensions are a special problem that CAs create for themselves--we do have a mechanism for protecting the semantics (the version). [Toss these in the top level, in other words, don’t make these extensions]. Clint agreed.



We can avoid collision by creating a registry with very simple addition rules.



&

Object Model

#195 Combine “requirements” and “authorizations”.



This proposal removes requirements and oob, and use only authorization.