Re: [Acme] Survey of draft-07 implementations

Daniel McCarney <cpu@letsencrypt.org> Wed, 08 November 2017 13:48 UTC

From: Daniel McCarney <cpu@letsencrypt.org>
Date: Wed, 08 Nov 2017 08:48:55 -0500
Message-ID: <CAKnbcLhES7WPkdCDq-EzfgMyxW_gaZg43qN2XC41YhQcPmFKtA@mail.gmail.com>
To: Mads Egil Henriksveen <Mads.Henriksveen@buypass.no>
Cc: IETF ACME <acme@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/2A4b_ZGzY7pubpmrJrNXAC_m3zc>

Hi Mads,


> The testing will be based on our own test clients and client software
> developed by our partners. If you know about any other clients supporting
> draft-07, please let me know.


I'm only aware of ACME4j's draft branch that I linked to in my original
post. Note: of course it's presently based on proactive issuance which is
likely to be removed shortly.
Are any of Buypass' (or your partners') test clients available as open source?


> We are currently working with a specification for the next phase including
> OOB and according to our current plan this will be completed in Q4 2017


Can you expand on your use-case for the OOB challenge and perhaps address
areas where external account binding isn't sufficient?

Thanks!

- Daniel / cpu

On Tue, Nov 7, 2017 at 12:17 PM, Mads Egil Henriksveen <Mads.Henriksveen@buypass.no> wrote:

> Hi Daniel
>
>
>
> The testing will be based on our own test clients and client software
> developed by our partners. If you know about any other clients supporting
> draft-07, please let me know.
>
>
>
> We are currently working with a specification for the next phase including
> OOB and according to our current plan this will be completed in Q4 2017. We
> hope to begin the implementation in Q1 2018, but right now I am not able to
> say when this will be finished.
>
>
>
> Regards
>
> Mads
>
>
>
> *From:* Daniel McCarney [mailto:cpu@letsencrypt.org]
> *Sent:* torsdag 2. november 2017 15:02
> *To:* Mads Egil Henriksveen <Mads.Henriksveen@buypass.no>
> *Cc:* IETF ACME <acme@ietf.org>
> *Subject:* Re: [Acme] Survey of draft-07 implementations
>
>
>
> Hi Mads,
>
> Happy to hear about another implementation! Thanks for replying.
>
> We are also running a constrained pilot in our production environment
> (supporting CertBot) and this will be upgraded to the ACME draft-07 version
> shortly.
>
>
> What is your plan for testing your draft-07 pilot? It sounds like you only
> target Certbot and there is no order based issuance support in Certbot
> presently (among other divergences with draft-07/08).
>
> However, we are considering using the Out-of-Band Challenge type and
> possibly also External Account Binding in a next phase where the idea is to
> exploit how the ACME protocol may be used to support issuance and
> administration of other types of TLS certificates than DV.
>
>
> Can you speak to when this phase may begin/end? I worry that it will be
> too late for any implementation experience to be able to influence the
> draft if this phase of your project won't be complete for some time.
>
> - Daniel / cpu
>
>
>
> On Sat, Oct 21, 2017 at 2:56 AM, Mads Egil Henriksveen <Mads.Henriksveen@buypass.no> wrote:
>
> Hi
>
>
>
> Buypass has implemented an ACME server based on ACME draft-07 which uses
> order based issuance; this version is currently available in a test
> environment only. We are also running a constrained pilot in our production
> environment (supporting CertBot) and this will be upgraded to the ACME
> draft-07 version shortly.
>
>
>
> We have included support for Pre-Authorization, but we are using
> neither External Account Binding nor the Out-of-Band Challenge in our
> current version. However, we are considering using the Out-of-Band
> Challenge type and possibly also External Account Binding in a next phase
> where the idea is to exploit how the ACME protocol may be used to support
> issuance and administration of other types of TLS certificates than DV.
>
>
>
> Regards
>
> Mads
>
>
>
> *From:* Acme [mailto:acme-bounces@ietf.org] *On Behalf Of *Daniel McCarney
> *Sent:* fredag 20. oktober 2017 22:36
> *To:* IETF ACME <acme@ietf.org>
> *Subject:* [Acme] Survey of draft-07 implementations
>
>
>
> Hi folks,
>
>
>
> As the WG approaches last-call on ACME draft-07[0] I wanted to get a sense
> of which portions of the spec have been implemented and which haven't.
>
>
>
> In particular I'd like to hear if anyone has implemented:
>
> * External Account Binding (Section 7.3.5)
>
> * Pre-Authorization for Order based issuance (Section 7.4.1)
>
> * The Out-of-Band Challenge type (Section 8.6)
>
>
>
> Let's Encrypt has made good progress on draft-07 server implementation but
> has no plans to implement the above three features. It would be nice to
> hear that someone has running code for these portions of the spec.
>
>
>
> Ignoring the above three items Let's Encrypt has implemented the core
> portions of draft-07 in Pebble[1]. It's presently using the pro-active
> issuance method described in draft-07. It does not support key change or
> revocation but is ready to be used by clients. There is an integration test
> client[2] based on Certbot's ACME python module and ACME4j has an
> experimental branch[3] capable of issuing certificates from Pebble.
>
>
>
> Let's Encrypt has also made significant progress implementing draft-07 in
> Boulder[4], the production Let's Encrypt CA software, but it is not yet
> ready for use by clients. This implementation does include key change and
> revocation but does **not** use pro-active issuance. I began a separate
> thread[5] for the order finalization approach that we have started to
> implement for Boulder. Pebble will be updated to use this issuance approach
> in place of pro-active issuance shortly.
>
>
>
> Are there any other servers or clients out there that are speaking
> draft-07 ACME and using order based issuance?
>
>
>
> - Daniel / cpu
>
>
>
> [0]: https://tools.ietf.org/html/draft-ietf-acme-acme-07
>
> [1]: https://github.com/letsencrypt/pebble
>
> [2]: https://github.com/letsencrypt/boulder/blob/e2cc6fbe682dd5d49da32c2357838b0cc831f10f/test/chisel2.py
>
> [3]: https://github.com/shred/acme4j/tree/draft
>
> [4]: https://github.com/letsencrypt/boulder
>
> [5]: https://mailarchive.ietf.org/arch/msg/acme/DIjJEB06J5cFyuOlGPVcY2I51vg