Re: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt

Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com> Wed, 12 July 2023 19:06 UTC

From: Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>
To: Q Misell <q=40as207960.net@dmarc.ietf.org>
CC: "acme@ietf.org" <acme@ietf.org>
Thread-Topic: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt
Date: Wed, 12 Jul 2023 19:05:08 +0000
Message-ID: <LV2PR11MB5975B4767F98EC2CD648CCCBF836A@LV2PR11MB5975.namprd11.prod.outlook.com>
References: <168865435873.61106.2850041921157081937@ietfa.amsl.com> <CH0PR11MB5739FDB26BF675925C449AA69F2CA@CH0PR11MB5739.namprd11.prod.outlook.com> <c940e1f9-8dde-f116-fa7b-d7519c1b3cc7@gmail.com> <LV2PR11MB5975448E7C35FC1335F8B474F82DA@LV2PR11MB5975.namprd11.prod.outlook.com> <6628ae69-f61b-3165-3efa-7d4768e19b62@gmail.com> <LV2PR11MB5975827314D8E2EFC3DDD731F82DA@LV2PR11MB5975.namprd11.prod.outlook.com> <LV2PR11MB5975C2D6F276523939E9F41BF82DA@LV2PR11MB5975.namprd11.prod.outlook.com> <CAMEWqGtUmdAK8xtLaeRJrkSA_ph1TBk0R3EapQFD4x-rByJ5YA@mail.gmail.com> <LV2PR11MB5975B021897C7E913DDB8BEDF82DA@LV2PR11MB5975.namprd11.prod.outlook.com>
In-Reply-To: <LV2PR11MB5975B021897C7E913DDB8BEDF82DA@LV2PR11MB5975.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/AW1IoSmOTEqpLgxQ_h7Bn9_5nm4>
Subject: Re: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt
List-Id: Automated Certificate Management Environment <acme.ietf.org>

>> You are correct, to facilitate account binding it's important that each customer is using its own ACME key.

> I will create an issue to spell this out more clearly in the document.

I have added the need for a unique ACME key to the security considerations:
https://vanbroup.github.io/acme-auto-discovery/draft-vanbrouwershaven-acme-auto-discovery.html#name-acme-keys
________________________________
From: Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>
Sent: Friday, July 7, 2023 10:56
To: Q Misell <q=40as207960.net@dmarc.ietf.org>
Cc: acme@ietf.org <acme@ietf.org>
Subject: Re: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt

Hi Q,

You are correct, to facilitate account binding it's important that each customer is using its own ACME key.

I will create an issue to spell this out more clearly in the document.

Paul

________________________________
From: Q Misell <q=40as207960.net@dmarc.ietf.org>
Sent: Friday, July 7, 2023 10:50:04 AM
To: Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>
Cc: acme@ietf.org <acme@ietf.org>
Subject: Re: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt

Hi,

Reading the draft I think it is the author's intention (correct me if wrong) that each customer of a hosting provider would have a new ACME account created for them, and for the contact details on the ACME account to be that of the customer, not the hosting provider.

I know it is common with hosting providers at the present time to have one ACME account for all customers, and for the contact details to be that of the hosting provider. Might it be worth spelling out in the I-D the author's intentions about who is the holder of the account. This would also help clarify who is actually agreeing to the CA ToS.

Thanks,
Q
________________________________



On Fri, 7 Jul 2023 at 09:23, Paul van Brouwershaven <Paul.vanBrouwershaven=40entrust.com@dmarc.ietf.org> wrote:
Adding that I agree that it would be great if service providers would all provide an option to configure ACME clients with a custom server and account binding, but I do not see how this would solve the problem of rate limiting.

________________________________
From: Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>
Sent: Friday, July 7, 2023 10:16:55 AM
To: Seo Suchan <tjtncks@gmail.com>; acme@ietf.org <acme@ietf.org>
Subject: Re: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt

I expect that rate limiting is the main problem for a CA that is configured as default. If there were thousands of users setting the same CAA records, this CA would need to identify that the rate limit is hit and adjust accordingly if these requests seem to be legit.

This would be less of a problem for a commercial CA, who would be bound by service level agreements and can identify the customers through the account binding, and so apply a rate limit per customer instead of per IP address/block.

Paul
________________________________
From: Seo Suchan <tjtncks@gmail.com>
Sent: Friday, July 7, 2023 10:07:27 AM
To: Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>; acme@ietf.org <acme@ietf.org>
Subject: Re: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt


How about rate limits? Large hosting providers will hit a CA's default API rate limit fast, so they contract with a specific CA for a rate limit increase. It feels like the entire automatic CA load-bearing doesn't work without the hosting provider having an EAB/ACME account from the domain holder: if it already has a menu for uploading such, that menu could have a box for the ACME directory URI too.



On 2023-07-07 at 4:54 PM, Paul van Brouwershaven wrote:
Hi Seo,
> a. ) CAs may want to put a list of ACME endpoints at well-known, for example one each for DV/OV/EV like Sectigo did with https://acme.sectigo.com/v2/EV

This could be solved by setting a CAA record to, for example, "ev.sectigo.com", which could have its own ACME server.

> b. ) I think a hosting provider wouldn't want to visit a random CA without human intervention, not only due to a potentially malicious one, but an open ACME endpoint may not be allowed to be used, for example a CA having a non-commercial-use-only limit on that endpoint, and they would likely stick to a CA they know even if it has low priority from CAA.

If the terms of service limit usage to non-commercial use, the domain owner should not set the CAA record if they run a commercial service; the domain owner is the entity giving the instruction to the ACME client and thus requests the certificate from the CA and is bound to the terms of service.

Paul


________________________________
From: Acme <acme-bounces@ietf.org> on behalf of Seo Suchan <tjtncks@gmail.com>
Sent: Friday, July 7, 2023 04:29
To: acme@ietf.org <acme@ietf.org>
Subject: Re: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt

a. ) CAs may want to put a list of ACME endpoints at well-known, for example one each for DV/OV/EV like Sectigo did with https://acme.sectigo.com/v2/EV

b. ) I think a hosting provider wouldn't want to visit a random CA without human intervention, not only due to a potentially malicious one, but an open ACME endpoint may not be allowed to be used, for example a CA having a non-commercial-use-only limit on that endpoint, and they would likely stick to a CA they know even if it has low priority from CAA.

On 2023-07-06 at 11:54 PM, Mike Ounsworth wrote:
> Hi ACME!
>
> This is new business that we would like to add to the agenda for 117.
>
> Thanks,
> ---
> Mike Ounsworth & Paul van Brouwershaven
>
> -----Original Message-----
> From: internet-drafts@ietf.org <internet-drafts@ietf.org>
> Sent: Thursday, July 6, 2023 9:39 AM
> To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>
> Subject: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt
>
>
> ______________________________________________________________________
>
> A new version of I-D, draft-vanbrouwershaven-acme-auto-discovery-00.txt
> has been successfully submitted by Paul van Brouwershaven and posted to the IETF repository.
>
> Name:           draft-vanbrouwershaven-acme-auto-discovery
> Revision:       00
> Title:          Auto-discovery mechanism for ACME client configuration
> Document date:  2023-07-06
> Group:          Individual Submission
> Pages:          16
> URL:            https://www.ietf.org/archive/id/draft-vanbrouwershaven-acme-auto-discovery-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-vanbrouwershaven-acme-auto-discovery/
> Html:           https://www.ietf.org/archive/id/draft-vanbrouwershaven-acme-auto-discovery-00.html
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-vanbrouwershaven-acme-auto-discovery
>
>
> Abstract:
>     A significant impediment to the widespread adoption of the Automated
>     Certificate Management Environment (ACME) [RFC8555] is that ACME
>     clients need to be pre-configured with the URL of the ACME server to
>     be used.  This often leaves domain owners at the mercy of their
>     hosting provider as to which Certification Authorities (CAs) can be
>     used.  This specification provides a mechanism to bootstrap ACME
>     client configuration from a domain's DNS CAA Resource Record
>     [RFC8659], thus giving control of which CA(s) to use back to the
>     domain owner.
>
>     Specifically, this document specifies two new extensions to the DNS
>     CAA Resource Record: the "discovery" and "priority" parameters.
>     Additionally, it registers the URI "/.well-known/acme" at which all
>     compliant ACME servers will host their ACME directory object.  By
>     retrieving instructions for the ACME client from the authorized
>     CA(s), this mechanism allows for the domain owner to configure
>     multiple CAs in either load-balanced or fallback prioritizations
>     which improves user preferences and increases diversity in
>     certificate issuers.
>
>
>
>
> The IETF Secretariat
>
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme

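Added example, not code from the draft or from any message in this thread: the client-side discovery step the forwarded abstract describes (CAA records carrying "discovery" and "priority" parameters, ACME directory at /.well-known/acme) together with the per-customer ACME account key rule Paul added to the security considerations. The parameter spelling `discovery=true` / `priority=<int>`, the rule that a lower priority number is tried first, and the default priority of 0 are assumptions made for this example, not taken from the draft; the CAA records and customer keys are constructed.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed CAA records in RFC 8659 presentation format (flags, tag, value).
# The "discovery" / "priority" parameter spelling is an assumption, not the draft's.
CAA_RECORDS = [
    '0 issue "ca-a.example; discovery=true; priority=10"',
    '0 issue "ca-b.example; discovery=true; priority=5"',
    '0 issue "legacy-ca.example"',                 # no discovery flag: skipped
    '0 issuewild "ca-c.example; discovery=true"',  # not an "issue" tag: skipped
    '0 iodef "mailto:security@example"',
]

@dataclass
class CaaIssue:
    ca: str
    params: Dict[str, str] = field(default_factory=dict)

def parse_caa(record: str) -> Optional[CaaIssue]:
    """Parse one CAA 'issue' record into issuer domain plus 'k=v' parameters."""
    m = re.fullmatch(r'(\d+)\s+(\S+)\s+"([^"]*)"', record.strip())
    if not m or m.group(2) != "issue":
        return None
    fields = [f.strip() for f in m.group(3).split(";")]
    params = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
    return CaaIssue(fields[0].lower(), params)

def discover_acme_servers(records: List[str]) -> List[str]:
    """Directory URLs of CAs that opted in with discovery=true, in the order the
    client should try them (assumed: lower priority number first, default 0)."""
    cas = []
    for r in records:
        rec = parse_caa(r)
        if rec and rec.ca and rec.params.get("discovery", "").lower() == "true":
            cas.append((int(rec.params.get("priority", "0")), rec.ca))
    cas.sort()
    return [f"https://{ca}/.well-known/acme" for _, ca in cas]

class AccountKeyRegistry:
    """Enforces the thread's security consideration: each hosting-provider
    customer uses its own ACME account key, so external account binding ties
    the account to that customer and the CA can rate-limit per customer."""

    def __init__(self) -> None:
        self._owner_of: Dict[str, str] = {}  # key fingerprint -> customer id

    @staticmethod
    def fingerprint(key_bytes: bytes) -> str:
        return hashlib.sha256(key_bytes).hexdigest()

    def conflicts(self, customer_id: str, key_bytes: bytes) -> Optional[str]:
        """Return the other customer already using this key, if any."""
        owner = self._owner_of.get(self.fingerprint(key_bytes))
        return owner if owner not in (None, customer_id) else None

    def register(self, customer_id: str, key_bytes: bytes) -> str:
        other = self.conflicts(customer_id, key_bytes)
        if other is not None:
            raise ValueError(f"ACME key already bound to customer {other}")
        fp = self.fingerprint(key_bytes)
        self._owner_of[fp] = customer_id
        return fp
```

The registry only checks key uniqueness across customers; a real client would generate the per-customer key with a proper library and use it for the ACME account and its external account binding.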