Re: [Acme] [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt

Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com> Thu, 13 July 2023 07:47 UTC

From: Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>
To: Tim Hollebeek <tim.hollebeek@digicert.com>, Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org>, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, "acme@ietf.org" <acme@ietf.org>
Thread-Topic: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt
Thread-Index: AQHZsBerC3uY6kYm2E+UdbTaxF5c/6+s00KAgAnMbACAAAPDAIAAqzbZ
Date: Thu, 13 Jul 2023 07:47:10 +0000
Message-ID: <LV2PR11MB5975CCBAEB1E8BA525CA033CF837A@LV2PR11MB5975.namprd11.prod.outlook.com>
References: <168865435873.61106.2850041921157081937@ietfa.amsl.com> <CH0PR11MB5739FDB26BF675925C449AA69F2CA@CH0PR11MB5739.namprd11.prod.outlook.com> <SN7PR14MB6492304F09384DB611AF389C8336A@SN7PR14MB6492.namprd14.prod.outlook.com> <SN7PR14MB6492DCF6E68B8C489E5E76BE8336A@SN7PR14MB6492.namprd14.prod.outlook.com>
In-Reply-To: <SN7PR14MB6492DCF6E68B8C489E5E76BE8336A@SN7PR14MB6492.namprd14.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/EJLfMvwpvkjOcQrdhhepnidKUQQ>

> First, I think this is pretty clearly standards track, especially since I expect
> the authors are willing to work together with the IETF community and
> respond to feedback, and it includes normative requirements that are
> intended to be used with a major ecosystem, the WebPKI.

I have updated the draft from informational to standards track.

> 3.1.1. recommend clarifying the extent to which case matters.  How should
> "TRUE" or "True" be handled?

The document now specifies that this must be a lower-case Boolean.

> 4-5. This is WAY in the weeds, and possibly should just be ignored, but
> there's actually no requirement that the CA is able to host content at
> the domain specified in the CAA tag.  At a minimum, they're only required
> to have permission from the domain owner (RFC 8659, first paragraph,
> item 2, second clause).  This might actually even happen due to
> acquisitions.  In such situations, a CA might actually be unable to host
> content on a .well-known URL for a tag it uses.

CAs could instruct the user to use a new CAA issuer-domain, and they probably would prefer users to update their CAA record anyway. If an acquisition happens after this document is adopted, and the discovery information/redirect is already in place, this could be covered by contractual arrangements.

> I don't think 8.4.1/2 is in scope or makes the document better.  There are a
> wide variety of contractual solutions here, and how a user agrees to a
> particular CA's terms of service is not a relevant topic for IETF.

This consideration is included because RFC 8659 section 7.3.3 <https://www.rfc-editor.org/rfc/rfc8555#section-7.3.3> describes the acceptance of the terms of service, while section 10.5 is also clear that CAs need to keep in mind that ACME clients can automate this agreement, possibly not involving a human user.

I'm OK to remove or replace this with a more generic comment; any thoughts from anyone on this?

> Oops, I forgot the most important one.  The draft ignores the existence of the
> "issuewild" tag.  This won't work, because both issue and issuewild work together
> in RFC 8659.  See, for example, section 4.3, third paragraph.  There's a requirement
> to ignore "issue" records in certain circumstances, and it's not clear how that would
> interact with the "issue" tags specified in this draft.  I think explicit consideration of
> issuewild and how it would work together with this draft and RFC 8659 is needed.
>
> This is especially important because ACME can be used in conjunction with the
> issuance of wildcard certificates, and this draft probably needs to specify how
> things work for that, too.

I don't think that the draft ignores this; section 5 item 1 starts with:

1. The ACME client initiates a DNS lookup to retrieve the CAA record(s) according to [RFC8659]

where RFC8659 specifies the details of how CAA records must be checked. But I agree that this could be made more explicit; I added an example to describe this scenario in more detail.

Do you think that is sufficient, or should we add an introduction to section 5 or update item 2 with a normative requirement that the ACME MUST follow RFC8659 when selecting the valid CAA records for the domain?

________________________________
From: Tim Hollebeek <tim.hollebeek@digicert.com>
Sent: Wednesday, July 12, 2023 22:45
To: Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org>; Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>; acme@ietf.org <acme@ietf.org>
Cc: Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>
Subject: RE: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt

Oops, I forgot the most important one.  The draft ignores the existence of the
"issuewild" tag.  This won't work, because both issue and issuewild work together
in RFC 8659.  See, for example, section 4.3, third paragraph.  There's a requirement
to ignore "issue" records in certain circumstances, and it's not clear how that would
interact with the "issue" tags specified in this draft.  I think explicit consideration of
issuewild and how it would work together with this draft and RFC 8659 is needed.

This is especially important because ACME can be used in conjunction with the
issuance of wildcard certificates, and this draft probably needs to specify how
things work for that, too.

-Tim

> -----Original Message-----
> From: Acme <acme-bounces@ietf.org> On Behalf Of Tim Hollebeek
> Sent: Wednesday, July 12, 2023 4:32 PM
> To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>;
> acme@ietf.org
> Cc: Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>
> Subject: Re: [Acme] [EXTERNAL] New Version Notification for draft-
> vanbrouwershaven-acme-auto-discovery-00.txt
>
> Some REALLY quick comments from a brief read:
>
> First, I think this is pretty clearly standards track, especially since I expect the
> authors are willing to work together with the IETF community and respond to
> feedback, and it includes normative requirements that are intended to be
> used with a major ecosystem, the WebPKI.
>
> 3.1.1. recommend clarifying the extent to which case matters.  How should
> "TRUE" or "True" be handled?
>
> 4-5. This is WAY in the weeds, and possibly should just be ignored, but there's
> actually no requirement that the CA is able to host content at the domain
> specified in the CAA tag.  At a minimum, they're only required to have
> permission from the domain owner (RFC 8659, first paragraph, item 2, second
> clause).  This might actually even happen due to acquisitions.  In such
> situations, a CA might actually be unable to host content on a .well-known
> URL for a tag it uses.
>
> I don't think 8.4.1/2 is in scope or makes the document better.  There are a
> wide variety of contractual solutions here, and how a user agrees to a
> particular CA's terms of service is not a relevant topic for IETF.
>
> -Tim
>
> > -----Original Message-----
> > From: Acme <acme-bounces@ietf.org> On Behalf Of Mike Ounsworth
> > Sent: Thursday, July 6, 2023 10:54 AM
> > To: acme@ietf.org
> > Cc: Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>
> > Subject: [Acme] FW: [EXTERNAL] New Version Notification for draft-
> > vanbrouwershaven-acme-auto-discovery-00.txt
> >
> > Hi ACME!
> >
> > This is new business that we would like to add to the agenda for 117.
> >
> > Thanks,
> > ---
> > Mike Ounsworth & Paul van Brouwershaven
> >
> > -----Original Message-----
> > From: internet-drafts@ietf.org <internet-drafts@ietf.org>
> > Sent: Thursday, July 6, 2023 9:39 AM
> > To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; Paul van
> > Brouwershaven <Paul.vanBrouwershaven@entrust.com>
> > Subject: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt
> >
> > A new version of I-D,
> > draft-vanbrouwershaven-acme-auto-discovery-00.txt
> > has been successfully submitted by Paul van Brouwershaven and posted
> > to the IETF repository.
> >
> > Name:           draft-vanbrouwershaven-acme-auto-discovery
> > Revision:       00
> > Title:          Auto-discovery mechanism for ACME client configuration
> > Document date:  2023-07-06
> > Group:          Individual Submission
> > Pages:          16
> > URL:            https://www.ietf.org/archive/id/draft-vanbrouwershaven-acme-auto-discovery-00.txt
> > Status:         https://datatracker.ietf.org/doc/draft-vanbrouwershaven-acme-auto-discovery/
> > Html:           https://www.ietf.org/archive/id/draft-vanbrouwershaven-acme-auto-discovery-00.html
> > Htmlized:       https://datatracker.ietf.org/doc/html/draft-vanbrouwershaven-acme-auto-discovery
> >
> >
> > Abstract:
> >    A significant impediment to the widespread adoption of the Automated
> >    Certificate Management Environment (ACME) [RFC8555] is that ACME
> >    clients need to be pre-configured with the URL of the ACME server to
> >    be used.  This often leaves domain owners at the mercy of their
> >    hosting provider as to which Certification Authorities (CAs) can be
> >    used.  This specification provides a mechanism to bootstrap ACME
> >    client configuration from a domain's DNS CAA Resource Record
> >    [RFC8659], thus giving control of which CA(s) to use back to the
> >    domain owner.
> >
> >    Specifically, this document specifies two new extensions to the DNS
> >    CAA Resource Record: the "discovery" and "priority" parameters.
> >    Additionally, it registers the URI "/.well-known/acme" at which all
> >    compliant ACME servers will host their ACME directory object.  By
> >    retrieving instructions for the ACME client from the authorized
> >    CA(s), this mechanism allows for the domain owner to configure
> >    multiple CAs in either load-balanced or fallback prioritizations
> >    which improves user preferences and increases diversity in
> >    certificate issuers.
> >
> > The IETF Secretariat
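As an added illustration of the CAA selection step debated in this thread (example code written for this page, not code from the draft or from any ACME implementation): the RFC 8659 section 4.3 issue/issuewild rule is applied first, and only then are the draft's "discovery" and "priority" parameters read from the surviving records. The URL shape `https://<issuer-domain>/.well-known/acme`, the "lower priority value is tried first" ordering, and treating a non-lower-case "discovery" value as not enabling discovery are assumptions; locating the Relevant RRset by climbing the DNS tree (RFC 8659 section 3) is left out.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # CAA flags byte (the critical bit is not interpreted here)
    tag: str
    value: str


def relevant_records(identifier: str, rrset: list[CAARecord]) -> list[CAARecord]:
    """RFC 8659 section 4.3: for a wildcard name, issuewild records take
    precedence and every 'issue' record is ignored as soon as any issuewild
    record exists; when none exists, 'issue' records govern the wildcard too.
    For a non-wildcard name, issuewild records are ignored entirely.
    `rrset` is assumed to be the Relevant RRset already found per section 3."""
    wildcard = identifier.startswith("*.")
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    return issuewild if (wildcard and issuewild) else issue


def parse_issue_value(value: str) -> tuple[str, dict[str, str]]:
    """RFC 8659 section 4.2 value syntax: an issuer domain name followed by
    optional ';'-separated name=value parameters.  A value of ';' (empty
    issuer domain) means that no CA may issue."""
    parts = [p.strip() for p in value.split(";")]
    params: dict[str, str] = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return parts[0].lower(), params


def discovery_urls(identifier: str, rrset: list[CAARecord]) -> list[str]:
    """ACME directory URLs in the order an auto-discovering client would try
    them.  Assumed (not stated on the page): the directory lives at
    https://<issuer-domain>/.well-known/acme, lower 'priority' values are
    tried first, and records without a priority sort last."""
    candidates = []
    for rec in relevant_records(identifier, rrset):
        domain, params = parse_issue_value(rec.value)
        if not domain:
            continue  # explicit "no issuance" record
        # The thread settles on a lower-case Boolean, so only the literal
        # "true" enables discovery; "TRUE"/"True" leave the record unused.
        if params.get("discovery") != "true":
            continue
        try:
            prio = int(params.get("priority", ""))
        except ValueError:
            prio = 1 << 31
        candidates.append((prio, domain))
    candidates.sort()
    return [f"https://{d}/.well-known/acme" for _, d in candidates]


# Constructed sample RRset for example.com (not taken from the page).
SAMPLE = [
    CAARecord(0, "issue", "ca-one.example; discovery=true; priority=10"),
    CAARecord(0, "issue", "ca-two.example; discovery=true; priority=20"),
    CAARecord(0, "issue", "ca-three.example; discovery=TRUE"),
    CAARecord(0, "issuewild", "wild-ca.example; discovery=true"),
]
```

With `SAMPLE`, a request for `www.example.com` yields the two lower-case-enabled issue CAs in priority order, while `*.example.com` yields only the issuewild CA because the issue records are ignored.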