Re: [Acme] [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt

Tim Hollebeek <tim.hollebeek@digicert.com> Wed, 12 July 2023 20:32 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, "acme@ietf.org" <acme@ietf.org>
CC: Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>
Date: Wed, 12 Jul 2023 20:32:10 +0000
Message-ID: <SN7PR14MB6492304F09384DB611AF389C8336A@SN7PR14MB6492.namprd14.prod.outlook.com>
References: <168865435873.61106.2850041921157081937@ietfa.amsl.com> <CH0PR11MB5739FDB26BF675925C449AA69F2CA@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB5739FDB26BF675925C449AA69F2CA@CH0PR11MB5739.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Iq1RZHQe7fZK_gMPYl6pwEJTiQM>
Subject: Re: [Acme] [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt

Some REALLY quick comments from a brief read:

First, I think this is pretty clearly standards track, especially since I expect
the authors are willing to work together with the IETF community and
respond to feedback, and it includes normative requirements that are
intended to be used with a major ecosystem, the WebPKI.

3.1.1. recommend clarifying the extent to which case matters.  How should
"TRUE" or "True" be handled?

4-5. This is WAY in the weeds, and possibly should just be ignored, but
there's actually no requirement that the CA is able to host content at
the domain specified in the CAA tag.  At a minimum, they're only required
to have permission from the domain owner (RFC 8659, first paragraph,
item 2, second clause).  This might actually even happen due to 
acquisitions.  In such situations, a CA might actually be unable to host
content on a .well-known URL for a tag it uses.

I don't think 8.4.1/2 is in scope or makes the document better.  There are a
wide variety of contractual solutions here, and how a user agrees to a
particular CA's terms of service is not a relevant topic for IETF.

-Tim

> -----Original Message-----
> From: Acme <acme-bounces@ietf.org> On Behalf Of Mike Ounsworth
> Sent: Thursday, July 6, 2023 10:54 AM
> To: acme@ietf.org
> Cc: Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>
> Subject: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt
> 
> Hi ACME!
> 
> This is new business that we would like to add to the agenda for 117.
> 
> Thanks,
> ---
> Mike Ounsworth & Paul van Brouwershaven
> 
> -----Original Message-----
> From: internet-drafts@ietf.org <internet-drafts@ietf.org>
> Sent: Thursday, July 6, 2023 9:39 AM
> To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; Paul van
> Brouwershaven <Paul.vanBrouwershaven@entrust.com>
> Subject: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt
> 
> A new version of I-D, draft-vanbrouwershaven-acme-auto-discovery-00.txt
> has been successfully submitted by Paul van Brouwershaven and posted to
> the IETF repository.
> 
> Name:           draft-vanbrouwershaven-acme-auto-discovery
> Revision:       00
> Title:          Auto-discovery mechanism for ACME client configuration
> Document date:  2023-07-06
> Group:          Individual Submission
> Pages:          16
> URL:            https://www.ietf.org/archive/id/draft-vanbrouwershaven-acme-auto-discovery-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-vanbrouwershaven-acme-auto-discovery/
> Html:           https://www.ietf.org/archive/id/draft-vanbrouwershaven-acme-auto-discovery-00.html
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-vanbrouwershaven-acme-auto-discovery
> 
> 
> Abstract:
>    A significant impediment to the widespread adoption of the Automated
>    Certificate Management Environment (ACME) [RFC8555] is that ACME
>    clients need to be pre-configured with the URL of the ACME server to
>    be used.  This often leaves domain owners at the mercy of their
>    hosting provider as to which Certification Authorities (CAs) can be
>    used.  This specification provides a mechanism to bootstrap ACME
>    client configuration from a domain's DNS CAA Resource Record
>    [RFC8659], thus giving control of which CA(s) to use back to the
>    domain owner.
> 
>    Specifically, this document specifies two new extensions to the DNS
>    CAA Resource Record: the "discovery" and "priority" parameters.
>    Additionally, it registers the URI "/.well-known/acme" at which all
>    compliant ACME servers will host their ACME directory object.  By
>    retrieving instructions for the ACME client from the authorized
>    CA(s), this mechanism allows for the domain owner to configure
>    multiple CAs in either load-balanced or fallback prioritizations
>    which improves user preferences and increases diversity in
>    certificate issuers.
> 
> The IETF Secretariat
> 
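As an added example (not code from the draft, its authors, or anyone in this thread), here is the discovery flow the abstract sketches, carrying the two points raised in the reply: the case question on the boolean parameter and the fact that a CA need not host anything at the domain named in the CAA tag. The CAA parameter syntax, the "lower priority number is preferred" ordering, the case-insensitive treatment of the "discovery" value and the `reachable` probe are assumptions, not draft text.

```python
# Added example (not draft or thread code). Assumptions: parameter syntax,
# lower priority number preferred, case-insensitive "discovery" boolean.
from typing import Callable, Dict, List, NamedTuple, Optional

WELL_KNOWN = "/.well-known/acme"   # URI the abstract says the draft registers

class CaaIssue(NamedTuple):
    issuer: str       # issuer-domain-name from the CAA issue value
    discovery: bool   # "discovery" parameter, normalised to a bool
    priority: int     # "priority" parameter (assumption: lower is preferred)

def parse_caa_issue(value: str) -> CaaIssue:
    """Parse e.g. 'ca.example; discovery=true; priority=10' (RFC 8659 syntax)."""
    fields = [f.strip() for f in value.split(";")]
    issuer = fields[0].lower()   # domain names compare case-insensitively
    params: Dict[str, str] = {}
    for field in fields[1:]:
        if not field:
            continue
        tag, sep, val = field.partition("=")
        if not sep:
            raise ValueError(f"malformed CAA parameter: {field!r}")
        params[tag.strip().lower()] = val.strip()
    # Assumption: TRUE/True/true all accepted; the reply asks the draft to
    # settle whether case matters, so a real client must follow the draft.
    discovery = params.get("discovery", "false").lower() == "true"
    return CaaIssue(issuer, discovery, int(params.get("priority", "0")))

def candidate_directories(values: List[str]) -> List[List[str]]:
    """One inner list per priority value (a load-balanced set); tiers are
    ordered for fallback, lowest number first."""
    recs = [r for r in map(parse_caa_issue, values) if r.discovery]
    tiers: Dict[int, List[str]] = {}
    for r in sorted(recs, key=lambda r: r.priority):
        tiers.setdefault(r.priority, []).append(f"https://{r.issuer}{WELL_KNOWN}")
    return [tiers[p] for p in sorted(tiers)]

def select_directory(values: List[str], reachable: Callable[[str], bool]) -> Optional[str]:
    """First directory URL the probe accepts. The probe stands in for the HTTPS
    fetch: a CA may host nothing at the CAA tag domain, so dead tiers fall through."""
    for tier in candidate_directories(values):
        for url in tier:
            if reachable(url):
                return url
    return None

SAMPLE = ["Primary-CA.example; discovery=TRUE; priority=10",   # constructed sample
          "backup-ca.example; discovery=true; priority=20", "legacy-ca.example"]
```

With `SAMPLE`, a probe that rejects the primary CA's well-known URL yields the backup CA's directory, and a probe that rejects everything yields `None` rather than a silently mis-configured client.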