[Acme] Proposed changes to TLS-SNI, autorenewal removal

Hugo Landau <hlandau@devever.net> Fri, 22 January 2016 16:13 UTC

Return-Path: <hlandau@devever.net>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 471A61AD333 for <acme@ietfa.amsl.com>; Fri, 22 Jan 2016 08:13:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JpD4hBLTihTD for <acme@ietfa.amsl.com>; Fri, 22 Jan 2016 08:13:08 -0800 (PST)
Received: from umbriel.devever.net (umbriel.devever.net [149.202.51.241]) by ietfa.amsl.com (Postfix) with ESMTP id 77F4C1AD338 for <acme@ietf.org>; Fri, 22 Jan 2016 08:13:08 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by umbriel.devever.net (Postfix) with ESMTP id 5E8601C38D for <acme@ietf.org>; Fri, 22 Jan 2016 17:13:07 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=devever.net; h= user-agent:content-disposition:content-type:content-type :mime-version:message-id:subject:subject:from:from:date:date :received:received; s=mimas; t=1453479187; x=1471668548; bh=/s1l TxKi4tWH1Xqprjgsf62M3Hq3HBklMVJQ7w0CWW8=; b=eyc+yK7bH8+FnoSxSTwu A3uuWjtMtp5rZrW/eWZbmiUPO3HTHMhz5XyZTAox80vpJuhDtOWoyawqAOmbqEEV aG1Z+3vt2twntLJGRtWUapLGlL3Pb9qsC3ihRa3hmKdsMIBf4k2B3Arzvm1wZRPF wh2Vh4Q3KwCg+xg7uikYfHmae/bVa9Ms4dl7/gEvSMsHKgtnjLWjAnMQwmQ5qDBy LY9SHZOJl91cOZOIrKi7GDgVpmnutEz5iftrwTOzlX6iPOubhhwXRSv33Bbz3VSZ C57DoJIj6E5D+AC2vXWL4Bk0zhCCpRObAKmLE0c8ztbThiVN7VXCkGQh7GfWOygf Jg==
Received: from umbriel.devever.net ([127.0.0.1]) by localhost (umbriel.devever.net [127.0.0.1]) (amavisd-new, port 10026) with LMTP id 6bcpNurcoMa1 for <acme@ietf.org>; Fri, 22 Jan 2016 17:13:07 +0100 (CET)
Received: from andover (localhost [127.0.0.1]) by umbriel.devever.net (Postfix) with SMTP id 2E08C1C38B for <acme@ietf.org>; Fri, 22 Jan 2016 17:13:07 +0100 (CET)
Date: Fri, 22 Jan 2016 16:13:07 +0000
From: Hugo Landau <hlandau@devever.net>
To: acme@ietf.org
Message-ID: <20160122161306.GA19607@andover>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/OnLEcxUa_K30ERLIZl5kAreyyh8>
Subject: [Acme] Proposed changes to TLS-SNI, autorenewal removal
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jan 2016 16:13:10 -0000

I've submitted various pull requests for discussion here.

Firstly, I've drafted a specification for tls-sni-02
which resolves Jehiah's concerns.
  <https://github.com/ietf-wg-acme/acme/pull/71>

Secondly, I've added operational guidance for the use
of DNSSEC by ACME CAs.
  https://github.com/ietf-wg-acme/acme/pull/69

Thirdly, I propose the removal of autorenewal, which
complicates the protocol, introduces a number of concerns
and risks, and doesn't really enable anything that couldn't
be done without it. I'm also not aware of any current implementations of
it.
  <https://github.com/ietf-wg-acme/acme/pull/67>

Fourthly, I think the expiry of authorizations should be a timestamp,
not merely a date. This also fixes some examples with incorrect RFC3339
timestamps.
  <https://github.com/ietf-wg-acme/acme/pull/68>

Hugo Landau