[Acme] Update: draft-geng-acme-public-key-05
吴攀雨 <wupanyuuu@gmail.com> Thu, 02 April 2026 14:16 UTC
Return-Path: <wupanyuuu@gmail.com>
X-Original-To: acme@mail2.ietf.org
Delivered-To: acme@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 5487DD590A43 for <acme@mail2.ietf.org>; Thu, 2 Apr 2026 07:16:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1775139363; bh=VGlI5snJHILird4Fe1W9geAIls6z9Vv+MkDW6zp+EWU=; h=From:Date:Subject:To:Cc; b=ltcsyRv6wmb8z37k4kigCHPVHwKeNdBQkZHaW0IQ+QPpPhZmPweTpa8IprNvimXND EF/qb1jqjF0xS7PRFijKMevtw5jFhU64HYMxvCC2h6YojYQXNRBdZa4VCf1hekgfUk HVk/ctPQoFvoUFmtus3Wfas7Qi7mKSzYPjeyZffQ=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3lI2BDyhG77c for <acme@mail2.ietf.org>; Thu, 2 Apr 2026 07:16:02 -0700 (PDT)
Received: from mail-ed1-x536.google.com (mail-ed1-x536.google.com [IPv6:2a00:1450:4864:20::536]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id C251FD590A37 for <acme@ietf.org>; Thu, 2 Apr 2026 07:16:02 -0700 (PDT)
Received: by mail-ed1-x536.google.com with SMTP id 4fb4d7f45d1cf-66e07d6bba5so1202140a12.0 for <acme@ietf.org>; Thu, 02 Apr 2026 07:16:02 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1775139361; cv=none; d=google.com; s=arc-20240605; b=I6cENDU/8eSTJOUYgcv7ldk5IyQ89zur9ATDhbNXGSpTvkQlQ3/0ZImuSQsDxWNTUz /bLzZ8kjspOwmwgYlWSvSupIa23FEUFDCqnJEogLd/MjvBpigiQ5/HoUZk6mv2ztPVNU SyAbwlwBc6jTtpQS9ffo9RmElIh347ykBeWz8tlAzSl/q++8YfXK1UYyhTMfVwkJMpvG gIJ1DC4wy9dYDDnzTrFTEhWleaFY3nD70cp1/sLA4MdkTca5gA2dD6/2qj3AY9ss6+th VSigOm/LOg8NGGs30b66LtkePsJs3tC5EmC4WeNoYdF0cNg6TY5QcPRIW9WnrojeDzSF QXsw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:mime-version:dkim-signature; bh=WOGtMswmwVRbLgcbIEsLKyVjXUWIu0IgmcdAqPr6CLY=; fh=p9FUVf/wnST6p8hR3oMoUb+maWnRtoJA+mXMfgfVSY0=; b=W1NrtFS3zLWn0uAKLOqw3m/O1srHa5VZa9IlruZ2XdixatcvWQt/nZDGL+fO5Xn+Fr C1O3re7fodJ8kkktHKUIp+lj8ktgUFPEb7eauSRjqPAFpufm79oNZW/THNWHE2Y1V3Jw JT8gtr0G49JwSUPXYVVN3NyZeADGK7bjqzlRS5Y9iJCbZCw/d5NLO8X7/8cDely9dEP+ rfiwMMKuIbT5j4xR4P6SpBm0ZfyI4LBpJcFj6WdyH84VLiYZrZVK9vp7djP1tQAC/GCE Z+ncVvCGI3feBxPotO+uIP0QgRV7fhz9PIihQE5W2Rdk9uPZEFyh0ZclLVdfNMljImaQ /3Ug==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775139361; x=1775744161; darn=ietf.org; h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=WOGtMswmwVRbLgcbIEsLKyVjXUWIu0IgmcdAqPr6CLY=; b=UhANqmLImC4tC3KtVF2Dkk+ngO9Ws9J9EB8AYY7j0AnPP4Y/mrpWth71b0W/r/R/Yf UqdPed3aDuI1AO6xsDiZTeZduJqlh8791aW3/vpouqfuKcPWM1lblnZ9kMmU1xul9mhx xqAC4eTp2Zk1ej5TmkhhZNh78BhO4TvR+5lmZjRhTOz7FwdMJ1u1KLSJGWXr/1iiVdYo RvOr/NZGGv2hFTMnGpqSgdXEkBUylU/1r36leXZBRT6Y8iOWCtzUuec+xQuRsT6KyMbb atr6rCf1OsZ5hzr9UZcEr1GEfBNzZ281MzE8S5xZEUup1rVj7SjCxKSoRxz+jiQqQtmA ovPw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775139361; x=1775744161; h=cc:to:subject:message-id:date:from:mime-version:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=WOGtMswmwVRbLgcbIEsLKyVjXUWIu0IgmcdAqPr6CLY=; b=CUpBikkz9tBLPT90Gg2mW4ApwMW3R2Yt3Yn4f0aM8XDLTuz6SiiqpsTL210XNcXTt7 E4LXpYfF0JAMieepySuERavz4vYxcKcVCMX0C27ZH6hcPia0CEDrlmgZ6Ozm7dDKn2sy 4pUfYKrM6+rf9Zx2IJrD5ItwAyjVP3+GDzVHhLpBCPnvI/xaNnVycmH/cbrhRuqB5+rK FA20Gjey/LW6Jaw+uCWku4mlc/FJyK/4/8/3A8AkGPQEBLoljl+rqtHxD3vz0ZeGt0v3 1R5jf0XChyW3ScRdz3wV1SOIDCpjgts5ypt8LWe0UyGwwi5NqfMJOKmpcaVj2sEYZo5K qxBg==
X-Gm-Message-State: AOJu0YyEBQzNcF6uy/Gigr2HztAIOlGlYHg+OIBQQY4VnxmGJIgTu7uL 2g5YhycRLT7zfV8nQFXEkp6XY9lMdEfopNdkYssq/JaxVM1xxRTdYWPIHswWPG6seXYhKbhcVJ8 WzbSZNAmqtHwip22lCUaaiRR4O/3mYIid6ac50Zk=
X-Gm-Gg: ATEYQzzW7aFXAFVxY0VP0Kzf4IuQSn7F6J1wglkwogekRGtibxBFEeDqMNTjs83pf+F dm7Kbpv68CCTzjR3bte2sThy9/GLJf8YNDav6TzJzhWHFoJT1TIDrLGFwMxXda3iaXem5uy2o4U 05xyVYrrCcJqHwJQxo+oGKNvSXj7Uq0oRv5dBpM7d1sJW5wCgld3VNy1jI/p51oT0QPq+xg44qO np66qxwcJTM4PJRt3R5zDDNhOYslygRqAAw5AI/eGIkIGj0vWEiZ6tqkxn96EzRdBPEI2MWWrLV yHU8vU/Y
X-Received: by 2002:a05:6402:20c9:b0:66c:ecdd:9cac with SMTP id 4fb4d7f45d1cf-66db09e75cdmr3964515a12.17.1775139361179; Thu, 02 Apr 2026 07:16:01 -0700 (PDT)
MIME-Version: 1.0
From: 吴攀雨 <wupanyuuu@gmail.com>
Date: Thu, 02 Apr 2026 22:15:48 +0800
X-Gm-Features: AQROBzCTZLbqgAytwMv11OsxHe3Pp08fSZO3LQE1PWUkWC3mVWqlSxiaAiozufc
Message-ID: <CAB=Y13dw+m7Oc4JPi+dk77tNZ=xJf05WRefd2fjRdOvz_qJjyA@mail.gmail.com>
To: IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000cca92064e7ad76e"
Message-ID-Hash: SPJWU67COQOFQSMN5GMWODVXFXN7C72W
X-Message-ID-Hash: SPJWU67COQOFQSMN5GMWODVXFXN7C72W
X-MailFrom: wupanyuuu@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-acme.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "draft-geng-acme-public-key.authors@ietf.org" <draft-geng-acme-public-key.authors@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Acme] Update: draft-geng-acme-public-key-05
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/StO3UFg7oTMXhDTH_wUZtznhtek>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Owner: <mailto:acme-owner@ietf.org>
List-Post: <mailto:acme@ietf.org>
List-Subscribe: <mailto:acme-join@ietf.org>
List-Unsubscribe: <mailto:acme-leave@ietf.org>
Hi all, We’ve just published an updated version of the draft: https://www.ietf.org/archive/id/draft-geng-acme-public-key-05.html Thanks again for all the valuable feedback and discussions during IETF 125 — especially thanks to Aaron Gable, Ilari Liusvaara, David Benjamin, Richard Barnes, and others for the insightful comments. Here’s a summary of the main changes from -04 to -05: *1. Challenge type consolidation* The six challenge types in -04 (pk-dns-01, pk-http-01, pk-tls-alpn-01, pk-email-01, pk-csr-01, pk-cert-01) are now unified into a single pk-01 challenge. Delivery is negotiated via supported_delivery / delivery fields in the challenge object. *2. newOrder restructuring* The pk_binding object has been split into three top-level fields: public_key (SPKI), pop_mode ("async" / "sync"), and csr_less. *3. Unified PoP signing formula* All delivery methods now use a consistent signature construction with domain separation and identifier binding: to_sign = "ACME-pk-01\x00" || keyAuthorization || "." || identifier *4. New ALPN identifier “acme-pk/1”* Defined a new TLS ALPN protocol identifier independent of RFC 8737 (“acme-tls/1”). In sync mode, the TLS handshake directly returns the raw proof bytes as application data, without requiring a self-signed X.509 certificate with the acmeValidation extension. An IANA registration has been requested per RFC 7301. *5. Security enhancements* Added defenses against: •Unknown Key Share (UKS) via identifier binding •Cross-protocol attacks via “ACME-pk-01\x00” domain separation •Authorization reuse via SPKI-level binding checks *6. Post-quantum (PQC) considerations* Added motivation for PQC transition. Noted that PQ signatures may exceed DNS TXT limits, and recommend using sync mode (pop_mode: "sync", TLS-ALPN delivery) for PQ scenarios. *7. Removal of IdP-based authentication mode* Removed non-Web PKI IdP-based authentication (pk-csr-01, pk-cert-01) and related WebAuthn/OPAQUE integration. These will be addressed in a separate document following prior feedback. As always, comments and feedback are very welcome! Best regards, Grace
- [Acme] Update: draft-geng-acme-public-key-05 吴攀雨
- [Acme] Re: Update: draft-geng-acme-public-key-05 Ilari Liusvaara
- [Acme] Re: Update: draft-geng-acme-public-key-05 吴攀雨
- [Acme] Re: Update: draft-geng-acme-public-key-05 Ilari Liusvaara
- [Acme] Re: Update: draft-geng-acme-public-key-05 palos.chen
- [Acme] Re: Update: draft-geng-acme-public-key-05 Mike Ounsworth
- [Acme] Re: Update: draft-geng-acme-public-key-05 皮皮猪
- [Acme] Re: Update: draft-geng-acme-public-key-05 Ilari Liusvaara
- [Acme] Re: Update: draft-geng-acme-public-key-05 皮皮猪
- [Acme] Re: Update: draft-geng-acme-public-key-05 Ilari Liusvaara
- [Acme] Re: Update: draft-geng-acme-public-key-05 Mike Ounsworth
- [Acme] Re: Update: draft-geng-acme-public-key-05 皮皮猪
- [Acme] Re: Update: draft-geng-acme-public-key-05 Tim Hollebeek
- [Acme] Re: Update: draft-geng-acme-public-key-05 皮皮猪