Re: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt
Michael Richardson <mcr+ietf@sandelman.ca> Tue, 25 July 2023 12:52 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AA33C15198B for <acme@ietfa.amsl.com>; Tue, 25 Jul 2023 05:52:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TOUK_saVVJaZ for <acme@ietfa.amsl.com>; Tue, 25 Jul 2023 05:51:58 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34083C151989 for <acme@ietf.org>; Tue, 25 Jul 2023 05:51:57 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 60B8538993 for <acme@ietf.org>; Tue, 25 Jul 2023 08:51:54 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id BYwlxpnA6c22 for <acme@ietf.org>; Tue, 25 Jul 2023 08:51:52 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id E922C38991 for <acme@ietf.org>; Tue, 25 Jul 2023 08:51:51 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1690289511; bh=hIsE2ERUm1zWfcXbvC+Wev/GlQifN4t7g2BLw0pvhD8=; h=From:To:Subject:In-Reply-To:References:Date:From; b=hERDqIKwad3/jZBjJxFLGWSLhDg+GrafrAS148Gxk4pIlUzO62+NhltlXYP7UDuWF PXXd8ValnQfHXzYUSN8VI2LJgootgnOSGvqbwwqUQKXwCcivpnPi6fNs2K8kmy6/kQ oolrYtsLVO6u6dP/kiRxtzD2jgSEaNDcsFUBC/ZxEu9xxII1OHvCd1CUTmYWVJRPvD fEuWpIJmdvBcHyOythzKKsm6bW7ttV+Ix74JPax5A7ivnc79go/0hrxabvfO+I4xjo QY9nJbnJDmYiHjXUolc2UUPxgiR+PL2PGb+Xmhks6lM0NmOwiJh8ArJuqUf+XSwwQv TYNn9j+KJIUbQ==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id B7F7D479 for <acme@ietf.org>; Tue, 25 Jul 2023 08:51:51 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: IETF ACME <acme@ietf.org>
In-Reply-To: <CAOG=JUJRCNfU2XHnGwOSD4Z1szEVsHe3nqFr1iwAV=G05xzLnA@mail.gmail.com>
References: <168865435873.61106.2850041921157081937@ietfa.amsl.com> <CH0PR11MB5739FDB26BF675925C449AA69F2CA@CH0PR11MB5739.namprd11.prod.outlook.com> <CH0PR11MB5739CFA5EE0E13AD390D2EC89F38A@CH0PR11MB5739.namprd11.prod.outlook.com> <CAGgd1OdMwyR76RqjvfQV6V=+2o0y_0D1P429tAzq0y-2-M4SoQ@mail.gmail.com> <CH0PR11MB57397BE3A0399A3E014ED80D9F3EA@CH0PR11MB5739.namprd11.prod.outlook.com> <CAOG=JUJRCNfU2XHnGwOSD4Z1szEVsHe3nqFr1iwAV=G05xzLnA@mail.gmail.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 27.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Tue, 25 Jul 2023 08:51:51 -0400
Message-ID: <29814.1690289511@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/TnRL4kz5hb7IHXD6v50GCn_RleI>
Subject: Re: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jul 2023 12:52:03 -0000
tl;dr> I haven't read the document yet, but based upon the presentation, it looks like it fits into the ACME charter, and we should work on it. Amir Omidi <amir=40aaomidi.com@dmarc.ietf.org> wrote: > CAA > has so far been a ACME server side value, rather than client side. If "Well actually," It's not specific to ACME, but to any CA. > that is the case, does it make sense to extend CAA to handle client > side behavior as well? I want to avoid a situation where CAA is a > hammer and everything is a nail. I think that this is a concern, and I hope DNSOP will weigh in here as to the value of a new RR vs using this one. So far, I'm not seeing nails. > There is also the situation to > consider that some providers that also take control of the DNS > automatically set a temporary CAA record to get the certificate they > need. For example, I believe cloudflare will just override any > existing CAA record to get a certificate from the various providers > they use. override... remove and replace, or just extend? I know many semi-technical managers like one-stop shopping, but it scares me, and there are many services where I remain a product rather than a customer > #4, the user is supposed to be notified for failures. If the public > provider is already implementing this notification pipeline, why > wouldn't they be able to implement a drop down of "Pick your own CA" in > the UI exposed to the user. I think because the provider wants to be able to try the backups in an orderly (intime) fashion. Many small sites are basically on auto-pilot for the durations (<30 days) involved. While some round-the-world blogger might be able to get emails while travelling, they might not be able to do HTTPS safely to reach the "drop-down" > would have more difficulty implementing this correctly, and handling > all the edge cases in the client compared to exposing a "Pick your own > CA" in the UI. If the goal was ultimate flexibility, I think it would > be easier for me to implement a pick your own CA with a textbox for the > directory of that CA than it would be to change my client to get that > information through CAA. - Exposing this information in the UI also > avoids the subscriber agreement issue and the rate limit issue. These > large providers can establish the relationships with the CAs they want > to use, and use them in the issuance pipeline. All good points. I think that there should be some more applicability scope. I think there is a difference between hosting-providers-at-scale vs foo.com who has 37 horizontally scaled micro-services that they have automated. -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [Acme] FW: [EXTERNAL] New Version Notification fo… Mike Ounsworth
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Richard Barnes
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Fraser Tweedale
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Fraser Tweedale
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Mike Ounsworth
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Seo Suchan
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Amir Omidi
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Fraser Tweedale
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Seo Suchan
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Q Misell
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Salz, Rich
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Q Misell
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Salz, Rich
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Q Misell
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Carl Wallace
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Carl Wallace
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Tim Hollebeek
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Amir Omidi
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Tim Hollebeek
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Q Misell
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Tim Hollebeek
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Q Misell
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Seo Suchan
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Salz, Rich
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Carl Wallace
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Tim Hollebeek
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] [EXTERNAL] New Version Notification fo… Tim Hollebeek
- Re: [Acme] [EXTERNAL] New Version Notification fo… Tim Hollebeek
- Re: [Acme] [EXTERNAL] New Version Notification fo… Paul van Brouwershaven
- Re: [Acme] [EXTERNAL] New Version Notification fo… Seo Suchan
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] [EXTERNAL] New Version Notification fo… Paul van Brouwershaven
- Re: [Acme] [EXTERNAL] New Version Notification fo… Tim Hollebeek
- Re: [Acme] [EXTERNAL] New Version Notification fo… Tim Hollebeek
- Re: [Acme] [EXTERNAL] New Version Notification fo… Paul van Brouwershaven
- [Acme] FW: [EXTERNAL] New Version Notification fo… Mike Ounsworth
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Mike Ounsworth
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Deb Cooley
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Mike Ounsworth
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Amir Omidi
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Michael Richardson
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Aaron Gable
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Q Misell
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Mike Ounsworth