IETF Logo Mail Archive

Re: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 25 July 2023 12:52 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AA33C15198B for <acme@ietfa.amsl.com>; Tue, 25 Jul 2023 05:52:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TOUK_saVVJaZ for <acme@ietfa.amsl.com>; Tue, 25 Jul 2023 05:51:58 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34083C151989 for <acme@ietf.org>; Tue, 25 Jul 2023 05:51:57 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 60B8538993 for <acme@ietf.org>; Tue, 25 Jul 2023 08:51:54 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id BYwlxpnA6c22 for <acme@ietf.org>; Tue, 25 Jul 2023 08:51:52 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id E922C38991 for <acme@ietf.org>; Tue, 25 Jul 2023 08:51:51 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1690289511; bh=hIsE2ERUm1zWfcXbvC+Wev/GlQifN4t7g2BLw0pvhD8=; h=From:To:Subject:In-Reply-To:References:Date:From; b=hERDqIKwad3/jZBjJxFLGWSLhDg+GrafrAS148Gxk4pIlUzO62+NhltlXYP7UDuWF PXXd8ValnQfHXzYUSN8VI2LJgootgnOSGvqbwwqUQKXwCcivpnPi6fNs2K8kmy6/kQ oolrYtsLVO6u6dP/kiRxtzD2jgSEaNDcsFUBC/ZxEu9xxII1OHvCd1CUTmYWVJRPvD fEuWpIJmdvBcHyOythzKKsm6bW7ttV+Ix74JPax5A7ivnc79go/0hrxabvfO+I4xjo QY9nJbnJDmYiHjXUolc2UUPxgiR+PL2PGb+Xmhks6lM0NmOwiJh8ArJuqUf+XSwwQv TYNn9j+KJIUbQ==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id B7F7D479 for <acme@ietf.org>; Tue, 25 Jul 2023 08:51:51 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: IETF ACME <acme@ietf.org>
In-Reply-To: <CAOG=JUJRCNfU2XHnGwOSD4Z1szEVsHe3nqFr1iwAV=G05xzLnA@mail.gmail.com>
References: <168865435873.61106.2850041921157081937@ietfa.amsl.com> <CH0PR11MB5739FDB26BF675925C449AA69F2CA@CH0PR11MB5739.namprd11.prod.outlook.com> <CH0PR11MB5739CFA5EE0E13AD390D2EC89F38A@CH0PR11MB5739.namprd11.prod.outlook.com> <CAGgd1OdMwyR76RqjvfQV6V=+2o0y_0D1P429tAzq0y-2-M4SoQ@mail.gmail.com> <CH0PR11MB57397BE3A0399A3E014ED80D9F3EA@CH0PR11MB5739.namprd11.prod.outlook.com> <CAOG=JUJRCNfU2XHnGwOSD4Z1szEVsHe3nqFr1iwAV=G05xzLnA@mail.gmail.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 27.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Tue, 25 Jul 2023 08:51:51 -0400
Message-ID: <29814.1690289511@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/TnRL4kz5hb7IHXD6v50GCn_RleI>
Subject: Re: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jul 2023 12:52:03 -0000

tl;dr> I haven't read the document yet, but based upon the presentation, it
       looks like it fits into the ACME charter, and we should work on it.

Amir Omidi <amir=40aaomidi.com@dmarc.ietf.org> wrote:
    > CAA
    > has so far been a ACME server side value, rather than client side. If

"Well actually,"
It's not specific to ACME, but to any CA.

    > that is the case, does it make sense to extend CAA to handle client
    > side behavior as well? I want to avoid a situation where CAA is a
    > hammer and everything is a nail.

I think that this is a concern, and I hope DNSOP will weigh in here as to the
value of a new RR vs using this one.  So far, I'm not seeing nails.

    > There is also the situation to
    > consider that some providers that also take control of the DNS
    > automatically set a temporary CAA record to get the certificate they
    > need.  For example, I believe cloudflare will just override any
    > existing CAA record to get a certificate from the various providers
    > they use.

override... remove and replace, or just extend?
I know many semi-technical managers like one-stop shopping, but it scares me,
and there are many services where I remain a product rather than a customer

    > #4, the user is supposed to be notified for failures. If the public
    > provider is already implementing this notification pipeline, why
    > wouldn't they be able to implement a drop down of "Pick your own CA" in
    > the UI exposed to the user.

I think because the provider wants to be able to try the backups in an
orderly (intime) fashion.   Many small sites are basically on auto-pilot for
the durations (<30 days) involved.   While some round-the-world blogger might
be able to get emails while travelling, they might not be able to do HTTPS
safely to reach the "drop-down"

    > would have more difficulty implementing this correctly, and handling
    > all the edge cases in the client compared to exposing a "Pick your own
    > CA" in the UI. If the goal was ultimate flexibility, I think it would
    > be easier for me to implement a pick your own CA with a textbox for the
    > directory of that CA than it would be to change my client to get that
    > information through CAA.  - Exposing this information in the UI also
    > avoids the subscriber agreement issue and the rate limit issue. These
    > large providers can establish the relationships with the CAs they want
    > to use, and use them in the issuance pipeline.

All good points.
I think that there should be some more applicability scope.

I think there is a difference between hosting-providers-at-scale vs foo.com
who has 37 horizontally scaled micro-services that they have automated.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email