IETF Logo Mail Archive

[Acme] Re: Call for adoption: draft-davidben-acme-profile-sets-00 (Ends 2026-01-21)

David Benjamin <davidben@chromium.org> Thu, 08 January 2026 17:31 UTC

Return-Path: <davidben@google.com>
X-Original-To: acme@mail2.ietf.org
Delivered-To: acme@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 1A87DA4E564E for <acme@mail2.ietf.org>; Thu, 8 Jan 2026 09:31:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -9.483
X-Spam-Level:
X-Spam-Status: No, score=-9.483 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.017, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RIO6SZnKJZp2 for <acme@mail2.ietf.org>; Thu, 8 Jan 2026 09:31:05 -0800 (PST)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 3EE3FA4E5612 for <acme@ietf.org>; Thu, 8 Jan 2026 09:31:00 -0800 (PST)
Received: by mail-ed1-x52e.google.com with SMTP id 4fb4d7f45d1cf-64b7318f1b0so4726445a12.2 for <acme@ietf.org>; Thu, 08 Jan 2026 09:31:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1767893453; x=1768498253; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=XHBh293jZWwb31W0eiCme5HDjREWVNqz/W4RPjB8gpU=; b=RdQ04GH2wCTSpKJIxXWv77kSHV3cFpE8J0KR6cTJjdL28i/GkV+JwVvauzqjsSZYrd DrtGjnqriAKuqo1HCJNwKGsJwvxMhPHMtLJiAmLds0IiMrahyWkCXXIEOAc0YH/rWWQn QDqZxAALalRQE0j8lxBzw1IpMqim6mG70Y33o=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767893453; x=1768498253; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=XHBh293jZWwb31W0eiCme5HDjREWVNqz/W4RPjB8gpU=; b=gusJkaoMSIfgYXHyMrmbuQbxOUCtvu7e2vwoS0eb/ZBnUuW9Sl0gKHVxL36HHeZTNZ hWv13mxFVOzvWfdzBZviRaWcdNOQq/d3dBopp6fkSzgMsog4Xr5B0P3LqTditIfj6s8j fZoAz6z52ScC0AJwl40sDxdnkREKMteSNJKH/KrijTtX1GuBqtmkHZKnkjveGnuD++B/ +8NMXqz2fIXFsxF/d/EL2UBpYivmtwxKUixvpA9yfUhcqw8cpAqqAyunDR+slKapnFFs cu4ZeHH4lnlHONuaswaom1G9X8kelatBF+WE6KiySUN6j4YtyhTYPbrk8dxwSDnlc+74 Kksg==
X-Gm-Message-State: AOJu0YyA0ipQlMKR9hYOWk4TSKWJgdk8TDJfUXYKHpHSN1zThzGPw3Ay tZKPB+pUA+007pL2fBJL+9PN/U/t0O77Y74pq/Hiff144aQcTVKxV98fB1VynaBj8myIv2VHlb9 7atVm52ELqJe49hzpiNPz1J/jbfexA9t5/VzUygAuWmEcVclmZ2W/iwQ=
X-Gm-Gg: AY/fxX6H3PC1FWcqWREEihD3LabAOVWNmt8gDoxfKXntP+WLeT0xfXG6DWsXRYfCry3 b+fpNLmj23Fc3BCvLyRO/za1yRSnEXbCtssBBcm/U8V6gaKXovVeqxO+Y4m/yAN+7jACoOrBFc9 57nZg5KRwz04u2307YtG+rX4hWL/SC7qHaxClaglb/CC0Hzms87aw2Ri9JOkqf59XeDGumk8GCO zf28ST//hbl1KXl+VSq8XSF0KV5/khw17YToMDZgyna74zjvB0HUScAj1PgRfvsLxjHzplf8vZ9 CQfE
X-Google-Smtp-Source: AGHT+IEr3FsjV7qfHRSSWip9sZWIm1cDH+sJ218S1ZhExpAGkEEsubKQXsZp0SqHz0A2kIvHBwQ5xl6M4q18dFR7HkM=
X-Received: by 2002:a17:907:94c2:b0:b73:7184:b7d3 with SMTP id a640c23a62f3a-b84453e2967mr639430966b.58.1767893452521; Thu, 08 Jan 2026 09:30:52 -0800 (PST)
MIME-Version: 1.0
References: <176782035446.3829944.17475670312912489816@dt-datatracker-5656579b89-p6k4r> <CO6PR22MB2497CA58FFFB043F2D984166FA84A@CO6PR22MB2497.namprd22.prod.outlook.com> <CAKZgXHrp93y4D9Z4BRFfjTU9ga3h2HYxmA=o43EJY4XwBCR-JA@mail.gmail.com> <CAF8qwaAUSVdBtMmFE0iWfoVyigiEZtnSL+5TpmoS7phYOb2SbA@mail.gmail.com> <27089.1767892353@obiwan.sandelman.ca>
In-Reply-To: <27089.1767892353@obiwan.sandelman.ca>
From: David Benjamin <davidben@chromium.org>
Date: Thu, 08 Jan 2026 12:30:34 -0500
X-Gm-Features: AQt7F2qO-wLWBmDYBmbJ_QeuCbqJFsOtlXe4AEBSRLlXu9BpOb8sUIy59qwqpNs
Message-ID: <CAF8qwaDp=3bvqaLkyNQJXyXT7HQ+V7PovCEybDV=td9kq0BZRg@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Content-Type: multipart/alternative; boundary="0000000000003dbdb20647e3c518"
Message-ID-Hash: JKNFDIODBG2LETID57BDQW5YRDPKT7OS
X-Message-ID-Hash: JKNFDIODBG2LETID57BDQW5YRDPKT7OS
X-MailFrom: davidben@google.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-acme.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "acme@ietf.org" <acme@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Acme] Re: Call for adoption: draft-davidben-acme-profile-sets-00 (Ends 2026-01-21)
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/_PMr6WQoayWmAasir1pmd-phpio>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Owner: <mailto:acme-owner@ietf.org>
List-Post: <mailto:acme@ietf.org>
List-Subscribe: <mailto:acme-join@ietf.org>
List-Unsubscribe: <mailto:acme-leave@ietf.org>

On Thu, Jan 8, 2026 at 12:12 PM Michael Richardson <mcr+ietf@sandelman.ca>
wrote:

>
> David Benjamin <davidben=40google.com@dmarc.ietf.org> wrote:
>     > For folks who missed it, I talked a bit about the motivation in both
> the
>     > draft and 124, so here are the links to what happened in 124. This
> is a
>     > pretty tiny mechanism, so there's not a lot to skim through there:
>     >
> https://datatracker.ietf.org/meeting/124/materials/slides-124-acme-acme-profile-sets-00
>
> I looked again at the slides.
> The motivation is good.  I think some of the context is wrong,... like if
> "Old Clients" live forever, then they aren't going to get new certificates.
>
> Maybe you don't mean old ACME clients, but old TLS clients?
> (PS: they also don't do TLS 1.3, often not TLS 1.1.  Try connecting to a
> 2010-era BMC.)
>

Er, yes, sorry, those were referring to older TLS clients, or whoever the
relying party was. Those slides were presented in the context of how to run
a TLS server, but it did make the slides harder to read without the voice
track. :-(

I can't fix the slides after the fact, but if you prepend "Running a TLS
server is easy, right?" to the first slide, I think it then flows. (And of
course there's an analogous situation for any authenticating/relying party
pair when there's a wide range of relying parties. The draft itself is
hopefully written with more precise and general language.)


> I don't think ACME Profile Sets completely solves the problem described in
> the slides.   We need more.  Maybe a connection to RFC9908 (just issued,
> but
> not announced yet.. weird)... a CSR/CSR-attributes redo in JSON/JOSE/COSE
> could be part of an RFC7030bis.  Worth further discussion, I hope.
>

The aim is to specifically solve the case where the subject information in
all the variants is the same, as that seems to be where this kind of
automation most naturally fits. It's true there are a bunch of other, more
complex, cases where folks might need multiple certificates. Those seem
hard to automate because they require the ACME client to have knowledge of
the variations, but happy to be proven wrong. :-)

Not to say those aren't also interesting problems, but this subset seems
both useful, fairly easily achievable, and fit within a clear "subject
decisions vs PKI decisions" model, so that seemed a good place to draw a
box.


>     > But older relying parties still have the old behavior, and ACME
> clients
>
> Yes, older relying, or corresponding parties.
>

v2.36.0 | Report a Bug | By Email | System Status