References: <CAGgd1OdHCZg=g+2E56YyMdizNgm0_K+cOtcqJCEJD=NBrAo-6w@mail.gmail.com>
 <CAEmnErfGf_wNcCYjG6ctYy0N5-LFZdJ_1bHNzwrdvL8_9rYjcw@mail.gmail.com>
 <4916e0e2-ec04-8172-e84d-145543c3e34c@gmail.com>
In-Reply-To: <4916e0e2-ec04-8172-e84d-145543c3e34c@gmail.com>
From: Deb Cooley <debcooley1@gmail.com>
Date: Thu, 22 Jun 2023 05:53:20 -0400
Message-ID: <CAGgd1Oc87aT=bVwbZEvoNazDfmsNYQbuuAkpCttkuraQrEL4Lw@mail.gmail.com>
To: acme@ietf.org, Q Misell <q@as207960.net>
Cc: acme-chairs@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/h61EvyQjFER9geA5adKa8u9T-x8>
Subject: Re: [Acme] Call for adoption of draft-misell-acme-onion-02
List-Id: Automated Certificate Management Environment <acme.ietf.org>


There is sufficient interest to adopt this draft.

Thank you,
Deb

On Fri, Jun 9, 2023 at 5:06 PM Seo Suchan <tjtncks@gmail.com> wrote:

> For the CAA mechanism for Tor, I don't think the ACME working group is the
> right place to talk about it: as it affects non-ACME CAs that sign
> certificates for .onion, shouldn't it be handled in LAMPS (as that is where
> the CAA RFC was discussed)?
> On 2023-06-10 at 1:55 AM, Aaron Gable wrote:
>
> Hi all,
>
> I support the draft for adoption. Specifically, I think it's a good thing
> to standardize the onion-csr-01 challenge type. I have two classes of
> comments that I look forward to discussing in-depth after adoption:
> 1) Obviously it's valuable for this draft to standardize a method that is
> already accepted by the CA/BF. But in the long term there's no need to use
> a CSR as the transport mechanism for a random token, a public key, and a
> signature -- moving away from x509 for this would be nice in the long term.
> Probably out-of-scope for this document, but worth discussing.
> 2) The primary benefit of the onion-csr-01 method is that it allows the CA
> to perform domain control validation without operating a Tor client.
> However, this benefit is obviated entirely by the need to operate a Tor
> client to check for CAA in the hidden service descriptor. It seems likely
> that there are CAs which have avoided implementing HTTP-01 and TLS-ALPN-01
> for .onion due to the need to operate a Tor client; these same CAs may have
> been willing to implement ONION-CSR-01, but now will not due to the CAA
> mechanism.
>
> Thanks,
> Aaron
>
> On Sun, Jun 4, 2023 at 4:07 AM Deb Cooley <debcooley1@gmail.com> wrote:
>
>> This will be a two week call for adoption ending on 16 June.   Please
>> speak up either for or against adopting this draft.
>>
>> Thanks,
>> Deb
>> _______________________________________________
>> Acme mailing list
>> Acme@ietf.org
>> https://www.ietf.org/mailman/listinfo/acme
>>
>
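The reason the onion-csr-01 method Aaron describes can work without a Tor client is that a v3 .onion name is itself derived from the service's ed25519 public key, so a CA can bind the key carried in the CSR to the requested name entirely offline. The following Python is an added example, not code from the draft or from anyone in this thread: it implements the v3 address derivation from the Tor rend-spec-v3 (address = base32(PUBKEY || CHECKSUM || VERSION), with CHECKSUM the first two bytes of SHA3-256(".onion checksum" || PUBKEY || VERSION) and VERSION = 3) and the resulting key-to-name check. The sample key is constructed, and the CA nonce and CSR signature checks that the challenge also requires are assumed to be handled by whatever parses the CSR; they are not shown here.

```python
"""Bind an ed25519 public key to a v3 .onion address (added example).

Implements the address derivation from the Tor rend-spec-v3, which is the
piece of onion-csr-01 validation that needs no Tor client. Nonce and CSR
signature handling is assumed to live in the CSR parsing code (not shown).
"""
import base64
import hashlib

ONION_VERSION = b"\x03"             # v3 onion services only
CHECKSUM_PREFIX = b".onion checksum"


def onion_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || PUBKEY || VERSION)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def onion_address_from_pubkey(pubkey: bytes) -> str:
    """Derive the 56-character v3 .onion hostname for a 32-byte ed25519 key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION   # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def pubkey_from_onion_address(address: str) -> bytes:
    """Parse a v3 .onion address, verify checksum and version, return the key.

    Raises ValueError on anything malformed or corrupted, so a CA cannot be
    talked into validating a CSR key against a name that does not encode it.
    """
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != 56:
        raise ValueError("v3 onion address must be 56 base32 characters")
    # 56 chars is a multiple of 8, so no '=' padding is needed for b32decode.
    raw = base64.b32decode(host, casefold=True)   # binascii.Error is a ValueError
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("onion address checksum mismatch")
    return pubkey


def csr_key_matches_onion(csr_pubkey: bytes, requested_name: str) -> bool:
    """The key-to-name binding a CA checks for an onion-csr-01 request."""
    try:
        return pubkey_from_onion_address(requested_name) == csr_pubkey
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample key; a real one comes from the service's CSR.
    sample_key = bytes(range(32))
    name = onion_address_from_pubkey(sample_key)
    print(name, csr_key_matches_onion(sample_key, name))
```

The check is deliberately strict: any address that fails to decode, has the wrong version byte, or has a checksum mismatch is treated as a non-match rather than an error the caller might ignore. Every v3 address ends in "d" because the low five bits of the version byte 0x03 are the last base32 character, which is a cheap sanity check before doing the full decode.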
