Re: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt
Fraser Tweedale <frase@frase.id.au> Fri, 07 July 2023 03:24 UTC
Date: Fri, 07 Jul 2023 13:23:48 +1000
From: Fraser Tweedale <frase@frase.id.au>
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Cc: Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>, Richard Barnes <rlb@ipv.sx>, "acme@ietf.org" <acme@ietf.org>
Message-ID: <ZKeFRKXMXVSlt5GQ@bacardi.hollandpark.frase.id.au>
References: <168865435873.61106.2850041921157081937@ietfa.amsl.com> <CH0PR11MB5739FDB26BF675925C449AA69F2CA@CH0PR11MB5739.namprd11.prod.outlook.com> <CAL02cgSH1XM0krpYuCVP1VNpZ8EpprHog1+-oeQkN0a5bX8vHA@mail.gmail.com> <LV2PR11MB5975C3F165D41FBA2BEED912F82CA@LV2PR11MB5975.namprd11.prod.outlook.com> <ZKdW965KnS_C1P6n@bacardi.hollandpark.frase.id.au> <ZKde4llTB-dpA3Kj@bacardi.hollandpark.frase.id.au> <CH0PR11MB57398336D760C6FEA94E21169F2DA@CH0PR11MB5739.namprd11.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CH0PR11MB57398336D760C6FEA94E21169F2DA@CH0PR11MB5739.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/ixz66mutEQusdHJUIsTuKpfzAjA>
Subject: Re: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt
On Fri, Jul 07, 2023 at 01:55:52AM +0000, Mike Ounsworth wrote:
> Thanks for the comments Fraser.
>
> Guilty as charged -- we were not thinking about private enterprise
> environments when we wrote it; we were thinking about publicly-reachable
> servers on public clouds getting certs from public CAs. In that context,
> the quote from the abstract "at the mercy of their hosting provider as to
> which Certification Authorities (CAs) can be used" is less about the ACME
> server being reachable in a network sense, and more about public hosting
> providers -- quite reasonably -- not wanting to maintain a dropdown menu
> of every ACME server on the internet. Typically if you want to use a CA
> other than the single one that your hosting provider knows how to ACME
> to, then your only option is to manually upload a PEM file. Yuck. The
> other assumption here is that this draft is really for domain owners who
> care enough about where their certs come from to have a "favourite CA"
> because people who don't care will be happy to use whatever default ACME
> server.
>
> That said, it's interesting to think about how this could apply to your
> enterprise problem of "find me /some/ ACME server that I can reach/use
> in this network zone". Assuming a private network with multiple DNS
> zones, you could configure your private DNS to slap on a constant CAA
> record across a DNS zone, and that gives you your "give me an ACME
> server, any one will do", right?
>
> Out of curiosity, what happened to draft-tweedale-acme-discovery? Did
> it just not have enough momentum to proceed? Searching on the ACME list
> archive did not turn up very much discussion.

I presented it at IETF 109. There was broad agreement that it was a
problem that should be solved, but no appetite for the WG to adopt it at
that time. I'm happy with the content of the proposal and even
implemented a working POC in certbot.
For context, I work at Red Hat and helped develop the ACME server
support in Red Hat Certificate System (upstream: Dogtag Certificate
System) and Identity Management in RHEL (upstream: FreeIPA). So I was
thinking about how to further enable customers to use cert automation
within their environments. We haven't implemented the proposed DNS-SD
records yet, because there is no client support (due to lack of a
standard to follow - a "chicken/egg" situation).

Can CAA be used? Yes, but the number of CAA records to manage grows
with the number of domains for which certs must be issued. This could
be a headache for some orgs.

Per published RFCs only the "dns" identifier type could be used with
the CAA approach. "ip" identifiers are important for many orgs,
particularly those managing their own cloud infrastructure. But how to
use CAA for ipAddress SAN is not defined. (Perhaps use the existing CAA
attributes in _.in-addr.arpa and _.ip6.arpa zones). There is a draft
that defines how it would work for the "email" identifier type[1].

[1] https://datatracker.ietf.org/doc/draft-ietf-lamps-caa-issuemail/

However, I think that the CAA approach is likely to get more traction.
It uses DNS RR types that PKI people are already familiar with. It
*can* be used in enterprise environments, albeit with more
administrative burden in scenarios that involve a lot of domain names.
The gap of how CAA can be applied to ipAddress SAN names should be
dealt with in a separate document. Such work will no doubt attract
interest from other groups (CAB Forum in particular).

The approaches are not mutually exclusive but I really can't imagine
clients would want to implement support for more than one mechanism.

Let's see where this new proposal leads!

Cheers,
Fraser
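The exchange above discusses two things a client would have to do to discover an ACME server from CAA: walk up the DNS tree to the relevant CAA RRset (RFC 8659 section 3, which is what makes one "constant CAA record across a DNS zone" cover every name beneath it), and somehow map an "ip" identifier onto a DNS name, for which Fraser floats the reverse zones. The following is an added example, not code from the thread, the draft, certbot or any Red Hat project. It runs offline against constructed zone data; the `acmeserver` parameter name is an assumption (no published draft defines it), and the in-addr.arpa / ip6.arpa mapping is Fraser's suggestion, not a standard.

```python
"""Worked example: resolving an ACME server from CAA records, offline.

All zone data here is constructed for illustration. The "acmeserver"
parameter name is an assumption (not defined by any published draft), and
the in-addr.arpa / ip6.arpa lookup for "ip" identifiers is the suggestion
from the thread, not a standardised mechanism.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed zone data: absolute owner name -> CAA RRset.
ZONE: Dict[str, List[CaaRecord]] = {
    # One apex record covers every name beneath it (a "constant CAA across a zone").
    "corp.example.": [
        (0, "issue", "pki.corp.example; acmeserver=https://pki.corp.example/acme/directory"),
    ],
    # A CA named without a discovery hint: the client learns who may issue, not where.
    "partner.example.": [(0, "issue", "ca.partner.example")],
    # Empty issuer-domain-name (RFC 8659 section 4.2): no CA may issue.
    "locked.example.": [(0, "issue", ";")],
    # Speculative: CAA in the reverse zones so "ip" identifiers can be covered.
    "10.in-addr.arpa.": [
        (0, "issue", "pki.corp.example; acmeserver=https://pki.corp.example/acme/directory"),
    ],
    "8.b.d.0.1.0.0.2.ip6.arpa.": [
        (0, "issue", "pki.corp.example; acmeserver=https://pki.corp.example/acme/directory"),
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def caa_rrset(owner: str) -> List[CaaRecord]:
    """Stand-in for a DNS query; a real client would use a validating resolver."""
    return ZONE.get(owner, [])


def parent(owner: str) -> Optional[str]:
    """Strip the leftmost label; the root's parent is None."""
    if owner == ".":
        return None
    labels = owner.rstrip(".").split(".")[1:]
    return ".".join(labels) + "." if labels else "."


def relevant_caa(name: str) -> Tuple[Optional[str], List[CaaRecord]]:
    """RFC 8659 section 3: walk from the name towards the root and return the
    first non-empty CAA RRset. CNAME following is omitted in this toy."""
    owner = name if name.endswith(".") else name + "."
    while owner is not None:
        rrset = caa_rrset(owner)
        if rrset:
            return owner, rrset
        owner = parent(owner)
    return None, []


def parse_issue(value: str) -> Tuple[str, Dict[str, str]]:
    """RFC 8659 section 4.2 syntax: 'issuer-domain-name; key=value; ...'."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if p:
            key, _, val = p.partition("=")
            params[key.strip().lower()] = val.strip()
    return issuer, params


def identifier_owner(id_type: str, value: str) -> str:
    """Map an ACME identifier to the DNS owner name whose CAA policy applies."""
    if id_type == "dns":
        return value
    if id_type == "ip":
        # Assumption from the thread, not an RFC: consult the reverse zones.
        return ipaddress.ip_address(value).reverse_pointer + "."
    raise ValueError(f"no CAA mapping defined for identifier type {id_type!r}")


def discover(id_type: str, value: str) -> Tuple[Optional[str], List[Tuple[str, Optional[str]]]]:
    """Return (owner where the policy was found, [(issuer, ACME directory URL or None)])."""
    found_at, rrset = relevant_caa(identifier_owner(id_type, value))
    # A critical record whose tag we do not understand means we must not proceed.
    if any(flags & 0x80 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return found_at, []
    candidates: List[Tuple[str, Optional[str]]] = []
    for _, tag, val in rrset:
        if tag.lower() != "issue":
            continue
        issuer, params = parse_issue(val)
        if issuer == "":
            continue  # explicit deny: no issuer named
        candidates.append((issuer, params.get("acmeserver")))
    return found_at, candidates


if __name__ == "__main__":
    for ident in (("dns", "www.app.corp.example"), ("ip", "10.1.2.3"),
                  ("ip", "2001:db8::1"), ("dns", "host.locked.example"),
                  ("dns", "nothing.test")):
        print(ident, "->", discover(*ident))
```

The `partner.example.` entry illustrates the gap a discovery parameter would fill: plain CAA tells a client which CA is permitted but not the directory URL to talk to. The `locked.example.` entry shows why a client must treat an empty issuer as a hard stop rather than falling back to a default server.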