[Acme] Re: ACME and PLANTS

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 13 March 2026 06:11 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: acme@mail2.ietf.org
Delivered-To: acme@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id DEB36C9419F3 for <acme@mail2.ietf.org>; Thu, 12 Mar 2026 23:11:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RhmaVBwzyY-3 for <acme@mail2.ietf.org>; Thu, 12 Mar 2026 23:11:05 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id C84A4C9419DF for <acme@ietf.org>; Thu, 12 Mar 2026 23:11:04 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 1701F18015; Fri, 13 Mar 2026 02:11:04 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavis, port 10024) with LMTP id 70EWQ7Y4B9Z8; Fri, 13 Mar 2026 02:11:01 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1773382260; bh=wubiJmftDEmhT8CaH9LXa5aP6R2fEcFCu3M5nti7gJU=; h=From:To:Subject:In-Reply-To:References:Date:From; b=WLTwGoLVuKRqQXsxspi7Fr7mg1b4w2130TwM1IaPLry8X0XzpWkqoDnTbmff/IDb/ ZLdiOIz3H+i+JpOyLkZ2ac/e3jMlYWc1ZwH4Lz32UOw5eNXbjnPaId8t4YYC7J4D4C TK8PPMWOMW4AuhrkSbIygbDaAwx8oJ2433G/TsVLQX3tL2NLXzOeyLrc2m+TK0fshg 1yQ5GhsMejtps06HuA22geQd/HxY8Ig/Qna0OsuPUP/Zg/xA5ripsIF34UD9sDNKBZ dUlBd/1/lbAIMqs7+XVfGhg2Fub8K+iuo9EaRr3j9tIptPA92uPQzDSXY5oOVhnOwk fYyJ3bPiYmwKA==
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id D43EA18014; Fri, 13 Mar 2026 02:11:00 -0400 (EDT)
Received: from obiwan.sandelman.ca (obiwan.sandelman.ca [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 7BD6817A; Fri, 13 Mar 2026 02:11:00 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Mike Ounsworth <ounsworth+ietf@gmail.com>, IETF ACME <acme@ietf.org>
In-Reply-To: <CAKZgXHp3_EhLRQkwn79JK0p=cAC_816RYzmU=Y-sFQer16WCcg@mail.gmail.com>
References: <CAF8qwaApZbT5C1q3-g5yTPxYJTuJeZqMgb=_Gu=hqYRnrtiJkA@mail.gmail.com> <abMdm49TFzXz5K4H@LK-Perkele-VII2.locald> <CAF8qwaCfV8G52oGMbuktBZ_-mvmaPghD5Zi_eZpdrad_+E3R4Q@mail.gmail.com> <CAKZgXHp3_EhLRQkwn79JK0p=cAC_816RYzmU=Y-sFQer16WCcg@mail.gmail.com>
X-Mailer: MH-E 8.6+git; nmh 1.8+dev; Emacs 30.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0;<'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Fri, 13 Mar 2026 02:11:00 -0400
Message-ID: <574.1773382260@obiwan.sandelman.ca>
Message-ID-Hash: 5D47UDDOIJH742LTTDUB5FYKS5VY53FD
X-Message-ID-Hash: 5D47UDDOIJH742LTTDUB5FYKS5VY53FD
X-MailFrom: mcr+ietf@sandelman.ca
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-acme.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Acme] Re: ACME and PLANTS
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/mMxmEau0qqVlh4wQiim7Dd2BNu0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Owner: <mailto:acme-owner@ietf.org>
List-Post: <mailto:acme@ietf.org>
List-Subscribe: <mailto:acme-join@ietf.org>
List-Unsubscribe: <mailto:acme-leave@ietf.org>

Mike Ounsworth <ounsworth+ietf@gmail.com> wrote:
    > Thanks for the discussion. Stepping back a bit, I think there are two
    > possible outcomes of the interaction between MTC and ACME: either a
    > draft-mtc-acme-00 is needed, or it's not. Given that this still seems

Yes, we need a document to collect options/discussion.
(Ask me in 12-ish days if I want to volunteer to start it)

    > in the "Large design space, needs to be narrowed down" stage, and that the
    > right experts already seem to be engaged, I'm inclined to not put this on
    > the ACME agenda this go-around but please keep discussion on the list. Is
    > that reasonable?

I think that's exactly the right thing right now.

1. Sometime in early May, decide if a (joint) virtual-interim meeting would help.
2. Make sure IETF126's conflict lists ACME<->PLANTS<->LAMPS as conflicts.
3. EST will need to solve the same problem.  It may be similiar, or
   completely different.

I think David wrote:
    >> Then the server operator would glue it all together by arranging for the
    >> ACME client to run on a cron job. And since that cron job both has access
    >> to authentication and ACME state, the fact that ACME authenticates all its
    >> URLs is not a huge deal. A separate unauthenticated URL would suggest a
    >> world where the server operator has a *separate* scheduled job that's
    >> have the ACME account key, but does have read/write access to certificate
    >> state. I assumed that doesn't currently exist and we may as well piggy-back
    >> off the existing job schedulingn.

My understanding is that some operators of many tenanted web-hosting systems
run their ACME client on a management system.  This discussion previously
informed the design of the renewal-info (RFC9773).

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide