Re: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt
Aaron Gable <aaron@letsencrypt.org> Mon, 31 July 2023 22:34 UTC
Return-Path: <aaron@letsencrypt.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D977C15154C for <acme@ietfa.amsl.com>; Mon, 31 Jul 2023 15:34:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TgeAbWU5MbKy for <acme@ietfa.amsl.com>; Mon, 31 Jul 2023 15:34:32 -0700 (PDT)
Received: from mail-qk1-x72c.google.com (mail-qk1-x72c.google.com [IPv6:2607:f8b0:4864:20::72c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0EC69C14F73E for <acme@ietf.org>; Mon, 31 Jul 2023 15:34:32 -0700 (PDT)
Received: by mail-qk1-x72c.google.com with SMTP id af79cd13be357-7672073e7b9so312325385a.0 for <acme@ietf.org>; Mon, 31 Jul 2023 15:34:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; t=1690842871; x=1691447671; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Ub3ChEH3otGkbVXgt5snJ9kZNSAQ8RrUbWyDXFd/CAA=; b=NrvqJ4LXY2WQfRjuZidnZ4sqPUGLbyMMQr0ZrGQ4kWaa4L18xlX5/yIzg4292oJopJ 4fzJP3Km1i1Bq6LUodlGRts4rulmJr5o78i18fF3R7UDgEyFrlFGlGs2/CiXEwm+dT5Y tDv1kpkJx3prlFNZhbG+WqItUleUg2osr50+c=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1690842871; x=1691447671; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Ub3ChEH3otGkbVXgt5snJ9kZNSAQ8RrUbWyDXFd/CAA=; b=Jo01vS7oH+OluliE9STNNyC85t8+8aDNkRR5Og+AbOytYO1X+B7v2D8P1AAsmJxDJv 3aUwepvRUShWRTk9+DWijggmz42VvMOPwCF5Gm3euQwRGMyLuFNitQtV2N+JQ06sNEfx skpX1fdNsKz6lm0KP0J03CeRo7jkw27IF8vvlHcMtwbABA6Yd2XDP3OKxJ79tu7gTrJH hqTV5QijpeQlWJsKOk9gzrs54TjiqiDRSySGF93DTgfabEseyBu+qRCYVjKWy/06sgfE qQs1mJfRDEq9b2n+ewVa8lw/r+WfxAyWuvj5ZkcCtTSmGDeO6ILSoSfgT1tay13L5/fD ZV4Q==
X-Gm-Message-State: ABy/qLZLNUuaOmY4MAy/H4Lo7zUWxbRFFKEiWa+FlemBgi7LbYdFxECe W0YGqne2ENf0b+HJCgwvt+UOMBA2BGEiZ1TzyuCxIYkVoutg+8BMfHM=
X-Google-Smtp-Source: APBJJlHEl5wGHLVWdlJ8b2dW/ByMKPlz34sg0Cw+O6TVtSX2AeSJfbhziCSvN18CahWdrSwX0m6i2ftauDl1RRmE+N0=
X-Received: by 2002:a05:620a:2ae2:b0:76c:9884:4dce with SMTP id bn34-20020a05620a2ae200b0076c98844dcemr7152604qkb.63.1690842871130; Mon, 31 Jul 2023 15:34:31 -0700 (PDT)
MIME-Version: 1.0
References: <168865435873.61106.2850041921157081937@ietfa.amsl.com> <CH0PR11MB5739FDB26BF675925C449AA69F2CA@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB5739FDB26BF675925C449AA69F2CA@CH0PR11MB5739.namprd11.prod.outlook.com>
From: Aaron Gable <aaron@letsencrypt.org>
Date: Mon, 31 Jul 2023 15:34:20 -0700
Message-ID: <CAEmnErdYmmgQ-YdXEoATCOpWvdgq=ibWWz47B6VPhNEggX3cFg@mail.gmail.com>
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>
Cc: "acme@ietf.org" <acme@ietf.org>, Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>
Content-Type: multipart/alternative; boundary="000000000000b483420601d00894"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/miWLvbnujayTxWyyt8-56IXnWoY>
Subject: Re: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Jul 2023 22:34:36 -0000
(Apologies if you're receiving this twice; I originally sent it only to the CABForum list, instead of this IETF list.) Hi Paul, I'm sorry that I wasn't able to be at the ACME session last week; I've enjoyed reading the presentation slides and the draft notes that were taken during the session. In general, I'm very in favor of a system that allows for natural configuration of and fallback between multiple ACME CAs for a given domain. I think that the core concepts here of leveraging CAA records, adding a "priority" field, and declaring a new well-known path where ACME directory info can be found, combine to make a compelling system. I have some editorial notes to tighten up this draft and make it easier to digest: 1. I believe Section 4 should be rewritten to be more clearly normative. I think it can be condensed to just one or two paragraphs, which basically state "Compliant CAs MUST expose a copy of or a redirect to their ACME Directory resource [RFC 8555 Section 7.1.1] at the .well-known/acme path (see Section 7 IANA Considerations) under the CA's issuer-domain-name [RFC 8659 Section 4.2] hostname." 2. Section 5 can be similarly simplified; for example, steps 5-9 do not interact with the new CAA records or the new well-known URL at all and are an unnecessary recapitulation of RFC 8555 Section 7.4. I believe that this section should restrict itself to describing the process by which a client queries CAA records, does priority ordering, and resolves potential conflicts between records for different domain names. The goal is just to derive a directory URL. Then it can simply hand things off to RFC 8555 Section 7.1.1, which begins "This should be the only URL needed to configure clients." 3. I'm confused by the inclusion of Section 6 at all. What about this proposal interacts with External Account Binding in a sufficiently new way as to merit this whole section? As far as I can tell, the point of this draft is that there will be no difference between setting "directory: https://someca.com/api/directory" in an on-disk config file, and setting a "CAA 0 issue someca.com; discovery=true" DNS record. In either case, handling any other requirements for external account binding is incumbent on the ACME client operator, so I'm not sure why it gets a call-out here. Specifically, it seems telling that the whole of Section 6 contains a single normative requirement: "Clients SHOULD provide users with the ability to configure and utilize external account binding". How does this differ from RFC 8555 Section 7.3.4, which describes the client behavior necessary to conduct external account binding? Thanks, Aaron On Thu, Jul 6, 2023 at 7:55 AM Mike Ounsworth <Mike.Ounsworth= 40entrust.com@dmarc.ietf.org> wrote: > Hi ACME! > > This is new business that we would like to add to the agenda for 117. > > Thanks, > --- > Mike Ounsworth & Paul van Brouwershaven > > -----Original Message----- > From: internet-drafts@ietf.org <internet-drafts@ietf.org> > Sent: Thursday, July 6, 2023 9:39 AM > To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; Paul van Brouwershaven < > Paul.vanBrouwershaven@entrust.com> > Subject: [EXTERNAL] New Version Notification for > draft-vanbrouwershaven-acme-auto-discovery-00.txt > > WARNING: This email originated outside of Entrust. > DO NOT CLICK links or attachments unless you trust the sender and know the > content is safe. > > ______________________________________________________________________ > > A new version of I-D, draft-vanbrouwershaven-acme-auto-discovery-00.txt > has been successfully submitted by Paul van Brouwershaven and posted to > the IETF repository. > > Name: draft-vanbrouwershaven-acme-auto-discovery > Revision: 00 > Title: Auto-discovery mechanism for ACME client configuration > Document date: 2023-07-06 > Group: Individual Submission > Pages: 16 > URL: > https://www.ietf.org/archive/id/draft-vanbrouwershaven-acme-auto-discovery-00.txt > Status: > https://datatracker.ietf.org/doc/draft-vanbrouwershaven-acme-auto-discovery/ > Html: > https://www.ietf.org/archive/id/draft-vanbrouwershaven-acme-auto-discovery-00.html > Htmlized: > https://datatracker.ietf.org/doc/html/draft-vanbrouwershaven-acme-auto-discovery > > > Abstract: > A significant impediment to the widespread adoption of the Automated > Certificate Management Environment (ACME) [RFC8555] is that ACME > clients need to be pre-configured with the URL of the ACME server to > be used. This often leaves domain owners at the mercy of their > hosting provider as to which Certification Authorities (CAs) can be > used. This specification provides a mechanism to bootstrap ACME > client configuration from a domain's DNS CAA Resource Record > [RFC8659], thus giving control of which CA(s) to use back to the > domain owner. > > Specifically, this document specifies two new extensions to the DNS > CAA Resource Record: the "discovery" and "priority" parameters. > Additionally, it registers the URI "/.well-known/acme" at which all > compliant ACME servers will host their ACME directory object. By > retrieving instructions for the ACME client from the authorized > CA(s), this mechanism allows for the domain owner to configure > multiple CAs in either load-balanced or fallback prioritizations > which improves user preferences and increases diversity in > certificate issuers. > > > > > The IETF Secretariat > > > Any email and files/attachments transmitted with it are intended solely > for the use of the individual or entity to whom they are addressed. If this > message has been sent to you in error, you must not copy, distribute or > disclose of the information it contains. Please notify Entrust immediately > and delete the message from your system. > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme >
- [Acme] FW: [EXTERNAL] New Version Notification fo… Mike Ounsworth
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Richard Barnes
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Fraser Tweedale
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Fraser Tweedale
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Mike Ounsworth
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Seo Suchan
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Amir Omidi
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Fraser Tweedale
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Seo Suchan
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Q Misell
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Salz, Rich
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Q Misell
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Salz, Rich
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Q Misell
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Carl Wallace
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Carl Wallace
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Tim Hollebeek
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Amir Omidi
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Tim Hollebeek
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Q Misell
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Tim Hollebeek
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Q Misell
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Seo Suchan
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Salz, Rich
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Carl Wallace
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Tim Hollebeek
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] [EXTERNAL] New Version Notification fo… Tim Hollebeek
- Re: [Acme] [EXTERNAL] New Version Notification fo… Tim Hollebeek
- Re: [Acme] [EXTERNAL] New Version Notification fo… Paul van Brouwershaven
- Re: [Acme] [EXTERNAL] New Version Notification fo… Seo Suchan
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] [EXTERNAL] New Version Notification fo… Paul van Brouwershaven
- Re: [Acme] [EXTERNAL] New Version Notification fo… Tim Hollebeek
- Re: [Acme] [EXTERNAL] New Version Notification fo… Tim Hollebeek
- Re: [Acme] [EXTERNAL] New Version Notification fo… Paul van Brouwershaven
- [Acme] FW: [EXTERNAL] New Version Notification fo… Mike Ounsworth
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Mike Ounsworth
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Deb Cooley
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Mike Ounsworth
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Amir Omidi
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Michael Richardson
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Aaron Gable
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Paul van Brouwershaven
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Q Misell
- Re: [Acme] FW: [EXTERNAL] New Version Notificatio… Mike Ounsworth