IETF Logo Mail Archive

Re: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt

Fraser Tweedale <frase@frase.id.au> Fri, 07 July 2023 00:06 UTC

Return-Path: <frase@frase.id.au>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 160D7C15109F for <acme@ietfa.amsl.com>; Thu, 6 Jul 2023 17:06:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.397
X-Spam-Level:
X-Spam-Status: No, score=-6.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, URI_NOVOWEL=0.5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BDhUwgJLA6ml for <acme@ietfa.amsl.com>; Thu, 6 Jul 2023 17:06:23 -0700 (PDT)
Received: from smtp02.aussiebb.com.au (smtp02.aussiebb.com.au [121.200.0.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86C90C15152B for <acme@ietf.org>; Thu, 6 Jul 2023 17:06:23 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp02.aussiebb.com.au (Postfix) with ESMTP id 69DF6100F60 for <acme@ietf.org>; Fri, 7 Jul 2023 10:06:20 +1000 (AEST)
X-Virus-Scanned: Debian amavisd-new at smtp02.aussiebb.com.au
Received: from smtp02.aussiebb.com.au ([127.0.0.1]) by localhost (smtp02.aussiebb.com.au [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2hYd3OP2esSY for <acme@ietf.org>; Fri, 7 Jul 2023 10:06:20 +1000 (AEST)
Received: by smtp02.aussiebb.com.au (Postfix, from userid 116) id 5CDF7100F8A; Fri, 7 Jul 2023 10:06:20 +1000 (AEST)
Received: from bacardi.hollandpark.frase.id.au (unknown [100.103.3.133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp02.aussiebb.com.au (Postfix) with ESMTPS id D30AB100A47; Fri, 7 Jul 2023 10:06:16 +1000 (AEST)
Received: from bacardi.hollandpark.frase.id.au (localhost [127.0.0.1]) by bacardi.hollandpark.frase.id.au (8.17.1/8.17.1) with ESMTPS id 36706FAu008551 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO); Fri, 7 Jul 2023 10:06:15 +1000 (AEST) (envelope-from frase@frase.id.au)
Received: (from fraser@localhost) by bacardi.hollandpark.frase.id.au (8.17.1/8.17.1/Submit) id 36706FWI008550; Fri, 7 Jul 2023 10:06:15 +1000 (AEST) (envelope-from frase@frase.id.au)
Date: Fri, 07 Jul 2023 10:06:15 +1000
From: Fraser Tweedale <frase@frase.id.au>
To: Paul van Brouwershaven <Paul.vanBrouwershaven=40entrust.com@dmarc.ietf.org>
Cc: Richard Barnes <rlb@ipv.sx>, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, "acme@ietf.org" <acme@ietf.org>
Message-ID: <ZKdW965KnS_C1P6n@bacardi.hollandpark.frase.id.au>
References: <168865435873.61106.2850041921157081937@ietfa.amsl.com> <CH0PR11MB5739FDB26BF675925C449AA69F2CA@CH0PR11MB5739.namprd11.prod.outlook.com> <CAL02cgSH1XM0krpYuCVP1VNpZ8EpprHog1+-oeQkN0a5bX8vHA@mail.gmail.com> <LV2PR11MB5975C3F165D41FBA2BEED912F82CA@LV2PR11MB5975.namprd11.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <LV2PR11MB5975C3F165D41FBA2BEED912F82CA@LV2PR11MB5975.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/o-P1fOtiIDyQvwkdXJJ93S5jZKI>
Subject: Re: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jul 2023 00:06:28 -0000

Hi all,

Paul, Mike, thank you for publishing the draft.  I am happy to see
ACME service discovery being discussed again.

For compare/contrast, I'd like to bring attention to my draft from a
couple years ago, which proposed a DNS-SD profile for ACME service
discovery, and which I presented at IETF 109:

- https://www.ietf.org/archive/id/draft-tweedale-acme-discovery-01.html
- https://datatracker.ietf.org/meeting/109/materials/slides-109-acme-service-discovery-00

Broadly contrasting the approaches, I note the following:

- Use of CAA means that this mechanism is only useful for
  discovering ACME servers for DNS identifiers.  There are ways you
  could work around this but they would use CAA records in improper
  ways.

- The main problem solved in my draft was: "in this /network
  environment/, what ACME servers can/should I use?"  The CAA-based
  proposal answers a different question: "for this /domain/, what
  ACME server should I use?"  But (a) why would a domain owner need
  to control this, and (b) it doesn't actually solve the problem
  stated in the abstract:

  > This often leaves domain owners at the mercy of their hosting
  > provider as to which Certification Authorities (CAs) can be used.

  The hosting provider can still control which ACME servers can be
  reached, regardless of the preferences expressed via CAA records.

Regarding registration of CAA attributes (IANA considerations): they
need to be registered in the "Certification Authority Restriction
Properties" registry:
https://www.iana.org/assignments/pkix-parameters/pkix-parameters.xhtml#caa-properties

Cheers,
Fraser


On Thu, Jul 06, 2023 at 06:33:01PM +0000, Paul van Brouwershaven wrote:
> Hi Richard,
> 
> Thanks for your feedback!
> So if I understand this correctly, the idea is that an ACME client that intends to obtain a certificate for example.com<https://urldefense.com/v3/__http://example.com__;!!FJ-Y8qCqXTj2!eD7c6YkKC17mdQGlDcEaGTQbmEgU6N2THkaQbM6RXa0FwMd1w2P8dNkfeej-TpOZBOANOymbB6sV_LXTPH7OoA$> will look up CAA records for example.com<https://urldefense.com/v3/__http://example.com__;!!FJ-Y8qCqXTj2!eD7c6YkKC17mdQGlDcEaGTQbmEgU6N2THkaQbM6RXa0FwMd1w2P8dNkfeej-TpOZBOANOymbB6sV_LXTPH7OoA$> and follow the guidance there as to which CA to contact?
> Correct
> Couple of observations on a quick skim:
> 
> A brief "protocol overview" section might be helpful to capture the intended happy-path flow.
> Have you looked at the diagram in chapter 5, ACME Client Behavior?
> https://www.ietf.org/archive/id/draft-vanbrouwershaven-acme-auto-discovery-01.html#name-acme-client-behavior
> 
> Would you suggest renaming this chapter?
> If folks are annoyed about the .well-known parts (as I am, a little): Since you're going to extend CAA anyway, you could just put a URL in there instead of overloading the CAA domain name.  For example, instead of the `discover` parameter being a boolean, you could just put the URL of the ACME server directory there.  (That would introduce a risk of divergence in the multiple-domain case, different ACME servers for the same CA domain, but that seems like it fails safely.)
> We have indeed considered putting the ACME server directly in the CAA record, as stated in paragraph 4 of chapter 4, ACME Client Configuration:
> 
> While an alternative consideration was to include the ACME server address directly as an attribute parameter in the CAA record, it was determined that this approach could introduce clutter and significantly increase the size of the record. Additionally, a rigid binding between the CAA record and the ACME server address may present challenges if the CA needs to change its server address in the future.
> 
> https://www.ietf.org/archive/id/draft-vanbrouwershaven-acme-auto-discovery-01.html#name-acme-client-configuration
> 
> In addition to the above, I would argue that the issuer domain name is much easier for users to configure.
> Section 3.1.2 says "the value "1" represents the highest priority", but Section 3.2 includes "the highest priority of 0".  In general, the document should be clear on how the default interacts with explicit priorities.
> Aaron Gable identified the same issue and created a pull request to address and clarify the priorities. I just released a 01 version with these changes.
> 
> ________________________________
> From: Richard Barnes <rlb@ipv.sx>
> Sent: Thursday, July 6, 2023 19:29
> To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>
> Cc: acme@ietf.org <acme@ietf.org>; Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>
> Subject: Re: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt
> 
> Hi Mike, Paul,
> 
> So if I understand this correctly, the idea is that an ACME client that intends to obtain a certificate for example.com<https://urldefense.com/v3/__http://example.com__;!!FJ-Y8qCqXTj2!eD7c6YkKC17mdQGlDcEaGTQbmEgU6N2THkaQbM6RXa0FwMd1w2P8dNkfeej-TpOZBOANOymbB6sV_LXTPH7OoA$> will look up CAA records for example.com<https://urldefense.com/v3/__http://example.com__;!!FJ-Y8qCqXTj2!eD7c6YkKC17mdQGlDcEaGTQbmEgU6N2THkaQbM6RXa0FwMd1w2P8dNkfeej-TpOZBOANOymbB6sV_LXTPH7OoA$> and follow the guidance there as to which CA to contact?
> 
> Couple of observations on a quick skim:
> 
> A brief "protocol overview" section might be helpful to capture the intended happy-path flow.
> 
> If folks are annoyed about the .well-known parts (as I am, a little): Since you're going to extend CAA anyway, you could just put a URL in there instead of overloading the CAA domain name.  For example, instead of the `discover` parameter being a boolean, you could just put the URL of the ACME server directory there.  (That would introduce a risk of divergence in the multiple-domain case, different ACME servers for the same CA domain, but that seems like it fails safely.)
> 
> Section 3.1.2 says "the value "1" represents the highest priority", but Section 3.2 includes "the highest priority of 0".  In general, the document should be clear on how the default interacts with explicit priorities.
> 
> Cheers,
> --RLB
> 
> 
> 
> On Thu, Jul 6, 2023 at 10:55 AM Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org<mailto:40entrust.com@dmarc.ietf.org>> wrote:
> Hi ACME!
> 
> This is new business that we would like to add to the agenda for 117.
> 
> Thanks,
> ---
> Mike Ounsworth & Paul van Brouwershaven
> 
> -----Original Message-----
> From: internet-drafts@ietf.org<mailto:internet-drafts@ietf.org> <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>>
> Sent: Thursday, July 6, 2023 9:39 AM
> To: Mike Ounsworth <Mike.Ounsworth@entrust.com<mailto:Mike.Ounsworth@entrust.com>>; Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com<mailto:Paul.vanBrouwershaven@entrust.com>>
> Subject: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt
> 
> WARNING: This email originated outside of Entrust.
> DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
> 
> ______________________________________________________________________
> 
> A new version of I-D, draft-vanbrouwershaven-acme-auto-discovery-00.txt
> has been successfully submitted by Paul van Brouwershaven and posted to the IETF repository.
> 
> Name:           draft-vanbrouwershaven-acme-auto-discovery
> Revision:       00
> Title:          Auto-discovery mechanism for ACME client configuration
> Document date:  2023-07-06
> Group:          Individual Submission
> Pages:          16
> URL:            https://www.ietf.org/archive/id/draft-vanbrouwershaven-acme-auto-discovery-00.txt<https://urldefense.com/v3/__https://www.ietf.org/archive/id/draft-vanbrouwershaven-acme-auto-discovery-00.txt__;!!FJ-Y8qCqXTj2!eD7c6YkKC17mdQGlDcEaGTQbmEgU6N2THkaQbM6RXa0FwMd1w2P8dNkfeej-TpOZBOANOymbB6sV_LVAiwKnsg$>
> Status:         https://datatracker.ietf.org/doc/draft-vanbrouwershaven-acme-auto-discovery/<https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-vanbrouwershaven-acme-auto-discovery/__;!!FJ-Y8qCqXTj2!eD7c6YkKC17mdQGlDcEaGTQbmEgU6N2THkaQbM6RXa0FwMd1w2P8dNkfeej-TpOZBOANOymbB6sV_LWMR1hgRw$>
> Html:           https://www.ietf.org/archive/id/draft-vanbrouwershaven-acme-auto-discovery-00.html<https://urldefense.com/v3/__https://www.ietf.org/archive/id/draft-vanbrouwershaven-acme-auto-discovery-00.html__;!!FJ-Y8qCqXTj2!eD7c6YkKC17mdQGlDcEaGTQbmEgU6N2THkaQbM6RXa0FwMd1w2P8dNkfeej-TpOZBOANOymbB6sV_LUJBCXjeQ$>
> Htmlized:    https://datatracker.ietf.org/doc/html/draft-vanbrouwershaven-acme-auto-discovery<https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/draft-vanbrouwershaven-acme-auto-discovery__;!!FJ-Y8qCqXTj2!eD7c6YkKC17mdQGlDcEaGTQbmEgU6N2THkaQbM6RXa0FwMd1w2P8dNkfeej-TpOZBOANOymbB6sV_LWo1Szs0A$>
> 
> 
> Abstract:
>    A significant impediment to the widespread adoption of the Automated
>    Certificate Management Environment (ACME) [RFC8555] is that ACME
>    clients need to be pre-configured with the URL of the ACME server to
>    be used.  This often leaves domain owners at the mercy of their
>    hosting provider as to which Certification Authorities (CAs) can be
>    used.  This specification provides a mechanism to bootstrap ACME
>    client configuration from a domain's DNS CAA Resource Record
>    [RFC8659], thus giving control of which CA(s) to use back to the
>    domain owner.
> 
>    Specifically, this document specifies two new extensions to the DNS
>    CAA Resource Record: the "discovery" and "priority" parameters.
>    Additionally, it registers the URI "/.well-known/acme" at which all
>    compliant ACME servers will host their ACME directory object.  By
>    retrieving instructions for the ACME client from the authorized
>    CA(s), this mechanism allows for the domain owner to configure
>    multiple CAs in either load-balanced or fallback prioritizations
>    which improves user preferences and increases diversity in
>    certificate issuers.
> 
> 
> 
> 
> The IETF Secretariat
> 
> 
> Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
> _______________________________________________
> Acme mailing list
> Acme@ietf.org<mailto:Acme@ietf.org>
> https://www.ietf.org/mailman/listinfo/acme<https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/acme__;!!FJ-Y8qCqXTj2!eD7c6YkKC17mdQGlDcEaGTQbmEgU6N2THkaQbM6RXa0FwMd1w2P8dNkfeej-TpOZBOANOymbB6sV_LWRYQnK_A$>

> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme

v2.23.0 | Report a Bug | By Email