Re: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt

Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com> Thu, 13 July 2023 09:01 UTC

From: Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>
To: Carl Wallace <carl@redhoundsoftware.com>, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, "acme@ietf.org" <acme@ietf.org>
Thread-Topic: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt
Date: Thu, 13 Jul 2023 09:00:45 +0000
Message-ID: <LV2PR11MB59756958892C4D6A1D4DDECEF837A@LV2PR11MB5975.namprd11.prod.outlook.com>
References: <BB39F277-C855-4BE2-9E1D-F0792F87C7D0@redhoundsoftware.com> <LV2PR11MB5975A1AF940F81E6F3CB7B97F836A@LV2PR11MB5975.namprd11.prod.outlook.com> <LV2PR11MB59751210E50ADE0F9EA69549F836A@LV2PR11MB5975.namprd11.prod.outlook.com> <0BE16C61-3091-4CB1-B2BD-911D43499A36@redhoundsoftware.com>
In-Reply-To: <0BE16C61-3091-4CB1-B2BD-911D43499A36@redhoundsoftware.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/oLNbiunGj_73L6xe43rL0-J654o>
Subject: Re: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>

I have rewritten items 3.x in section 5.1 (https://vanbroup.github.io/acme-auto-discovery/draft-vanbrouwershaven-acme-auto-discovery.html#section-5.1) and hope this makes it easier to understand. The example (https://vanbroup.github.io/acme-auto-discovery/draft-vanbrouwershaven-acme-auto-discovery.html#section-5.1.1) is also slightly updated but might no longer be needed; what do you think?


________________________________
From: Carl Wallace <carl@redhoundsoftware.com>
Sent: Wednesday, July 12, 2023 22:02
To: Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>; Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>; acme@ietf.org <acme@ietf.org>
Subject: Re: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt


The example is good, but it doesn’t quite get at the issue. I think the problematic text is “if no common CA is found.” In the example, there is a common CA, there are just different priorities. It does help clarify the “as few domains” part though. Maybe something like “if all domains do not prefer the same CA, the ACME client tries…” would be more clear.



From: Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>
Date: Wednesday, July 12, 2023 at 2:30 PM
To: Carl Wallace <carl@redhoundsoftware.com>, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt



>> - In 5.1, what does 3.b mean? Can you add an example?
> I will try to add an example here.



Does this example help to clarify the intent of 3.b?

https://vanbroup.github.io/acme-auto-discovery/draft-vanbrouwershaven-acme-auto-discovery.html#name-selecting-a-common-ca-throu

The other changes have also been incorporated.



________________________________

From: Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>
Sent: Wednesday, July 12, 2023 18:16
To: Carl Wallace <carl@redhoundsoftware.com>; Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>; acme@ietf.org <acme@ietf.org>
Subject: Re: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt



Thanks for your detailed review!

- Why is the draft informational and not standards track?

Most people I spoke to, while discussing the idea, thought that it would need to be informational, but if people here feel that this needs to be changed to standards track, I'm fine with that too. I'm relatively new to the drafting process.

- Why does absence turn the feature on? Wouldn't this invite sending spurious requests for ACME information to CAs configured before this draft existed that do not support ACME?

The reason is that with the move to shorter-lived certificates, automation will become essential. If we default to off, we will likely only see CAA records with this option enabled.

The benefit of these spurious requests is that it would give a clear signal to these CAs that they might need to adopt ACME and/or auto discovery, something that is also pushed by the root programs.

If an account binding is required (which is the case for most commercial CAs) the user will be asked to establish this binding, but no certificates will be issued until the account binding is established. When no account binding is required, the certificate will automatically be replaced by the authorized CA.

See also the security considerations in section 8.1.

- Is a boolean the right type for discovery or should it be a string that indicates the protocol that is the target of auto-discovery?

The protocol is already indicated by the property (i.e., issue, issuewild, vmc, issuemail, etc.)


- Do/ought parent domains apply (as they do in CAA)? If not, it might be worth a few words since the usage here is different.

Yes they do, section 5 states "The ACME client initiates a DNS lookup to retrieve the CAA record(s) according to [RFC8659]", which specifies how CAA lookups need to be performed.

- In the next to last example in 3.2, why does EV without priority go first?

It should not; we updated the logic later. I will get this corrected by including a priority here as well.

- In 5.1, you might want to replace the long paragraph with bullets.

This is fixed on GitHub (https://vanbroup.github.io/acme-auto-discovery/draft-vanbrouwershaven-acme-auto-discovery.html) and will be included in the next release.

- In 5.1, what does 3.b mean? Can you add an example?

I will try to add an example here.

- You should expand QWAC on first use and maybe add an informational reference.

Yes, I will add the meaning of the abbreviations and maybe a reference there.



Thanks,



Paul



________________________________

From: Carl Wallace <carl@redhoundsoftware.com>
Sent: Wednesday, July 12, 2023 17:48
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>; acme@ietf.org <acme@ietf.org>
Cc: Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>
Subject: Re: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt



This looks like a useful addition. Here are a few comments and questions:

- Why is the draft informational and not standards track?

- Why does absence turn the feature on? Wouldn't this invite sending spurious requests for ACME information to CAs configured before this draft existed that do not support ACME?

- Is a boolean the right type for discovery or should it be a string that indicates the protocol that is the target of auto-discovery?

- Do/ought parent domains apply (as they do in CAA)? If not, it might be worth a few words since the usage here is different.

- In the next to last example in 3.2, why does EV without priority go first?

- In 5.1, you might want to replace the long paragraph with bullets.

- In 5.1, what does 3.b mean? Can you add an example?

- You should expand QWAC on first use and maybe add an informational reference.


On 7/6/23, 10:54 AM, "Acme on behalf of Mike Ounsworth" <acme-bounces@ietf.org on behalf of Mike.Ounsworth=40entrust.com@dmarc.ietf.org> wrote:


Hi ACME!


This is new business that we would like to add to the agenda for 117.


Thanks,
---
Mike Ounsworth & Paul van Brouwershaven


-----Original Message-----
From: internet-drafts@ietf.org <internet-drafts@ietf.org>
Sent: Thursday, July 6, 2023 9:39 AM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>
Subject: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt




A new version of I-D, draft-vanbrouwershaven-acme-auto-discovery-00.txt
has been successfully submitted by Paul van Brouwershaven and posted to the IETF repository.


Name: draft-vanbrouwershaven-acme-auto-discovery
Revision: 00
Title: Auto-discovery mechanism for ACME client configuration
Document date: 2023-07-06
Group: Individual Submission
Pages: 16
URL: https://www.ietf.org/archive/id/draft-vanbrouwershaven-acme-auto-discovery-00.txt
Status: https://datatracker.ietf.org/doc/draft-vanbrouwershaven-acme-auto-discovery/
Html: https://www.ietf.org/archive/id/draft-vanbrouwershaven-acme-auto-discovery-00.html
Htmlized: https://datatracker.ietf.org/doc/html/draft-vanbrouwershaven-acme-auto-discovery

Abstract:
A significant impediment to the widespread adoption of the Automated
Certificate Management Environment (ACME) [RFC8555] is that ACME
clients need to be pre-configured with the URL of the ACME server to
be used. This often leaves domain owners at the mercy of their
hosting provider as to which Certification Authorities (CAs) can be
used. This specification provides a mechanism to bootstrap ACME
client configuration from a domain's DNS CAA Resource Record
[RFC8659], thus giving control of which CA(s) to use back to the
domain owner.


Specifically, this document specifies two new extensions to the DNS
CAA Resource Record: the "discovery" and "priority" parameters.
Additionally, it registers the URI "/.well-known/acme" at which all
compliant ACME servers will host their ACME directory object. By
retrieving instructions for the ACME client from the authorized
CA(s), this mechanism allows for the domain owner to configure
multiple CAs in either load-balanced or fallback prioritizations
which improves user preferences and increases diversity in
certificate issuers.

The IETF Secretariat




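Added example (not part of the thread, and not code from the draft): a small Python model of the client-side steps that the abstract and the replies above describe, run against constructed zone data instead of live DNS. It finds the relevant CAA RRset by walking up parent domains as RFC 8659 prescribes (the point Paul makes about section 5), keeps only "issue" records whose discovery has not been switched off (absence turns it on, as discussed), orders them by the "priority" parameter, builds the "/.well-known/acme" directory URL the abstract mentions, and then picks one CA that every domain in a multi-name order authorizes, which is the "common CA with different priorities" case Carl raises about 3.b. Assumptions, since the thread does not settle them: the opt-out spelling is "discovery=false", a lower priority number is preferred and records without a priority sort last, the directory lives on the issuer-domain-name host, and the tie-break between CAs shared by all domains (smallest worst-case rank, then smallest rank sum, then name) is this example's own rule, not the draft's. Only "issue" records are handled; "issuewild" precedence for wildcard names is left out.

```python
"""Constructed model of CAA-based ACME auto-discovery (added example, not draft code).
Assumptions: discovery is on unless "discovery=false"; a lower "priority" value is
preferred and records without one sort last; the directory is assumed to live at
https://<issuer-domain-name>/.well-known/acme. Only "issue" records are considered."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed zone data standing in for DNS answers: owner name -> CAA RDATA strings.
ZONE = {
    "example.com": [
        '0 issue "ca-a.example; priority=10"',
        '0 issue "ca-b.example; priority=20"',
        '0 issue "legacy-ca.example; discovery=false"',  # authorized, but opted out of discovery
        '0 issuewild ";"',                                # no wildcard issuance at all
    ],
    "www.example.com": [],                                # no CAA of its own: inherits example.com
    "shop.example.net": [
        '0 issue "ca-b.example; priority=10"',
        '0 issue "ca-c.example; priority=20"',
        '0 issue "ca-a.example; priority=30"',
    ],
    "api.example.org": [
        '0 issue "ca-c.example"',                         # no priority: sorts after prioritized records
        '0 issue "ca-b.example; priority=10"',
    ],
    "mail.example.org": ['0 issue "ca-c.example"'],
}

# RDATA presentation format: <flags> <tag> "<value>"
CAA_RE = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"$')


@dataclass(frozen=True)
class Candidate:
    ca: str               # issuer-domain-name from the CAA value
    priority: int | None  # "priority" parameter, if present
    discovery: bool       # False only when "discovery=false" is present (assumption)


def relevant_rrset(fqdn: str, zone: dict = ZONE) -> tuple[str, list[str]]:
    """RFC 8659 section 3: the relevant RRset is the first non-empty CAA RRset
    found at X, then P(X), P(P(X)), ... Returns (owner name, records)."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return "", []


def parse_issue(rdata: str) -> Candidate | None:
    """Parse one CAA record; return a Candidate for an 'issue' record naming a CA, else None."""
    m = CAA_RE.match(rdata.strip())
    if not m:
        raise ValueError(f"malformed CAA record: {rdata!r}")
    _flags, tag, value = m.groups()
    if tag.lower() != "issue":
        return None
    # RFC 8659 section 4.2: issuer-domain-name, then ';'-separated name=value parameters
    issuer, *raw_params = (p.strip() for p in value.split(";"))
    if not issuer:   # a value of ";" means no CA is authorized
        return None
    params = {}
    for p in raw_params:
        if p:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip()
    prio = params.get("priority")
    return Candidate(
        ca=issuer.lower(),
        priority=int(prio) if prio is not None and prio.isdigit() else None,
        discovery=params.get("discovery", "true").lower() != "false",  # absence = on
    )


def discoverable_cas(fqdn: str, zone: dict = ZONE) -> list[Candidate]:
    """Ordered preference list for one name: discovery-enabled 'issue' records,
    lowest priority value first, records without a priority last (assumption)."""
    _, rrs = relevant_rrset(fqdn, zone)
    cands = [c for c in map(parse_issue, rrs) if c is not None and c.discovery]
    return sorted(cands, key=lambda c: (c.priority is None, c.priority or 0, c.ca))


def select_common_ca(domains: list[str], zone: dict = ZONE) -> str | None:
    """Choose one CA that every name in a multi-name order authorizes.
    Tie-break (this example's rule, not the draft's): best worst-case rank
    across the names, then best rank sum, then name."""
    ranked = {d: [c.ca for c in discoverable_cas(d, zone)] for d in domains}
    if not ranked:
        return None
    common = set.intersection(*(set(r) for r in ranked.values()))
    if not common:
        return None  # caller must split the order into per-CA certificates

    def score(ca: str) -> tuple[int, int, str]:
        ranks = [ranked[d].index(ca) for d in domains]
        return (max(ranks), sum(ranks), ca)

    return min(common, key=score)


def directory_url(ca: str) -> str:
    """The abstract registers /.well-known/acme for the directory object; the
    host is assumed to be the issuer-domain-name from the CAA record."""
    return f"https://{ca}/.well-known/acme"


if __name__ == "__main__":
    order = ["www.example.com", "shop.example.net"]
    for d in order:
        print(d, "->", [(c.ca, c.priority) for c in discoverable_cas(d)])
    chosen = select_common_ca(order)
    print("common CA:", chosen, "directory:", directory_url(chosen) if chosen else None)
```

With the constructed zone, www.example.com inherits example.com and prefers ca-a over ca-b, while shop.example.net ranks ca-b, then ca-c, then ca-a; both authorize ca-a and ca-b, and the tie-break picks ca-b because no name ranks it worse than second. Pairing www.example.com with mail.example.org (ca-c only) yields no common CA, which is the case where a client would have to split the order.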