Re: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt

Mike Ounsworth <Mike.Ounsworth@entrust.com> Fri, 07 July 2023 01:56 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Fraser Tweedale <frase@frase.id.au>, Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>
CC: Richard Barnes <rlb@ipv.sx>, "acme@ietf.org" <acme@ietf.org>
Date: Fri, 07 Jul 2023 01:55:52 +0000
Message-ID: <CH0PR11MB57398336D760C6FEA94E21169F2DA@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <168865435873.61106.2850041921157081937@ietfa.amsl.com> <CH0PR11MB5739FDB26BF675925C449AA69F2CA@CH0PR11MB5739.namprd11.prod.outlook.com> <CAL02cgSH1XM0krpYuCVP1VNpZ8EpprHog1+-oeQkN0a5bX8vHA@mail.gmail.com> <LV2PR11MB5975C3F165D41FBA2BEED912F82CA@LV2PR11MB5975.namprd11.prod.outlook.com> <ZKdW965KnS_C1P6n@bacardi.hollandpark.frase.id.au> <ZKde4llTB-dpA3Kj@bacardi.hollandpark.frase.id.au>
In-Reply-To: <ZKde4llTB-dpA3Kj@bacardi.hollandpark.frase.id.au>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/qFDDqb2M80MUq40SV_9A2o__a_g>

Thanks for the comments Fraser.

Guilty as charged -- we were not thinking about private enterprise environments when we wrote it; we were thinking about publicly-reachable servers on public clouds getting certs from public CAs. In that context, the quote from the abstract "at the mercy of their hosting provider as to which Certification Authorities (CAs) can be used" is less about the ACME server being reachable in a network sense, and more about public hosting providers -- quite reasonably -- not wanting to maintain a dropdown menu of every ACME server on the internet. Typically if you want to use a CA other than the single one that your hosting provider knows how to ACME to, then your only option is to manually upload a PEM file. Yuck. The other assumption here is that this draft is really for domain owners who care enough about where their certs come from to have a "favourite CA" because people who don't care will be happy to use whatever default ACME server.

That said, it's interesting to think about how this could apply to your enterprise problem of "find me /some/ ACME server that I can reach/use in this network zone". Assuming a private network with multiple DNS zones, you could configure your private DNS to slap on a constant CAA record across a DNS zone, and that gives you your "give me an ACME server, any one will do", right?

Out of curiosity, what happened to draft-tweedale-acme-discovery? Did it just not have enough momentum to proceed? Searching on the ACME list archive did not turn up very much discussion.

---
Mike Ounsworth

-----Original Message-----
From: Fraser Tweedale <frase@frase.id.au>
Sent: Thursday, July 6, 2023 7:40 PM
To: Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>
Cc: Richard Barnes <rlb@ipv.sx>; Mike Ounsworth <Mike.Ounsworth@entrust.com>; acme@ietf.org
Subject: Re: [Acme] FW: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt

On Fri, Jul 07, 2023 at 10:06:15AM +1000, Fraser Tweedale wrote:
> - The main problem solved in my draft was: "in this /network
>   environment/, what ACME servers can/should I use?"  The CAA-based
>   proposal answers a different question: "for this /domain/, what
>   ACME server should I use?"  But (a) why would a domain owner need
>   to control this, and (b) it doesn't actually solve the problem
>   stated in the abstract:
>
>   > This often leaves domain owners at the mercy of their hosting
>   > provider as to which Certification Authorities (CAs) can be used.
>
>   The hosting provider can still control which ACME servers can be
>   reached, regardless of the preferences expressed via CAA records.
>

With respect to (a) - never mind.  I thought about it some more and the answer is obvious.  Where a CA authorization (i.e. restriction) exists in the form of a CAA record, it is useful to be able to direct a client to the authorized issuer(s) for the affected domain(s).

I see that your draft solves a real problem.  But it does not help much in enterprise environments, where the question is often "find me /some/ ACME server that I can reach/use, or which the administrators prefer".  Two different problems, two complementary approaches.

Thanks,
Fraser
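An added illustration of the CAA semantics both messages lean on (this is example code, not from the draft or either author): a client locates the CAA RRset that governs a name by climbing the DNS tree as RFC 8659 specifies, which is why one record at the zone apex covers every name beneath it, and then checks whether a given CA is authorized to issue. The zone data is constructed inline so it runs offline; `accounturi` is the RFC 8657 parameter, the other names are assumptions.

```python
from typing import Optional

# Constructed stand-in for DNS (not real records): name -> [(flags, tag, value)].
# Only the zone apex carries CAA, so every name beneath it inherits the policy.
CONSTRUCTED_ZONE = {
    "corp.example": [
        (0, "issue", "ca.example; accounturi=https://acme.corp.example/acct/42"),
        (0, "issuewild", ";"),              # empty issuer: nobody may issue wildcards
        (0, "iodef", "mailto:pki@corp.example"),
    ],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def find_caa_set(name: str, zone: dict) -> tuple[str, list]:
    """RFC 8659 s.3: the relevant RRset is that of the closest ancestor-or-self
    name that has CAA records; an apex record therefore covers the whole zone."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return "", []

def parse_issue_value(value: str) -> tuple[Optional[str], dict]:
    """Split 'issuer-domain; k=v; ...' into (issuer or None, parameters)."""
    head, *rest = [p.strip() for p in value.split(";")]
    params = {}
    for p in rest:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip()] = v.strip()
    return (head.lower() or None), params

def is_authorized(ca_domain: str, name: str, zone: dict, wildcard: bool = False) -> bool:
    """Would a CA identified by `ca_domain` be allowed to issue for `name`?"""
    _, rrset = find_caa_set(name, zone)
    # A critical (flag bit 128) property the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    # Wildcard names use issuewild when present, otherwise fall back to issue.
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    relevant = [v for _, t, v in rrset if t == tag]
    if not relevant:
        return True  # no restricting property in the relevant set: any CA may issue
    allowed = {parse_issue_value(v)[0] for v in relevant} - {None}
    return ca_domain.lower() in allowed
```

Note that authorization via CAA says nothing about reachability: a name can authorize `ca.example` while the network still blocks that CA's ACME endpoint, which is the gap Fraser points out.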