IETF Logo Mail Archive

[Acme] Re: ACME discovery drafts looking for an author

"Liuchunchi(Peter)" <liuchunchi@huawei.com> Tue, 01 April 2025 07:22 UTC

Return-Path: <liuchunchi@huawei.com>
X-Original-To: acme@mail2.ietf.org
Delivered-To: acme@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 1A2B5159E41A for <acme@mail2.ietf.org>; Tue, 1 Apr 2025 00:22:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.197
X-Spam-Level:
X-Spam-Status: No, score=-4.197 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yfB95ExN-cXm for <acme@mail2.ietf.org>; Tue, 1 Apr 2025 00:22:05 -0700 (PDT)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id AF123159E40E for <acme@ietf.org>; Tue, 1 Apr 2025 00:22:00 -0700 (PDT)
Received: from mail.maildlp.com (unknown [172.18.186.31]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4ZRfYz1QcDz6L57g for <acme@ietf.org>; Tue, 1 Apr 2025 15:21:27 +0800 (CST)
Received: from lhrpeml100004.china.huawei.com (unknown [7.191.162.219]) by mail.maildlp.com (Postfix) with ESMTPS id 4C3A614072B for <acme@ietf.org>; Tue, 1 Apr 2025 15:21:59 +0800 (CST)
Received: from kwepemf200006.china.huawei.com (7.202.181.232) by lhrpeml100004.china.huawei.com (7.191.162.219) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.39; Tue, 1 Apr 2025 08:21:58 +0100
Received: from kwepemo200018.china.huawei.com (7.202.195.205) by kwepemf200006.china.huawei.com (7.202.181.232) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Tue, 1 Apr 2025 15:21:56 +0800
Received: from kwepemo200018.china.huawei.com ([7.202.195.205]) by kwepemo200018.china.huawei.com ([7.202.195.205]) with mapi id 15.02.1544.011; Tue, 1 Apr 2025 15:21:56 +0800
From: "Liuchunchi(Peter)" <liuchunchi@huawei.com>
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, "acme@ietf.org" <acme@ietf.org>
Thread-Topic: ACME discovery drafts looking for an author
Thread-Index: AduZeGev8Rr+K8ZnRvWbWxBdlWpbxgJWbZnA
Date: Tue, 01 Apr 2025 07:21:55 +0000
Message-ID: <52493c2579394eba926ec0129d7aca52@huawei.com>
References: <CH0PR11MB57393FF8E15C42DFC79EF6A19FD82@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB57393FF8E15C42DFC79EF6A19FD82@CH0PR11MB5739.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.136.114.71]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Message-ID-Hash: OXMUOJTXNAG4MGSZPE5ZKRJQHCGEVVJI
X-Message-ID-Hash: OXMUOJTXNAG4MGSZPE5ZKRJQHCGEVVJI
X-MailFrom: liuchunchi@huawei.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-acme.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Acme] Re: ACME discovery drafts looking for an author
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/txTDhCT4bz1hL-rmZEWAmp29yUc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Owner: <mailto:acme-owner@ietf.org>
List-Post: <mailto:acme@ietf.org>
List-Subscribe: <mailto:acme-join@ietf.org>
List-Unsubscribe: <mailto:acme-leave@ietf.org>

If I get it right, you are maintaining a whitelist of authorized clients (via pks) that can request issued certificates from SP/CA. This part is quite clear. 

My question is about this "certificate" that needs distribution restraining -- is it the server certificate (of a web)? If it is, I thought it is free to distribute in order to visit the service?

If it does need distribution restraining, the reason I can think of is "private key is also maintained by the SP/CA so they can be used together for third party adversary to spoof my domain". But this becomes more of a private key protection problem...  I think it is interesting work but I am just trying to understand the exact value use case.

And what are the required works for it to proceed?

Peter

> -----Original Message-----
> From: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>
> Sent: Thursday, March 20, 2025 5:28 PM
> To: acme@ietf.org
> Subject: [Acme] ACME discovery drafts looking for an author
> 
> Hi ACME,
> 
> As I said during ACME today, I have a pair of (expired) drafts that I can no
> longer continue to put time and effort into. They are looking for a new lead
> author. FREE TO A GOOD HOME!
> 
> They are:
> 
> draft-vanbrouwershaven-acme-auto-discovery
> draft-vanbrouwershaven-acme-client-discovery
> 
> The idea of the drafts is:
> 
> acme-auto-discovery:
> What if your website is hosted by a cloud hosting provider and their UI only
> gives you two options for where to get a certificate for your website: A) use
> the CA of the cloud provider's choice over ACME, B) upload a PEM file. The
> first means that you have no ability to manage that certificate, control which
> clients can request that certificates, manage how many copies of that
> certificate get issued, or revoke that certificate. It also becomes very difficult
> to monitor CT logs for abuse of your website since you have no visibility into
> which cert requests were made on your behalf. This also leads to lack of CA
> diversity since many cloud hosters use the same small number of CAs. Option
> B) "upload PEM file" is going to become an extinct species with the push to
> 45-day certificates and beyond. This draft provides a mechanism where you
> can put in your website's CAA DNS record (although maybe SRV would be
> better?) the URL and CA Account info for where you would like the ACME
> client to go to retrieve a cert for your domain.
> 
> 
> acme-client-discovery:
> If, using the above mechanism, you wish to configure at your CA an allow-list
> of ACME clients that may request certs for your domain, how would you do it?
> The obvious way is to configure an allow-list of ACME Client public keys,
> however a naïve approach here would lock-in keys such that hosting providers
> cannot rotate ACME client keys or add new ACME clients. This draft registers
> a .well-known URI at which a hosting provider can publish the set of public
> keys that belong to its ACME clients. Essentially, a level of abstraction for
> allow-listing ACME clients that may request certificates against your CA
> account.
> 
> 
> These drafts have had some design team iterations and are fairly mature, but
> will require some effort to get them through adoption and WGLC. If you think
> these problems are worth solving, these drafts can be yours free-of-charge! I
> would be happy to stay on either as a secondary author or document
> shepherd, but I can no longer dedicate time to advancing them.
> 
> ---
> Mike Ounsworth
> Software Security Architect, Entrust
> 
> Any email and files/attachments transmitted with it are intended solely for
> the use of the individual or entity to whom they are addressed. If this message
> has been sent to you in error, you must not copy, distribute or disclose of the
> information it contains. Please notify Entrust immediately and delete the
> message from your system.
> 
> _______________________________________________
> Acme mailing list -- acme@ietf.org
> To unsubscribe send an email to acme-leave@ietf.org

v2.31.3 | Report a Bug | By Email | System Status