[Acme] Re: Call for adoption: draft-geng-acme-public-key-06 (Ends 2026-05-12)
皮皮猪 <507069@qq.com> Tue, 05 May 2026 23:47 UTC
Return-Path: <507069@qq.com>
X-Original-To: acme@mail2.ietf.org
Delivered-To: acme@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 7CA2FE9909A9; Tue, 5 May 2026 16:47:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1778024844; bh=Qg9rjTSfj4dRI9QK0HZUBk0MLtREDEaqikRIBitVc5k=; h=From:To:Cc:Subject:Date:References:In-Reply-To; b=VQUHcMk9TUWKrPHyJ0BuZ2/FW0hGZFpPpi1nd1/mHGpo7dHzIDgePNd+ry8zzafic 4hp9bCIN9EcOo00lBlo18M8m7YmJlBNyYSBuqploQWyeMH51KyfXkZL7/KHrG4acSk 2+FKTfZOMVpYgX5aDDnbXWM5ARGDsn9RF4PdBL/M=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.846
X-Spam-Level:
X-Spam-Status: No, score=-1.846 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=qq.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sd9dnbcUutlr; Tue, 5 May 2026 16:47:20 -0700 (PDT)
Received: from xmbghk7.mail.qq.com (xmbghk7.mail.qq.com [43.163.128.43]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 1453CE99099B; Tue, 5 May 2026 16:47:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qq.com; s=s201512; t=1778024828; bh=1gLRl00QuW+TbqRa4QfxHY7q1ypL1oDNsprkoWa0hQQ=; h=From:To:Cc:Subject:Date:References:In-Reply-To; b=vN894gJQXXpxHdRihJWDcEZKzlC/iOBsupfdIiOKmcNd5N1hTe2cOw+wswqduiroC F5hSDDePVdf2GxGvkBL8JnkZUIasLPwwak7eiwN0DHnbgr7+w1YrmXJIh0VnXt8PsG F1JDM4MxfHeLmbBxpKw2tgaeFrR0t1o+y5iLMA90=
X-QQ-XMRINFO: Mp0Kj//9VHAx39LQShQ63iTqdJn5UuyUvg==
X-QQ-XMAILINFO: NX669osvFPDa21lEg1/vNdFYUKyUg+I5Z4mQfzuKPBL+sdxepSgyQLctpaHVHA i4TS907VnLOCD8UAJslANbbMsAiPB4NAGl7rWiQ24bXLroiqz89PEh4SV3wqaNLSk38eYHT+7+hq9 48JI9mLhj0YmPdR3Jd5sNRtEGnsGq931GnUHa5UG2R8mwnFJ2CeEth7Hxule63gluWza9UE51duHo iG6tvH2r6C53J2ZZDkIFY9WOzvAs+lKj8gELOYclScwQ6pB352+akNh8St/vGSmpJTdJzzYda0t53 noi0gqCyLuXICf5J0C0eTWCCXBXBRQZr88JPcVX7bOdljRHArhVSa5M5xRF/oIrWZzwKTVUqU8DCp unxm9/4C2YB4mHk+AgWJadaEDZdWH7SudGi/nZn1i7dLn+dGq/vHbJ52judaJ5EtcrzwobjT0304j AhH8LMjruorI6rStgT2DK2rLA99IwNBwgbEYJ9E/iu7jSa5bI5qwYoEkWhQBwOh4a8JElMKyoVHC4 kHYsAfCA6vhOhziUqJxefxjRtsqEHajPXCio/vcnKTu5qtX9Pho2y7OmcLBFoknRYJP0L+geSsaIU qlX8Gp0vY0Rv8zKMU9hbgsOiPKvqhP7uc78JkYZw01VbQwobRQCX7d+YG/9Jv/kM7x2EdX7d44nVl +1pjMrr5fNUvvJcAhS1gym9awD4bqixF6zrqVoSBQLbY58Sn/sdn3vosxQxNpCW55KRQYSezoPl+y Sh+SksVGeaYra8a3tCJ+ERdbv18A8qmPtv/EvUHlStbIB8SltFjCojODcYHA7Fldlq2LNGRhn/1oU JQLyDkgdnazSYG2OR7x88c8PsceKO0SmiIxuHctWnR+0TOdMKVCyPUiqO7p4cMSN1URClumTT3vUh CeAgzCcYF5+GVW/oqKS4zKAeOBPB3dD3ZmKN2Q6ONQhT7U6CEsiaJ7gsSglZGCOs7UoI1VwicBYTE huS5e7d7AY4lNMKTa5zsTmglBJNgol6KAIHOL27vhIwg73PgEl8jpPQbLmnunyDk1a+JVuASxAtco 7AC2T7IH2JdP2KKtTknedZNf/R3FYPsP8FiSAGPPKJb8AeXg=
From: 皮皮猪 <507069@qq.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_69FA817B_7B6026E0_1050AEF3"
Content-Transfer-Encoding: 8bit
Date: Wed, 06 May 2026 07:47:07 +0800
X-Priority: 3
Message-ID: <tencent_7146BE905DBABB49315C4106E6AE619D2D0A@qq.com>
X-QQ-MIME: TCMime 1.0 by Tencent
X-Mailer: QQMail 2.x
X-QQ-Mailer: QQMail 2.x
References: <177741722137.243357.10440835172964235548@dt-datatracker-b45949c58-t72jx> <15374.1777570611@obiwan.sandelman.ca> <3BE2723E-6FD5-45F3-B5AF-BE5C2D05B91F@trustasia.com> <23423.1777994174@obiwan.sandelman.ca>
In-Reply-To: <23423.1777994174@obiwan.sandelman.ca>
X-QQ-mid: xmseza56-0t1778024827ti0d0ri7c
Message-ID-Hash: FDZ33MDV4ED5736ALF3BV4JSBPEWAJUC
X-Message-ID-Hash: FDZ33MDV4ED5736ALF3BV4JSBPEWAJUC
X-MailFrom: 507069@qq.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-acme.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "acme@ietf.org" <acme@ietf.org>, "wupanyuuu@gmail.com" <wupanyuuu@gmail.com>, draft-geng-acme-public-key <draft-geng-acme-public-key@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Acme] Re: Call for adoption: draft-geng-acme-public-key-06 (Ends 2026-05-12)
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/uynJqY7hMCvo1sUDq9EalCk2CA8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Owner: <mailto:acme-owner@ietf.org>
List-Post: <mailto:acme@ietf.org>
List-Subscribe: <mailto:acme-join@ietf.org>
List-Unsubscribe: <mailto:acme-leave@ietf.org>
Hi Michael,
To clarify the architectural reasoning behind the pk-01 proposal, I would like to outline how we see the verification dimensions in ACME.
ACME [RFC8555] models certificate enrollment as an order containing a set of identifiers. Each identifier maps to an authorization that carries a set of challenges. Existing challenges such as dns-01 and http-01 address Domain Control Validation (DCV).
Early versions of the pk-01 draft (prior to -05) also explored Identity Control Validation (ICV) for non-DCV scenarios. This line of exploration originated from the sso-01 draft and several subsequent related drafts.At that stage, public-key identity binding and Proof-of-Possession (PoP) were interleaved, aiming to shift the paradigm from "controlling communication resources" toward "controlling the claimed identity."
Following extensive discussion, beginning around draft -05/-06, community feedback converged on the view that PoP should be fully decoupled as an independent component. The central question, therefore, is not whether to replace the CSR, but rather: what mechanism should prove possession of a public key, and how can that mechanism be combined orthogonally with both the existing DCV framework in ACME and any future ICV?
In short, the ACME protocol suite comprises three independent verification dimensions, each supported by its own protocol framework. DCV and ICV stand as parallel capabilities; either can independently satisfy identifier validation and support certificate issuance. PoP is an independent verification dimension. It may be used together with DCV or ICV and may also serve alone as the basis for certificate requests when an order contains only the "pk" identifier.
In my understanding, the three are fully orthogonal to each other.
ACME identifier
|
+------------+------------+
| | |
dns-01 pk-01 idp-01
| | |
v v v
DCV PoP ICV
| (fully decoupled) |
+------------+------------+
| |
DCV + (PoP) ICV + (PoP)
DCV [RFC8555]: Do you control this domain name?
ICV (idp-01): Do you control this identity?
PoP (pk-01): Do you possess this private key?
Best regards
Geng Feng
原始邮件
发件人:Michael Richardson <mcr+ietf@sandelman.ca>
发件时间:2026年5月5日 23:16
抄送:acme@ietf.org <acme@ietf.org>, 507069@qq.com <507069@qq.com>, wupanyuuu@gmail.com <wupanyuuu@gmail.com>
主题:Re: [Acme] Call for adoption: draft-geng-acme-public-key-06 (Ends 2026-05-12)
palos.chen <palos.chen@trustasia.com> wrote:
>> It seems that this almost suffers from the same mis-understanding of
>> challenges as acme-rats originally did. At least though, the intention
>> is that it is pk-01 OR dns-01 OR http-01 OR ... (not AND as rats
>> needed)
> In -07, pk-01 is no longer entangled with identifier validation. We
> introduced a new "pk" identifier type (Section 3); pk-01 is bound to
> "pk" identifiers and proves possession of the certificate private key
> only. Existing challenges (dns-01, http-01, ...) remain bound to their
> own identifier types per [RFC8555] without modification.
But, it's the wrong approach.
You have to change pk-01 each time someone comes along with a new challenge
type. What you are doing is orthogonal to the challenge.
> The async/sync modes of -06 are entirely removed in -07. pk-01 no
> longer carries any identifier control role. Existing extensions
> (onion-csr-01, subdomain, dns-persist, etc.) continue to operate
> unchanged alongside pk-01.
okay, but I still think this is the wrong direction.
I think that what you are proposing is useful, but it's a fundamental change
to ACME, and should be treated that way.
>> Replacing the CSR with something better, something that can deal with
>> keys that can't make signatures (either do to math or policy) is
>> important. I had proposed work like this if/when we start RFC7030bis.
> We share this motivation. KEM-key support is in fact one of the
> primary reasons for a dedicated PoP mechanism rather than relying on
> the CSR self-signature, which is impossible for KEM-only keys. -07
> supports ML-KEM-512/768/1024 via a Decapsulate + HKDF + HMAC PoP — see
> Section 5.2 (KEM PoP construction) and Section 5.4 (KEM algorithm
> registry).
Then, let's fix/replace CSR.
>> The ACME server should simply announce the set of POP methods that it
>> can support, with CSR being the default. I don't think a new challenge
>> method is the correct way to negotiate this.
> This is the one architectural point where we've taken a different
> direction, following the chair's earlier guidance and the model that
> ACME has consistently used: challenges bound to identifier types
> (dns-01 for dns, http-01 for dns-via-http, onion-csr-01 for onion,
> etc.). -07 introduces a "pk" identifier type and a pk-01 challenge
> bound to it, which keeps the architecture modular and aligned with how
> the working group has handled similar extensions.
I think the chairs are wrong here :-)
I don't think this is a good direction to go, because I don't think your
needs are not the same as, for instance, .onion.
--
Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
** My working hours and your working hours may be different. **
** Please do not feel obligated to reply outside your normal working hours **
- [Acme] Call for adoption: draft-geng-acme-public-… Mike Ounsworth via Datatracker
- [Acme] 回复:Call for adoption: draft-geng-acme-publ… 皮皮猪
- [Acme] Re: Call for adoption: draft-geng-acme-pub… Liuchunchi(Peter)
- [Acme] Re: Call for adoption: draft-geng-acme-pub… Michael Richardson
- [Acme] Re: Call for adoption: draft-geng-acme-pub… Ilari Liusvaara
- [Acme] Re: Call for adoption: draft-geng-acme-pub… palos.chen
- [Acme] Re: Call for adoption: draft-geng-acme-pub… Michael Richardson
- [Acme] Re: Call for adoption: draft-geng-acme-pub… Lijun Liao
- [Acme] Re: Call for adoption: draft-geng-acme-pub… Ilari Liusvaara
- [Acme] Re: Call for adoption: draft-geng-acme-pub… 皮皮猪
- [Acme] Re: Call for adoption: draft-geng-acme-pub… Mike Ounsworth
- [Acme] 回复:Re: Call for adoption: draft-geng-acme-… 皮皮猪
- [Acme] Re: Call for adoption: draft-geng-acme-pub… Mike Ounsworth