Re: [Acme] Fwd: New Version Notification for draft-sweet-iot-acme-04.txt

Carl Wallace <> Wed, 30 August 2023 14:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C7FC3C151547 for <>; Wed, 30 Aug 2023 07:02:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id o6tA-SOmLK6b for <>; Wed, 30 Aug 2023 07:02:50 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::22d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by (Postfix) with ESMTPS id 8E2FEC15153F for <>; Wed, 30 Aug 2023 07:02:46 -0700 (PDT)
Received: by with SMTP id 5614622812f47-3a741f46fadso3839925b6e.0 for <>; Wed, 30 Aug 2023 07:02:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; t=1693404165; x=1694008965;; h=mime-version:in-reply-to:references:thread-topic:message-id:to:from :subject:date:user-agent:from:to:cc:subject:date:message-id:reply-to; bh=ipJUvU5PQJiA0yVpshsUJU8oxZPLNgsRNActm503Ags=; b=FAsJccWlDV3vg2KxtgnLwKNJNntamaE+y3NkCO5qEf9Ic0b6FfBFvvZiH68Rk8tcNq 5rVZG9iIi9m7G7slMEwQGaLAFt0Iw9AR4sjWehcwmmSQRCgc0bNFVwgFAAjMRvPEq7Lr vIbKGCyuldajWIKh71NjQ0aRH+x0+uoJZiVVU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20221208; t=1693404165; x=1694008965; h=mime-version:in-reply-to:references:thread-topic:message-id:to:from :subject:date:user-agent:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=ipJUvU5PQJiA0yVpshsUJU8oxZPLNgsRNActm503Ags=; b=TqjndOJ5gCwsfKyFSUl9ql21mlE1AgWBdxzBys3QlepTrFl+vQ3oDKwg7nNXow7z/x i2o7YafEpq+2qjA4ymU6hsTtHHGwQZI0J5cgeXA2Tr8fKilQjgEMO71xgWqCEDnuw80b VQv5YIbvg249NrtjzIrI4O6msA39z2sLl3KDmP8RlA8vupRRQQb6XL3CqArZ9McLY2Xn WnlymW8Lgz2cD/MM/XQ8HWHWR40HX3PAVVzglQxk1u3wd9Lq6ikTmn7/7E2xqcgKQ+ff 6pV19m4A9CtYNL1z5EjzQWpPrM3CJv2hZ6Za4Stb1EfSBnfEahauPtq84uGc4qhzEsGm i8yg==
X-Gm-Message-State: AOJu0YzkjF5wfw47Skydh20Cgg7bj9hufP4Bg/SNQkctek3TfRMsIJE5 9/MGFsjseRryz0uvB5dSKDgUdg==
X-Google-Smtp-Source: AGHT+IEsuIYFgZHvr33lOTgn2h29bUGRjZXquITUe15fpLTsq6Uz3d1i5N4ZDyUQpEZ54eWEsYsSrA==
X-Received: by 2002:a05:6808:308d:b0:3a7:6224:8424 with SMTP id bl13-20020a056808308d00b003a762248424mr2666429oib.56.1693404165070; Wed, 30 Aug 2023 07:02:45 -0700 (PDT)
Received: from [] ([2600:100a:b029:be38:5580:8241:3eb2:d1d1]) by with ESMTPSA id u12-20020a056808150c00b003a747ea96a8sm5576915oiw.43.2023. (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 30 Aug 2023 07:02:44 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/16.76.23082700
Date: Wed, 30 Aug 2023 09:02:42 -0500
From: Carl Wallace <>
To: Michael Sweet <>, IOTOPS Working Group <>,, PWG IPP Workgroup <>
Message-ID: <>
Thread-Topic: [Acme] Fwd: New Version Notification for draft-sweet-iot-acme-04.txt
References: <> <>
In-Reply-To: <>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3776230964_419419817"
Archived-At: <>
Subject: Re: [Acme] Fwd: New Version Notification for draft-sweet-iot-acme-04.txt
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 30 Aug 2023 14:02:54 -0000

Here are a few comments and questions:


Section 3.2.1 says root certificates "MUST contain subjectAltName extensions for ".local" and the local domain name(s), and MAY contain subjectAltName extensions for the current IP address(es) of the server." Section 3.3 says "Client Devices MUST NOT use ".local" host names or IP addresses to validate the CA certificate since those values are not unique." These statements appear to be in conflict. Re: 3.2.1, should there be a similar section for an intermediate CA or is the root expected to issue all certificates?


The MUST in section 4.5 seems like it should be split into a SHOULD for revocation and a MUST for re-issuance. The current text has a MUST for revocation or re-issuance.


Section 4.7 requires revocation of all certificates with an old name when its name changes. Is it necessarily the case that the appropriate local ACME server will be available to revoke the certificates? What should be done if it’s not?


In Section 4.9 what does "Client Devices MUST separately track and validate the root X.509 certificate for each local ACME Server" mean? Does this mean relative to TOFU, checking self-signed signature and SAN, or something else? The draft intimates there is a separate trust anchor store per network. If this is intended, it may be worth stating.


From: Acme <> on behalf of Michael Sweet <>
Date: Wednesday, August 2, 2023 at 11:08 AM
To: IOTOPS Working Group <>, <>, PWG IPP Workgroup <>
Subject: [Acme] Fwd: New Version Notification for draft-sweet-iot-acme-04.txt




This version addresses the feedback I've received since IETF-116, namely:


- Using the ACME server's root certificate as the network identifier

- Highlighting where/how this fits with secure network connection

- Clarifying the trust model

- Adding security considerations WRT key material


As always, feedback and questions are appreciated!


Begin forwarded message:



Subject: New Version Notification for draft-sweet-iot-acme-04.txt

Date: August 2, 2023 at 12:01:54 PM EDT

To: "Michael Sweet" <>


A new version of I-D, draft-sweet-iot-acme-04.txt
has been successfully submitted by Michael Sweet and posted to the
IETF repository.

Name:                   draft-sweet-iot-acme
Revision:              04
Title:                      ACME-Based Provisioning of IoT Devices
Document date:                2023-08-02
Group:                  Individual Submission
Pages:                   13

  This document extends the Automatic Certificate Management
  Environment (ACME) [RFC8555] to provision X.509 certificates for
  local Internet of Things (IoT) devices that are accepted by existing
  web browsers and other software running on End User client devices.

The IETF Secretariat


Michael Sweet


_______________________________________________ Acme mailing list