[Acme] ACME discovery drafts looking for an author
Mike Ounsworth <Mike.Ounsworth@entrust.com> Thu, 20 March 2025 09:27 UTC
Hi ACME,

As I said during ACME today, I have a pair of (expired) drafts that I can no longer continue to put time and effort into. They are looking for a new lead author. FREE TO A GOOD HOME!

They are:

draft-vanbrouwershaven-acme-auto-discovery
draft-vanbrouwershaven-acme-client-discovery

The idea of the drafts is:

acme-auto-discovery: What if your website is hosted by a cloud hosting provider and their UI only gives you two options for where to get a certificate for your website: A) use the CA of the cloud provider's choice over ACME, B) upload a PEM file. The first means that you have no ability to manage that certificate, control which clients can request that certificate, manage how many copies of that certificate get issued, or revoke that certificate. It also becomes very difficult to monitor CT logs for abuse of your website since you have no visibility into which cert requests were made on your behalf. This also leads to lack of CA diversity since many cloud hosters use the same small number of CAs. Option B) "upload PEM file" is going to become an extinct species with the push to 45-day certificates and beyond. This draft provides a mechanism where you can put in your website's CAA DNS record (although maybe SRV would be better?) the URL and CA Account info for where you would like the ACME client to go to retrieve a cert for your domain.

acme-client-discovery: If, using the above mechanism, you wish to configure at your CA an allow-list of ACME clients that may request certs for your domain, how would you do it? The obvious way is to configure an allow-list of ACME Client public keys; however, a naïve approach here would lock in keys such that hosting providers cannot rotate ACME client keys or add new ACME clients. This draft registers a .well-known URI at which a hosting provider can publish the set of public keys that belong to its ACME clients. Essentially, a level of abstraction for allow-listing ACME clients that may request certificates against your CA account.

These drafts have had some design team iterations and are fairly mature, but will require some effort to get them through adoption and WGLC. If you think these problems are worth solving, these drafts can be yours free-of-charge! I would be happy to stay on either as a secondary author or document shepherd, but I can no longer dedicate time to advancing them.

---
Mike Ounsworth
Software Security Architect, Entrust
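The two mechanisms the post describes, sketched as an added Python example that is not from the drafts or their author: a CA reading the account binding out of a domain's CAA record, and a CA-side allow-list check against the key set a hoster publishes, keyed by JWK thumbprint so rotation only requires republishing. The `accounturi` CAA parameter is the one RFC 8657 defines; the record layout, the key-set shape and the key material are constructed assumptions.

```python
import base64
import hashlib
import json

# Constructed sample CAA records for example.com (not from the drafts). The
# "issue" value names the chosen CA and, via RFC 8657's accounturi parameter,
# the ACME account the domain owner wants certificates issued under.
CAA_RECORDS = [
    'example.com. CAA 0 issue "ca.example.net; accounturi=https://ca.example.net/acme/acct/1234"',
    'example.com. CAA 0 issue "other-ca.example"',
]

# Constructed sample of what a hoster would publish at its .well-known URI:
# a JWK set of its ACME client keys (sample coordinates, not a live key).
HOSTER_KEY_SET = {"keys": [
    {"kty": "EC", "crv": "P-256",
     "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
     "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"},
]}

def parse_caa(records):
    """Return (issuer, params) for each 'issue' record; params come from ';'-separated key=value pairs."""
    out = []
    for rr in records:
        flags, tag, value = rr.split(" CAA ", 1)[1].split(" ", 2)
        if tag != "issue":
            continue
        parts = [p.strip() for p in value.strip('"').split(";")]
        params = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        out.append((parts[0], params))
    return out

def discover_account(records, ca_domain):
    """Auto-discovery from the CA's side: the account URI the domain binds to this CA, if any."""
    for issuer, params in parse_caa(records):
        if issuer == ca_domain:
            return params.get("accounturi")
    return None

def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the required members in canonical JSON form."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def client_allowed(client_jwk, key_set):
    """Allow-list check by thumbprint: the hoster rotates keys by republishing the set, not by asking the CA to re-pin."""
    published = {jwk_thumbprint(k) for k in key_set["keys"]}
    return jwk_thumbprint(client_jwk) in published
```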