[Acme] Re: ACME and PLANTS
Michael Richardson <mcr+ietf@sandelman.ca> Fri, 13 March 2026 22:17 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: acme@mail2.ietf.org
Delivered-To: acme@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 49C82C990A9C for <acme@mail2.ietf.org>; Fri, 13 Mar 2026 15:17:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.8
X-Spam-Level:
X-Spam-Status: No, score=-2.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6AXI1YhUfauu for <acme@mail2.ietf.org>; Fri, 13 Mar 2026 15:17:09 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 9F295C990A94 for <acme@ietf.org>; Fri, 13 Mar 2026 15:17:09 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 0ACA01800E; Fri, 13 Mar 2026 18:17:09 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavis, port 10024) with LMTP id p5lYt2eaKuLD; Fri, 13 Mar 2026 18:17:07 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1773440227; bh=uCta9zA8M8/EqRZJxk03fvlshYCvCbY9cFCOphB6xhQ=; h=From:To:Subject:In-Reply-To:References:Date:From; b=qo2dZMGfaxMx/NYMVZbs6qxsPbMga6Om1sweSwW2R2X50K6oxJVbXT5PfNOTQqhLM QQy6K+H8FECSrf6cW/N2X5N//UZEpDvwbhQBAD/CRmX63BrcT6Cu1WUnPC08ybvxsT oPvpEfjE6+5HBWX9c8wXLeRP3twe+5aibxZ4e55Xx045Djy+bdXIy58NQjm0vPvnpu ulIYyRfihVkEG5v/+IPtsmH2uoVH35WEBLVjMf26eiZYu5khmpKQBlNG8Ln7TYpv79 4LzcWAe+LhxvshOsH3mAsF5heEEawdsbGAC8cO8LHlqUsMY3LmGvU1e1fnrM/UeJlS CdQDcWeUNbF4Q==
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 84ADA1800D; Fri, 13 Mar 2026 18:17:07 -0400 (EDT)
Received: from obiwan.sandelman.ca (obiwan.sandelman.ca [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 7B036182; Fri, 13 Mar 2026 18:17:07 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Ilari Liusvaara <ilariliusvaara@welho.com>, IETF ACME <acme@ietf.org>
In-Reply-To: <abQOXHRLvxL8H6zG@LK-Perkele-VII2.locald>
References: <CAF8qwaApZbT5C1q3-g5yTPxYJTuJeZqMgb=_Gu=hqYRnrtiJkA@mail.gmail.com> <abMdm49TFzXz5K4H@LK-Perkele-VII2.locald> <CAF8qwaCfV8G52oGMbuktBZ_-mvmaPghD5Zi_eZpdrad_+E3R4Q@mail.gmail.com> <abQOXHRLvxL8H6zG@LK-Perkele-VII2.locald>
X-Mailer: MH-E 8.6+git; nmh 1.8+dev; Emacs 30.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0;<'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Fri, 13 Mar 2026 18:17:07 -0400
Message-ID: <6243.1773440227@obiwan.sandelman.ca>
Message-ID-Hash: XT7RCJ7ZSBX5Q3ZDTCBGA3AB6BYB62MD
X-Message-ID-Hash: XT7RCJ7ZSBX5Q3ZDTCBGA3AB6BYB62MD
X-MailFrom: mcr+ietf@sandelman.ca
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-acme.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Acme] Re: ACME and PLANTS
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/zkDbNVCNfKb1CBO3d1GL3TZWtME>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Owner: <mailto:acme-owner@ietf.org>
List-Post: <mailto:acme@ietf.org>
List-Subscribe: <mailto:acme-join@ietf.org>
List-Unsubscribe: <mailto:acme-leave@ietf.org>
Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
>> Yup. You can think of MTCs as "just" a very funny signature scheme for
>> signing certificates. So it's all flavors of picking which CA instance to
>> respond with, whether a MTC CA instance vs a traditional CA instance, or a
>> PQ CA instance vs an ECDSA CA instance.
> The X.509 code from TLS library I have written thinks MTCs are
> malformed. Extending that code to handle MTCs is not acceptable due to
> security concerns.
Do you prefer to have a different set of routines to process MTC PKIX then?
And the application level (or TLS level) has to be aware of the difference?
I can see lots of good reasons to do this long-term: a future steady state
where 5280 certicates do not exist, so one can get rid of that "legacy"
library code.
>> Then the server operator would glue it all together by arranging for the
>> ACME client to run on a cron job. And since that cron job both has access
>> to authentication and ACME state, the fact that ACME authenticates all its
>> URLs is not a huge deal.
> What if the authentication fails?
Huh? why would that occur. Seems broken, period.
How would you do account linkage over time?
>> A separate unauthenticated URL would suggest a
>> world where the server operator has a *separate* scheduled job that's have
>> the ACME account key, but does have read/write access to certificate state.
>> I assumed that doesn't currently exist and we may as well piggy-back off
>> the existing job schedulingn.
> Even if the job runs in the same process as certificate renewal,
> determining which ACME account key to use can be difficult.
That's seems like a limitation of the code, not something the protocol should
compensate for.
> If that ACME key even still exists. Some subscribers have nasty
> habit of erasing/revoking old ACME account keys for "security" reasons.
Uhm. "Doctor, it hurts when I shoot myself in the foot."
--
Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
- [Acme] ACME and PLANTS David Benjamin
- [Acme] Re: ACME and PLANTS Ilari Liusvaara
- [Acme] Re: ACME and PLANTS David Benjamin
- [Acme] Re: ACME and PLANTS Mike Ounsworth
- [Acme] Re: ACME and PLANTS Michael Richardson
- [Acme] Re: ACME and PLANTS Michael Richardson
- [Acme] Re: ACME and PLANTS David Benjamin
- [Acme] Re: ACME and PLANTS Ilari Liusvaara
- [Acme] Re: ACME and PLANTS Ilari Liusvaara
- [Acme] Re: ACME and PLANTS Michael Richardson
- [Acme] Re: ACME and PLANTS Aaron Gable
- [Acme] Re: ACME and PLANTS Ilari Liusvaara
- [Acme] Re: ACME and PLANTS Ilari Liusvaara
- [Acme] Re: ACME and PLANTS Aaron Gable
- [Acme] Re: ACME and PLANTS Ilari Liusvaara
- [Acme] Re: ACME and PLANTS Jacob Hoffman-Andrews
- [Acme] Re: ACME and PLANTS Seo Suchan
- [Acme] Re: ACME and PLANTS Aaron Gable
- [Acme] Re: ACME and PLANTS Michael Richardson
- [Acme] Re: ACME and PLANTS Ilari Liusvaara