Minutes IETF111: acme
minutes-111-acme-02
| Meeting Minutes | Automated Certificate Management Environment (acme) WG |
|---|---|
| Date and time | 2021-07-30 21:30 |
| Title | Minutes IETF111: acme |
| State | Active |
| Last updated | 2021-08-05 |
ACME WG at Virtual IETF 111

Agenda

- Note Well, technical difficulties and administrivia – 5 min
- No agenda bashing

Document Status (chairs) – 10 min

- Extensions to ACME for End-User S/MIME Certificates
  - Published in April (RFC 8823)
- ACME Profile for Generating Delegated Certificates
  - Through IETF LC, directorate review, IESG review
  - In RFC Editor's queue
- ACME Challenges Using an Authority Token
  - AD review in October 2020
  - New version in July
  - Some additional comments from the AD; authors stated that they will address them.
- TNAuthList profile of ACME Authority Token
  - Submitted to IESG last August
  - Waiting for the Challenges draft to be complete
- ACME DTN Node ID Validation Extension
  - Through WGLC, submitted to IESG, Roman reviewed, changes required
- ACME Integration
  - -04 posted
  - Few comments at WGLC; needs more review
- ACME for Subdomains
  - Version -05, not yet adopted
  - Will take the adoption call to the list.
- ACME Extension for Single Sign On Challenges
  - -01 published
  - Not much discussion on list

Presentations:

https://datatracker.ietf.org/doc/draft-ietf-acme-integrations/ (Friel, Shekh-Yusef, Richardson) – 10 minutes

- Owen Friel presented
- Describes how ACME can be integrated with multiple existing clients
- Added ACME Integration Considerations section, consolidated existing id-kp-cmcRA guidance into this section, in addition to other updates
- Didn't get enough review in WGLC; feedback needed
- Russ Housley volunteered to review
- Deb: latest version answers all my comments

https://datatracker.ietf.org/doc/draft-friel-acme-subdomains/ (Friel, Barnes, Hollebeek, Richardson) – 10 minutes

- Owen Friel presented
- Single authentication against an Authorized Domain Name, then request multiple certs for identifiers in the Domain Namespace without having to perform any authorizations per subdomain
- Editorial changes, clarified edits
- Aligned terminology with CA/B
- Added information on pre-authorization handling and new order handling
- Example protocol enhancements included on slides 4 and 5
- Updates address feedback from last version
- Asking WG for adoption, as well as feedback on the protocol changes made in this version
- Show of hands: how many people have read this draft? 7 people; Yoav says that is a good number
- Deb points out that there are 4 authors
- Yoav: 3 additional reviewers is nice
- Owen: it's at least 5 reviewers, I did not raise my hand and another author isn't there.
- MCR in chat: I did raise my hand
- Roman in chat: confirm on list to make it a working group draft

Where do we go from here? (chairs) – 15 minutes

- Yoav: this group is low energy (surely we all are at this point in the week, but documents get little review)
  - Unlikely to run out of people who want tweaks, novel use cases, but there is little adoption/interest beyond the web use case covered in the base doc
  - Question to the group: is it worth continuing as a working group?
- MCR: you are right, things have been slow. Reluctance to engage because things are slow and there are many conflicts. Recommend virtual interims to have fewer schedule conflicts.
  - Start asking if small extensions require IANA action? If not, might not need to standardize around them; folks can just implement them.
  - Leave the working group alone for a year, see how it goes.
- Yoav: norm is to close and reopen if there is new work
- Kathleen Moriarty: I asked for my work to go to WGLC, chairs agreed, nothing happened for a year. It had enough reviews. These actions have to occur to keep energy up. I would like an answer.
- Roman: I like the questions Yoav asked, interested in more feedback. Also want to ask: are there latent extensions folks would like to do? We can batch them up, get them listed, bring energy back up.
- Aaron Gable: we at Let's Encrypt have been less active due to turnover. Need to revoke over 200 M certs at once, which is an issue. This is my first time here, but I plan to have a draft in progress to present to IETF 112.
- Yoav: can talk about the draft at an interim meeting?
- Aaron: absolutely
- PHB: tail-offs are intrinsic to security work, because you are never done with security. Have to accept that this is the way things are. We should address this as a Security Area by standing up a maintenance working group.
- Yoav: first ACME draft was the one everyone was interested in; follow-up drafts were more and more niche
- PHB: that might stem from a misunderstanding about what certs are. People think of them as server certs, not organizational/domain/individual mail certs.
- Roman: let's schedule a virtual interim between now and Nov, figure out what additional scope might be, no draft required (don't set the bar too high). Do we stay open to do maintenance, and what is the timer on that? If we have new work, what will it take to reason about that new scope?
- Deb: will this change when the post-quantum algorithms come out?
- Yoav: I think not, we don't consider algorithms in ACME. Use TLS, use whatever algs are available in TLS. I don't think that is changing, but I could be wrong.
- Roman: we can bring that to the discussion
- Deb: we have things to finish, we can at least work on those things
- Roman: definitely won't close the working group out until open drafts are clear
- Aaron: energy issue is an IETF-wide thing, not only ACME. I didn't volunteer to read drafts because I don't know the process. New people like me might need to better understand how things work; we don't have resources to tell us how things work at IETF.
- Yoav: might be a casualty of COVID

Open Mic/AOB

- Roman: providing a date for us to have more ideas would help
- Yoav: late September, early October is a good time for an interim
- Deb: chairs have actions:
  - Subdomain doc needs to be a working group doc
  - Advance Kathleen's draft
  - Schedule virtual interim
- Deb: when we schedule November, we need to be mindful of conflicts
- Yoav: more simultaneous sessions in virtual meetings mean more conflicts
- MCR: you can attend multiple meetings at the same time virtually, though (maybe mcr can, lol)
- MCR: How do we connect to devices on your local LAN that we need certs for? There is an IoT [which standards body] that thinks ACME is the way to do this. Maybe it is, maybe it isn't. We need to look at it.
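The subdomains presentation above describes one authorization against an Authorized Domain Name that then covers orders for identifiers inside that Domain Namespace. The scoping decision a CA makes at order time is where such a design is most easily got wrong, so the following added example (not code from these minutes, from the draft authors, or from any CA) shows the check done correctly beside the tempting string-suffix version that wrongly accepts `evilexample.com` under an authorization for `example.com`. The `DomainAuthorization` record, its `covers_subdomains` flag, the function names and all sample names are assumptions made for this illustration; the draft's own field names are not quoted here.

```python
"""Scope check for ACME orders against a parent-domain authorization.

Added illustration. The parent-domain idea follows the subdomains draft
discussed in the minutes; every name and data shape below is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DomainAuthorization:
    """Assumed, simplified record of a valid ACME authorization for a DNS
    identifier. 'covers_subdomains' stands in for a per-authorization flag
    saying the CA validated the whole namespace, not just the exact name."""
    domain: str
    covers_subdomains: bool = False


def normalize(name: str) -> str:
    """Canonicalize a DNS name: lowercase, drop one trailing dot, and reject
    empty labels or wildcards so malformed input cannot widen a match."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    if not name or "*" in name or any(label == "" for label in name.split(".")):
        raise ValueError(f"unsupported or malformed DNS name: {name!r}")
    return name


def naive_suffix_check(identifier: str, authorized: str) -> bool:
    """The tempting but wrong test: a bare string-suffix comparison. It lets
    'evilexample.com' ride on an authorization for 'example.com'."""
    return normalize(identifier).endswith(normalize(authorized))


def is_in_namespace(identifier: str, authorized: str) -> bool:
    """Correct test: the identifier is the authorized name itself or a
    subdomain of it on a label boundary (the separating '.' is matched)."""
    ident, auth = normalize(identifier), normalize(authorized)
    return ident == auth or ident.endswith("." + auth)


def covering_authorization(
    identifier: str, auths: List[DomainAuthorization]
) -> Optional[DomainAuthorization]:
    """Return the most specific authorization that covers the identifier.
    An authorization always covers its own exact name; it covers subdomains
    only when it was granted for the namespace."""
    ident = normalize(identifier)
    candidates = []
    for auth in auths:
        auth_name = normalize(auth.domain)
        if ident == auth_name:
            candidates.append(auth)
        elif auth.covers_subdomains and is_in_namespace(ident, auth_name):
            candidates.append(auth)
    if not candidates:
        return None
    # Longest authorized name wins, so an exact-name authorization is
    # preferred over a broader parent-domain one when both apply.
    return max(candidates, key=lambda a: len(normalize(a.domain)))


def plan_order(
    identifiers: List[str], auths: List[DomainAuthorization]
) -> Dict[str, Optional[str]]:
    """Map each requested identifier to the authorized domain that covers it,
    or None where the CA would have to run a fresh challenge first."""
    result: Dict[str, Optional[str]] = {}
    for ident in identifiers:
        auth = covering_authorization(ident, auths)
        result[normalize(ident)] = normalize(auth.domain) if auth else None
    return result


if __name__ == "__main__":
    # Constructed sample: one parent authorization granted for the whole
    # namespace, plus one authorization valid for an exact name only.
    auths = [
        DomainAuthorization("example.com", covers_subdomains=True),
        DomainAuthorization("exact.example.net", covers_subdomains=False),
    ]
    requested = ["www.example.com", "API.example.com.", "example.com",
                 "evilexample.com", "exact.example.net", "deep.exact.example.net"]
    for name, by in plan_order(requested, auths).items():
        print(f"{name:28} -> {by or 'new authorization required'}")
```

The point worth keeping from this: the only difference between the broken and the correct check is whether the label separator is part of the match, and the most-specific-wins rule keeps an exact-name authorization from being silently widened by a parent one.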