
Minutes IETF113: acme
minutes-113-acme-01

Document: Meeting Minutes, Automated Certificate Management Environment (acme) WG
Date and time: 2022-03-21 12:00
Title: Minutes IETF113: acme
State: Active
Last updated: 2022-03-24


Automated Certificate Management Environment (acme)

IETF 113, Monday, 21 March 2022, 1300-1400 CET (1200-1300 UTC)

Notes: https://notes.ietf.org/notes-ietf-113-acme

Minutes: https://datatracker.ietf.org/doc/minutes-113-acme/

MeetEcho: https://meetings.conf.meetecho.com/IETF113-ACME-20220321-1200

YouTube: https://www.youtube.com/watch?v=g11bCfSfmIU

Jabber: xmpp:acme@jabber.ietf.org
https://jabber.ietf.org/jabber/logs/acme/2022-03-21.html

Agenda

Minutes

  • Document Status

    • ACME Authority Token + ACME Authority Token TNAuthlist
      • Still waiting on the "Revised ID Needed"
      • No authors online (Mary is online, but no audio)
      • Deb will ping Jon after the meeting
    • DTN Node ID
      • New version posted recently
      • Presentation today
    • ACME Client
      • No updates since IETF 112
      • Supply chain security, SBOMs, and Sigstore are driving some upcoming updates
    • ACME Renewal Information
      • Some conversations on list since last IETF
      • No new draft yet, not yet a WG document, presentation today
    • ACME Integrations
      • New version (-06) in December
      • Ready for last call?
    • ACME Subdomains
      • New version (-02) in March
      • Ready for last call?
  • DTN Node ID

    • Presenter: Brian Sipos
    • Latest draft (-09) published recently
    • Referenced DTN documents are now published RFCs
    • Changes since -06:
      • Separates tokens from challenge identifiers, now very similar to RFC 8823
      • Added key authorization digest algorithm agility
      • Various typos and editorial comments
    • The COSE Hash Algorithms document referenced for digest agility is not yet published
    • Requesting WG read and review prior to April 1. Several people in the room agreed to review.
  • ACME ARI Extension

    • Presenter: Aaron Gable
    • Draft -02 is not yet published, will publish shortly after IETF 113 adjourns.
    • Path construction:
      • Base path is still contained in directory
      • Remainder is now the base64url encoding of the DER-encoded CertID ASN.1 structure, with trailing "=" padding stripped (similar to how the CertID in an OCSP request is constructed, but without extensions)
      • Server responses haven't changed since the previous version.
    • New functionality for updating Renewal Information.
      • POST-as-GET to the renewalInfo base URL
      • Body contains base64url-encoding of DER-encoding of CertID
        • Similar to how ACME revocation requests are sent
      • Also contains metadata (see question below)
      • Request MUST be signed by the original Subscriber's key
        • No choices of keys as in ACME revocation
      • Allows ACME server to:
        • Revoke replaced certs early if necessary
        • Avoid sending unnecessary renewal reminder notifications
        • Send empty renewalInfo responses for replaced certs
    • MR: Might need to have information about which new certificate replaced an old one? So not an empty body HTTP response then?
      • Yes, considering including serial (or CertID?) of replacement cert in POST-as-GET metadata
      • This could include the serial of the replacement cert
    • Open question: ExplanationURI in renewalInfo response?
      • Might provide value for certificate status monitoring services
      • Likely to be included in future draft
    • YN: Do you want to standardize ExplanationURI content type?
      • No, it is supposed to be human readable
    • YN (as chair): what are your plans regarding the document? Do you want WG adoption?
      • (Yoav explains the process, giving up change control, etc.)
      • YN: we will do adoption after the IETF week
      • DC: let's do this once you publish -02
  • ACME Integrations

    • Presenter: Rifaat Shekh-Yusef
    • Just editorial since version -05:
      • Use DNS terminology consistently
      • Added missing acronyms
      • Clarified protocol vs server vs CA terminology
    • Some minor edits still upcoming
    • Asking for WG last call
  • ACME Subdomains

    • Presenter: Michael Richardson
    • This document is new-ish, but was split out of the Integrations doc
    • Edits since version -02:
      • Fixed DNS and CA terminology
      • Updated JSON field names
      • Added clarifying text in examples
    • "domainNamespace" --> "subdomains"
    • Some minor edits still upcoming
    • Asking for WG last call
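The ARI path construction and POST-as-GET body described under "ACME ARI Extension" above, as an added example that is not part of these minutes or of the draft's own code. It assumes CertID is the OCSP CertID of RFC 6960 (the minutes compare it to an OCSP request) hashed with SHA-256; the issuer name, issuer key and serial are constructed sample values, and the renewalInfo base URL is taken from the directory as the minutes state.

```python
import base64
import hashlib

SHA256_OID_DER = bytes.fromhex("0609608648016503040201")  # OID 2.16.840.1.101.3.4.2.1
SAMPLE_NAME_DER, SAMPLE_KEY = b"constructed-issuer-name", b"constructed-issuer-key"  # not from a real CA

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body  # long form: 0x80|byte-count, then big-endian length

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(value):
    # Serials are positive (RFC 5280); the extra byte keeps a set top bit from reading as a sign
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def cert_id_der(issuer_name_der, issuer_key_bytes, serial):
    # OCSP CertID (RFC 6960): hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber
    alg = der_tlv(0x30, SHA256_OID_DER)  # AlgorithmIdentifier, parameters omitted
    name_hash = der_tlv(0x04, hashlib.sha256(issuer_name_der).digest())
    key_hash = der_tlv(0x04, hashlib.sha256(issuer_key_bytes).digest())
    return der_tlv(0x30, alg + name_hash + key_hash + der_int(serial))

def ari_segment(cert_id):
    # Appended to the directory's renewalInfo base URL; the same string is the POST-as-GET body
    return base64.urlsafe_b64encode(cert_id).decode("ascii").rstrip("=")

def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_ari_segment(segment):
    # Server side: restore the stripped padding, decode, and insist on one well-formed CertID
    raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    tag, seq, end = _read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("segment is not a single DER SEQUENCE")
    pos, out = 0, []
    for want in (0x30, 0x04, 0x04, 0x02):
        tag, content, pos = _read_tlv(seq, pos)
        out.append(content if tag == want else None)
    if None in out or pos != len(seq):
        raise ValueError("malformed CertID")
    return out[0], out[1], out[2], int.from_bytes(out[3], "big")
```

A client builds the request URL as the directory's renewalInfo base URL plus "/" plus ari_segment(...); a server decodes the segment with parse_ari_segment and looks the certificate up by the returned hashes and serial.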