* WGs marked with an * asterisk has had at least one new draft made available during the last 5 days

Acme Status Pages

Automated Certificate Management Environment (Active WG)
Sec Area: Eric Rescorla, Kathleen Moriarty | 2015-Jun-26 —  
Chairs
 
 


IETF-99 acme minutes

Session 2017-07-21 0930-1130: Athens/Barcelona - Audio stream - acme chatroom

Minutes

minutes-99-acme-01 minutes



              1. draft-ietf-acme-acme
          
              The draft passed a second WGLC and has gone for IESG review. There are
          some minor editorial issues. No further work is expected.
          
              2. draft-ietf-acme-caa
          
              There was no presenter or slides. The CAA draft says what
              authentication
          mechanisms are available. It could also be used for non-acme mechanisms
          (eg
          browser CAs). That would mean maintaining a registry of tokens for
          authentication mechanisms and co-operation with the CA/B Forum. It
          is looking
          at improving its authentication stuff and would probably be
          receptive. CA/B
          Forum seems to lack focus though: might need them to commit to a
          deadline. The
          CA/B Forum has concerns that new baseline requirements will be backwards
          compatible.
          
              There was a unanimous hum for a solution that does acme and non-acme
              auth
          methods.
          
              3. draft-ietf-acme-star
          
              The draft discusses auto-renewal mechanisms. It's not clear what
          should be done when the certificate life and the Expire: header disagree.
          Perhaps an absolute date could be used for killing the certificate even
          if an
          acme client is renewing/refreshing lookups. Certificate revocation
          issues are
          not yet fully worked out. It was suggested acme certificates could
          use three
          values: is available from/is available until/drop dead date for automated
          renewal.
          
              A new version of the draft should be done for IETF100 and would
              probably
          go for WGLC.
          
              draft-ietf-acme-star-request
          
              This related draft was not discussed. It will probably get adopted
              as a WG
          document at a future meeting.
          
              4. draft-ietf-acme-telephone
          
              Jon Peterson's slides are here:
          
              https://www.ietf.org/proceedings/99/slides/slides-99-acme-stir-tns-for-acme-00.pdf
          
              Endpoints could have authentication tokens, though it's more likely to
          be the intermediary (SIP proxy, SBC, etc) that holds these. Jon was/is
          trying
          to be neutral on how these tokens would be stored and accessed. Current
          thinking in the telco world is these would be in a database owned,
          operated
          and controlled by the telco responsible for the number (block). An
          ENUM like
          solution would be an obvious approach since both E.164 numbering and
          domain
          names use hierarchical name spaces. However telcos seem to be hostile to a
          DNS-based approach.
          
              5. draft-ietf-acme-service-provider
          
              Mary Barnes's slides are here:
              https://datatracker.ietf.org/meeting/99/materials/slides-99-acme-acme-identifiers-and-challenges-for-voip-service-providers
          
              The draft's been updated to account for the service provider code
          token used by SHAKEN (signature-based handling of asserted information
          using
          token), the specification adopted by two US telco bodies, ATIS and the SIP
          Forum. Richard Barnes suggested this could become a generic identification
          mechanism, not just for phone number sand SIP addresses.
          
              6. draft-ietf-acme-email-smime and draft-ietf-acme-email-tls
          
              Alexey Melnikov's slides:
              https://datatracker.ietf.org/meeting/99/materials/slides-99-acme-acme-for-email-services
          
              Alexey said there's a demand for authenticating IMAP(S) servers. The
          WG didn't have a clear consensus for any of the three options he proposed.
          There was some objection to using a Service Name Indication in TLS. He
          agreed
          to drop that and continue with the options of using DNS SRV records (or
          similar) to specify the protocol and port number or adding extensions
          to SMTP
          and IMAP.
          
              The WG noted Alexey's optimism for S/MIME. He claimed it is more
          widely deployed than most people realise. Some Outlook users are forced
          to use
          S/MIME.
          
              7. Recharter discussion
          
              This was over in a few seconds. AD Kathleen Moriarty said the
              WG should
          just update its milestones and charter and then inform the IESG. The
          WG did
          not seem to want or need a long debate over what the revised milestones
          and
          charter should be. The WG co-chairs will probably be responsible for
          updating
          these and getting WG consensus.
          
              8. AOB
          
              Someone asked if CAs would issue ACME-based certificates for
              acme. Richard
          Barnes said Digicert was still trying to work out what to do. They were
          interested in principle.
          
              Yoav Nir has replaced Ted Hardie as co-chair now that Ted has been
          appointed to the IAB.
          
          



Generated from PyHt script /wg/acme/minutes.pyht Latest update: 24 Oct 2012 16:51 GMT -