Session Date/Time: 25 Jul 2023 00:30
acme
Summary
This meeting covered the status of several ACME-related drafts, including acme-onion, the DNS account challenge, and ARI. Presentations were given on these drafts and on a new proposal for ACME server discovery. Key discussion points included security considerations, client adoption, and potential next steps for each draft.
Key Discussion Points
- DNS Account Challenge:
  - The draft's use of the KID value to derive a unique DNS record lookup key was discussed.
  - Concerns were raised that the draft is complex to support because there is no clear account URI.
  - Whether the ACME challenge label should get an additional label to its left, to make zone management easier.
  - The CA/Browser Forum Baseline Requirements were discussed in the context of the design.
- ARI (ACME Renewal Info):
  - Significant client adoption was reported, along with increased use of the endpoint.
  - Open questions: simplifying the OCSP cert ID, reducing request volume with batch endpoints, and using a single timestamp instead of a renewal window.
- acme-onion:
  - The draft has been adopted and reference implementations exist.
  - Why HTTPS certificates are desired for Tor hidden services.
  - Security considerations of HTTP-01 challenges over onion services were discussed, specifically potential unexpected properties and malicious exit nodes. It was confirmed that exit nodes are not a factor for hidden services.
  - Tooling to verify CA implementations was suggested, including test cases with intentionally broken hidden service descriptors.
- ACME Auto Discovery:
  - The problem addressed is letting domain owners specify their preferred CA for public domains hosted on public cloud providers.
  - The draft proposes using CAA records to automate discovery of the domain owner's preferred CA.
  - DNSSEC, poisoning of DNS requests and CAA records, and the mitigations available were discussed.
  - Whether the draft is client-focused or server-focused.
  - Debate about Terms of Service, and whether an auto-discovery tool is needed.
Decisions and Action Items
- DTN Node ID Validation Extension: Contact Brian Sipos to determine the plan for the draft, which is currently stuck.
- Draft Tier Issue: R. Barnes, R. Salz, and Roman to talk after the meeting to determine where to go with the drafted tier.
Next Steps
- DNS Account Challenge: Continue the discussion with the DNSOP working group and explore potential modifications to the CA/Browser Forum Baseline Requirements.
- ARI: Address the open questions on OCSP cert ID simplification, batch endpoints, and simplifying renewal logic.
- acme-onion: Implement the draft in Certbot and gather more feedback from implementers.
- ACME Auto Discovery: Discuss adoption of the draft on the mailing list, along with the updated draft objectives and an adoption call.