Markdown Version | Session Recording
Session Date/Time: 20 Mar 2025 06:00
ACME
Summary
This ACME working group meeting covered several draft updates and new proposals. Key topics included ACME Renewal Information (ACME ARI), ACME profiles, the DTN Node ID identifier, the TMS update for DNS-based challenges, ACME RATS, JWT claim constraints for authority tokens, public key (pk-01) challenges, and a discussion of auto-discovery. Several drafts are nearing RFC status, and new work areas are being explored.
Key Discussion Points
- ACME ARI and Profiles (Aaron): ACME ARI is in the RFC Editor's queue. ACME Profiles has been deployed by Let's Encrypt and implemented by several clients without major issues; a call for adoption was suggested.
- ACME DTN Node ID (Brian): The RFC this draft depends on has been published as RFC 9713. The draft is ready and needs reconfirmation through a short working group last call.
- TMS Update (Roachern): A new draft was presented on securely updating the DNS resource records used by ACME DNS-based challenges, with 5G core networks as the motivating deployment. It introduces an OAM entity that configures both the ACME clients and the authoritative DNS servers. Discussion centered on access control for the updates, replay prevention, key rotation, and cleanup of challenge records once validation completes. Adoption was suggested, and several deployment models were discussed.
- ACME RATS (Peter): Updates to the ACME RATS draft were presented, focusing on endpoint security and attestation results. The challenge type was changed to device attest, and the evidence is now carried in Conceptual Message Wrappers (CMWs). The group discussed rethinking the design, specifically where attestation results should be placed (in the challenge versus in a post-finalize object). A monthly design team meeting will be set up.
- JWT Claim Constraints (Chris Wendt): A new authority token profile for JWT claim constraints was presented, intended for use with delegate certificates in the STIR context.
- Public Key Challenges: A draft was presented proposing a pk-01 challenge, in which the client proves control of the private key corresponding to a specified public key. Concerns were raised that a malicious ACME client could subvert the intended security model.
- Auto-Discovery (Mike): The expired auto-discovery drafts were discussed. The problem statement is that shorter certificate lifetimes make automation essential, and domain owners need a way to control which CAs their cloud providers use on their behalf. Mike is no longer working on the drafts and is looking for someone to take over as editor.
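To make the public key challenge discussion concrete, the following is an added illustration of a proof-of-possession exchange, not code from the pk-01 draft or from any ACME implementation, and the message format it uses is assumed (the draft's actual encoding is not described in these notes). The server issues a fresh random token bound to the thumbprint of the key it intends to certify; the client signs over the challenge type, token and thumbprint with the candidate private key; the server checks that the presented key is the one the challenge was issued for and that the signature covers exactly this challenge. The scenario function also exercises two failure modes a practitioner would want rejected: a client presenting a key it does not control, and a signature replayed against a later challenge. What such a challenge does not establish is who legitimately owns the key, which is the kind of gap the adoption discussion flagged.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
)

// PKChallenge is a hypothetical challenge object (assumed format): a server-chosen
// random token plus the thumbprint of the public key the client must prove control of.
type PKChallenge struct {
	Token         string
	KeyThumbprint string
}

// Thumbprint identifies a public key by the SHA-256 of its DER-encoded SPKI.
func Thumbprint(pub *ecdsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return base64.RawURLEncoding.EncodeToString(sum[:]), nil
}

// NewChallenge is the server side: a fresh 128-bit token, bound to the target key.
func NewChallenge(target *ecdsa.PublicKey) (PKChallenge, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return PKChallenge{}, err
	}
	tp, err := Thumbprint(target)
	if err != nil {
		return PKChallenge{}, err
	}
	return PKChallenge{Token: base64.RawURLEncoding.EncodeToString(raw), KeyThumbprint: tp}, nil
}

// signingInput binds challenge type, token and key thumbprint, so a signature
// cannot be reused for another challenge or another key.
func signingInput(c PKChallenge) []byte {
	h := sha256.Sum256([]byte("pk-01|" + c.Token + "|" + c.KeyThumbprint))
	return h[:]
}

// Respond is the client side: sign the challenge with the private key under test.
func Respond(priv *ecdsa.PrivateKey, c PKChallenge) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, signingInput(c))
}

// Verify is the server side: the presented key must be the one the challenge was
// issued for, and the signature must be over this exact challenge.
func Verify(pub *ecdsa.PublicKey, c PKChallenge, sig []byte) error {
	tp, err := Thumbprint(pub)
	if err != nil {
		return err
	}
	if tp != c.KeyThumbprint {
		return errors.New("presented key is not the key this challenge was issued for")
	}
	if !ecdsa.VerifyASN1(pub, signingInput(c), sig) {
		return errors.New("signature does not verify under the presented key")
	}
	return nil
}

// RunScenario reports whether each case was accepted: an honest client, a client
// presenting a key it does not control, and a replay of an old signature.
func RunScenario() (honest, wrongKey, replay bool, err error) {
	keyA, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	keyB, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	c1, err := NewChallenge(&keyA.PublicKey) // issued for keyA
	if err != nil {
		return
	}
	sigA, err := Respond(keyA, c1)
	if err != nil {
		return
	}
	honest = Verify(&keyA.PublicKey, c1, sigA) == nil

	// Attacker controls keyB only; the thumbprint check rejects before any signature check.
	sigB, err := Respond(keyB, c1)
	if err != nil {
		return
	}
	wrongKey = Verify(&keyB.PublicKey, c1, sigB) == nil

	// Replay: a valid signature over c1 presented against a freshly issued c2.
	c2, err := NewChallenge(&keyA.PublicKey)
	if err != nil {
		return
	}
	replay = Verify(&keyA.PublicKey, c2, sigA) == nil
	return
}

func main() {
	honest, wrongKey, replay, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("honest=%v wrongKey=%v replay=%v\n", honest, wrongKey, replay)
}
```

Binding the thumbprint into the signed input is the part that matters for the concern raised in the meeting: without it, a signature proves only that some key signed some token, and the server has to trust the client's own statement of which key that was.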
Decisions and Action Items
- ACME DTN Node ID: Proceed with a short working group last call.
- TMS Update: Take discussion to the mailing list, followed by potential adoption call.
- ACME RATS: Initiate a monthly design team meeting to further refine the design.
- Auto-Discovery: Seek a new leader/maintainer for the expired drafts.
Next Steps
- Discuss the TMS update and the public key challenge draft on the mailing list.
- Schedule a short working group last call for ACME DTN Node ID.
- Announce the details of the monthly ACME RATS design team meeting.
- Identify a new editor/maintainer for the auto-discovery drafts.