Session Recording: ACME working group
Session Date/Time: 22 Jul 2025 09:30
Summary
The ACME working group meeting covered document status updates, presentations on several draft proposals, and discussions regarding their direction and potential adoption. Key topics included client authentication challenges, auto-discovery of ACME servers, public key challenges, ACME RATS integration, JWT claim constraints in STIR certificates, ACME profiles and persistent DNS validation.
Key Discussion Points
- Document Status:
  - Two new RFCs published: RFC 9773 (ARI) and RFC 9799 (Onion).
  - Several drafts are in the RFC Editor's queue or undergoing revisions.
- Client Authentication Challenge Types:
  - Discussion on the usefulness and implementation status of the client challenge type draft.
  - Concerns were raised about the scope and potential overlap with other drafts, particularly concerning WebAuthn.
  - Debate on whether this represents a fundamental change to ACME.
- Auto-Discovery of ACME Servers:
  - Discussion on the need for auto-discovery mechanisms for different identifier types, including those beyond DNS names.
  - The draft is looking for a new lead author who can champion adoption, especially someone from a major vendor.
- Public Key Challenges:
  - The presenter clarified that the use case in this scenario is for enterprise or campus contexts.
  - Concerns were raised about the practical necessity and security model of the proposed solution.
- ACME RATS Integration:
  - Discussion about combining the RATS process with the ACME process to improve device security.
  - Debate on where the attestation information should be placed within the ACME protocol flow (challenge vs. order payload).
- Extension of Public Key Challenges for JWT claim constraints:
  - A question was raised about handling multiple challenges with different authorities.
- Persistent DNS Validation in ACME:
  - Discussion on implementing static TXT records for DNS validation.
  - Emphasis on aligning with the CA/Browser Forum's efforts on this front.
Decisions and Action Items
- Client Authentication Challenge Types: Kathleen will address the feedback and decide whether a new draft should be uploaded. Chairs to start a mailing list thread on this.
- Auto-Discovery of ACME Servers: Mike is looking for someone from a CA or CSP to take the lead on this draft.
- ACME RATS Integration: Discuss placing the attestation result in the order payload on the main mailing list.
Next Steps
- Continue discussion of open issues on the mailing list.
- Coordinate efforts on similar drafts (e.g., client authentication challenges, persistent DNS validation) to avoid duplication and ensure alignment.
- Continue the ACME RATS design team meetings to discuss the design and potentially call for adoption in Montreal.