Nitpicking is why I posted so quickly :) Please post an edited version!
On 11/9/18, 9:51 AM, "Alexey Melnikov" <[email protected]> wrote:
Sorry for nitpicking, but below are my corrections to the minutes. I can
just send the updated version instead of a patch.
> ## Email TLS certs and EMAIL end-user certs, 15 minutes
> Who will read? Ready for WGLC?
>
> Paul Hoffman: I don't understand the proposed change
> Alexey: At the moment service/port are single. If you wanted to issue multiple
> ports (IMAP/IMAPS) it needs to be multiple requests.
> Paul: I see no reason not to have multiple services.
> Chair: One array or two?
> Alexey: One array
> Richard: I'm confused. This document is talking about authenticating
> DNS, but what would go into a certificate is a Domain.
> Alexey: In theory you could issue SRV based IDs. In the most common use cases
> that won't be used.
Change to: In the most common use cases DNS IDs would be issued instead.
> Richard: I think this should be updated to cover SRV.
Insert: Alexey: SRV is already covered in the document.
> DKG: I want to agree with Richard. If it's just on name, this is too complex.
> Several steps need including
> Alexey: For DNS there will be slightly specific service name.
Change to: For DNS challenge, the service name is included in the DNS
name used for the ACME challenge.
(_<port>._<service>._acme-challenge.<domain> TXT record.)
I think Richard also suggested to create a new DNS-based ACME challenge type.
> DKG: If the cert being requested isn't specifically for the service, this
> could open an attack to other services for other protocols
> AI: Alexey to add some clarifying text, Richard to send some
> AI: After next draft, WGLC; READ
>
> Paul Hoffman: These details aren't clear in the current draft.
> Richard: We have a copy of layers of indirection, what I am least clear on is
> the mapping of service to certificate. CA's may want to include SRV into the
> cert if you show control of the domain.
> Alexey: I'm hoping they'll issue certs with the port
Change to: I'm hoping they'll issue certs with the service name
> Richard: I suggest you implement SRV service IDs
> Tim: SRV has been discussed but not implemented
> Tim: The assumption all zones in a domain are controlled by the same
> identity is no longer true.
> Alexey: I am developing software that could develop software to validate
> these, but first I need CAs to issue certs against this.
Change to: I am developing client side software that validates these, but
first I need CAs to issue certs against this.
>
>
I think it is worth pointing out here that now we moved on to the S/MIME document:
> Yaron: Are you expecting end user to perform this challenge?
> Alexey: Yes, possibly through copy/pasting the challenge.
Change the above 2:
Yaron: Are you expecting end user to perform this challenge or email client?
Alexey: Both. If email client doesn't support this natively, it is
possible to copy&paste the challenge to an external program and then
create a reply with the calculated result.
> Chair: Is there any provision for multiple clients?
Alexey: yes
> AI: Tim H and dkg said they would review
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme