He mailed it to the chairs and I posted it to the datatracker.  I failed to 
mention this to the list, oops.

On 11/11/18, 4:45 AM, "Yaron Sheffer" <[email protected]> wrote:

    Alexey hasn't yet posted an updated version, and I edited the first part 
    of the minutes (the STAR portion only), now attached with my changes.
    
    Chairs, please take a look, some of the changes are potentially 
    important, as they refer to action items (I went through the YouTube video).
    
    Alexey, can you please merge them with your changes.
    
    Thanks,
    
         Yaron
    
    On 09/11/2018 5:28, Salz, Rich wrote:
    > Nitpicking is why I posted so quickly :)  Please post an edited version!
    >
    > On 11/9/18, 9:51 AM, "Alexey Melnikov" <[email protected]> wrote:
    >
    >      Sorry for nitpicking, but below are my corrections to the minutes. I can
    >      just send the updated version instead of a patch.
    >      
    >      > ## Email TLS certs and EMAIL end-user certs, 15 minutes
    >      >     Who will read?  Ready for WGLC?
    >      >
    >      > Paul Hoffman: I don't understand the proposed change
    >      > Alexey: At the moment service/port are single. If you wanted to issue multiple
    >      > ports (IMAP/IMAPS) it needs to be multiple requests.
    >      > Paul: I see no reason not to have multiple services.
    >      > Chair: One array or two?
    >      > Alexey: One array
    >      > Richard: I'm confused. This document is talking about authenticating
    >      > DNS, but what would go into a certificate is a Domain.
    >      > Alexey: In theory you could issue SRV based IDs. In the most common use cases
    >      > that won't be used.
    >      
    >      Change to: In the most common use cases DNS IDs would be issued instead.
    >      
    >      > Richard: I think this should be updated to cover SRV.
    >      
    >      Insert: Alexey: SRV is already covered in the document.
    >      
    >      > DKG: I want to agree with Richard. If it's just on name, this is too complex.
    >      > Several steps need including
    >      > Alexey: For DNS there will be slightly specific service name.
    >      
    >      Change to: For DNS challenge, the service name is included in the DNS
    >      name used for the ACME challenge.
    >      (_<port>._<service>._acme-challenge.<domain> TXT record.)
    >      
    >      I think Richard also suggested to create a new DNS-based ACME challenge
    >      type.
    >      
    >      > DKG: If the cert being requested isn't specifically for the service, this
    >      > could open an attack to other services for other protocols
    >      > AI: Alexey to add some clarifying text, Richard to send some
    >      > AI: After next draft, WGLC; READ
    >      >
    >      > Paul Hoffman: These details aren't clear in the current draft.
    >      > Richard: We have a copy of layers of indirection, what I am least clear on is
    >      > the mapping of service to certificate. CA's may want to include SRV into the
    >      > cert if you show control of the domain.
    >      > Alexey: I'm hoping they'll issue certs with the port
    >      
    >      Change to: I'm hoping they'll issue certs with the service name
    >      
    >      > Richard: I suggest you implement SRV service IDs
    >      > Tim: SRV has been discussed but not implemented
    >      > Tim: The assumption all zones in a domain are controlled by the same identity is no longer true.
    >      > Alexey: I am developing software that could develop software to validate these, but first I need CAs to issue certs against this.
    >      
    >      Change to: I am developing client side software that validates these, but
    >      first I need CAs to issue certs against this.
    >      >
    >      >
    >      
    >      I think it is worth pointing out here that now we moved on to the S/MIME
    >      document:
    >      
    >      > Yaron: Are you expecting end user to perform this challenge?
    >      > Alexey: Yes, possibly through copy/pasting the challenge.
    >      
    >      Change the above 2:
    >      
    >      Yaron: Are you expecting end user to perform this challenge or email client?
    >      Alexey: Both. If email client doesn't support this natively, it is
    >      possible to copy&paste the challenge to an external program and then
    >      create a reply with the calculated result.
    >      
    >      
    >      > Chair: Is there any provision for multiple clients?
    >      
    >      Alexey: yes
    >      
    >      > AI: Tim H and dkg said they would review
    >      
    >      
    >
    

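The per-service DNS challenge name quoted in the corrections above, and the scoping concern DKG raised (proof for one service must not yield a certificate usable for other services), as an added example that is not code from the thread, the working group or the draft it discusses; the label-syntax limits and the function names are assumptions.

```python
# Added example, not from the ACME WG thread or the draft it discusses.
# Models the per-service DNS challenge name quoted in the minutes,
#   _<port>._<service>._acme-challenge.<domain>   (TXT record)
# plus the check a CA-side validator needs so that control of one
# service/port name is not accepted as proof for a different service.
# Label limits are assumptions (RFC 1035 hostname labels, RFC 6335-style
# service names of at most 15 characters); the thread does not specify them.
import re

PREFIX = "_acme-challenge"
HOST_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
SERVICE_NAME = re.compile(r"^(?=.*[a-z])[a-z0-9]([a-z0-9-]{0,13}[a-z0-9])?$")


def challenge_name(domain: str, service: str, port: int) -> str:
    """Build the TXT owner name for one (domain, service, port) identifier."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    service = service.lower()
    if not SERVICE_NAME.match(service):
        raise ValueError(f"bad service name: {service!r}")
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(HOST_LABEL.match(lb) for lb in labels):
        raise ValueError(f"bad domain: {domain!r}")
    return f"_{port}._{service}.{PREFIX}." + ".".join(labels)


def parse_challenge_name(name: str) -> tuple:
    """Inverse of challenge_name(); rejects names not in the expected shape."""
    pattern = r"_(\d{1,5})\._([a-z0-9-]+)\." + re.escape(PREFIX) + r"\.(.+?)\.?"
    m = re.fullmatch(pattern, name.lower())
    if not m:
        raise ValueError(f"not a per-service challenge name: {name!r}")
    port, service, domain = int(m.group(1)), m.group(2), m.group(3)
    challenge_name(domain, service, port)  # re-validate each piece consistently
    return domain, service, port


def authorizes(validated_name: str, domain: str, service: str, port: int) -> bool:
    """CA-side scoping check: a TXT proof at one service's challenge name
    authorizes exactly that (domain, service, port) and nothing else."""
    try:
        parsed = parse_challenge_name(validated_name)
    except ValueError:
        return False
    return parsed == (domain.lower().rstrip("."), service.lower(), port)
```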
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme