Hi Mike, Paul, So if I understand this correctly, the idea is that an ACME client that intends to obtain a certificate for example.com will look up CAA records for example.com and follow the guidance there as to which CA to contact?
Couple of observations on a quick skim: A brief "protocol overview" section might be helpful to capture the intended happy-path flow. If folks are annoyed about the .well-known parts (as I am, a little): Since you're going to extend CAA anyway, you could just put a URL in there instead of overloading the CAA domain name. For example, instead of the `discover` parameter being a boolean, you could just put the URL of the ACME server directory there. (That would introduce a risk of divergence in the multiple-domain case, different ACME servers for the same CA domain, but that seems like it fails safely.) Section 3.1.2 says "the value "1" represents the highest priority", but Section 3.2 includes "the highest priority of 0". In general, the document should be clear on how the default interacts with explicit priorities. Cheers, --RLB On Thu, Jul 6, 2023 at 10:55 AM Mike Ounsworth <Mike.Ounsworth= [email protected]> wrote: > Hi ACME! > > This is new business that we would like to add to the agenda for 117. > > Thanks, > --- > Mike Ounsworth & Paul van Brouwershaven > > -----Original Message----- > From: [email protected] <[email protected]> > Sent: Thursday, July 6, 2023 9:39 AM > To: Mike Ounsworth <[email protected]>; Paul van Brouwershaven < > [email protected]> > Subject: [EXTERNAL] New Version Notification for > draft-vanbrouwershaven-acme-auto-discovery-00.txt > > WARNING: This email originated outside of Entrust. > DO NOT CLICK links or attachments unless you trust the sender and know the > content is safe. > > ______________________________________________________________________ > > A new version of I-D, draft-vanbrouwershaven-acme-auto-discovery-00.txt > has been successfully submitted by Paul van Brouwershaven and posted to > the IETF repository. > > Name: draft-vanbrouwershaven-acme-auto-discovery > Revision: 00 > Title: Auto-discovery mechanism for ACME client configuration > Document date: 2023-07-06 > Group: Individual Submission > Pages: 16 > URL: > https://www.ietf.org/archive/id/draft-vanbrouwershaven-acme-auto-discovery-00.txt > Status: > https://datatracker.ietf.org/doc/draft-vanbrouwershaven-acme-auto-discovery/ > Html: > https://www.ietf.org/archive/id/draft-vanbrouwershaven-acme-auto-discovery-00.html > Htmlized: > https://datatracker.ietf.org/doc/html/draft-vanbrouwershaven-acme-auto-discovery > > > Abstract: > A significant impediment to the widespread adoption of the Automated > Certificate Management Environment (ACME) [RFC8555] is that ACME > clients need to be pre-configured with the URL of the ACME server to > be used. This often leaves domain owners at the mercy of their > hosting provider as to which Certification Authorities (CAs) can be > used. This specification provides a mechanism to bootstrap ACME > client configuration from a domain's DNS CAA Resource Record > [RFC8659], thus giving control of which CA(s) to use back to the > domain owner. > > Specifically, this document specifies two new extensions to the DNS > CAA Resource Record: the "discovery" and "priority" parameters. > Additionally, it registers the URI "/.well-known/acme" at which all > compliant ACME servers will host their ACME directory object. By > retrieving instructions for the ACME client from the authorized > CA(s), this mechanism allows for the domain owner to configure > multiple CAs in either load-balanced or fallback prioritizations > which improves user preferences and increases diversity in > certificate issuers. > > > > > The IETF Secretariat > > > Any email and files/attachments transmitted with it are intended solely > for the use of the individual or entity to whom they are addressed. If this > message has been sent to you in error, you must not copy, distribute or > disclose of the information it contains. Please notify Entrust immediately > and delete the message from your system. > _______________________________________________ > Acme mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/acme >
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
