a) CAs may want to put a list of ACME endpoints at the well-known URI, for example one each for DV/OV/EV, like Sectigo did with https://acme.sectigo.com/v2/EV

b) I think a hosting provider wouldn't want to visit a random CA without human intervention, not only because of a potentially malicious one, but also because an open ACME endpoint may not be allowed for use (for example, a CA having a non-commercial-use-only limit on that endpoint), and they would likely stick to the CAs they know even if those are low priority in the CAA.

On 2023-07-06 at 11:54 PM, Mike Ounsworth wrote:
Hi ACME!

This is new business that we would like to add to the agenda for 117.

Thanks,
---
Mike Ounsworth & Paul van Brouwershaven

-----Original Message-----
From: [email protected] <[email protected]>
Sent: Thursday, July 6, 2023 9:39 AM
To: Mike Ounsworth <[email protected]>; Paul van Brouwershaven 
<[email protected]>
Subject: [EXTERNAL] New Version Notification for 
draft-vanbrouwershaven-acme-auto-discovery-00.txt


______________________________________________________________________

A new version of I-D, draft-vanbrouwershaven-acme-auto-discovery-00.txt
has been successfully submitted by Paul van Brouwershaven and posted to the 
IETF repository.

Name:           draft-vanbrouwershaven-acme-auto-discovery
Revision:       00
Title:          Auto-discovery mechanism for ACME client configuration
Document date:  2023-07-06
Group:          Individual Submission
Pages:          16
URL:            https://www.ietf.org/archive/id/draft-vanbrouwershaven-acme-auto-discovery-00.txt
Status:         https://datatracker.ietf.org/doc/draft-vanbrouwershaven-acme-auto-discovery/
Html:           https://www.ietf.org/archive/id/draft-vanbrouwershaven-acme-auto-discovery-00.html
Htmlized:       https://datatracker.ietf.org/doc/html/draft-vanbrouwershaven-acme-auto-discovery


Abstract:
    A significant impediment to the widespread adoption of the Automated
    Certificate Management Environment (ACME) [RFC8555] is that ACME
    clients need to be pre-configured with the URL of the ACME server to
    be used.  This often leaves domain owners at the mercy of their
    hosting provider as to which Certification Authorities (CAs) can be
    used.  This specification provides a mechanism to bootstrap ACME
    client configuration from a domain's DNS CAA Resource Record
    [RFC8659], thus giving control of which CA(s) to use back to the
    domain owner.

    Specifically, this document specifies two new extensions to the DNS
    CAA Resource Record: the "discovery" and "priority" parameters.
    Additionally, it registers the URI "/.well-known/acme" at which all
    compliant ACME servers will host their ACME directory object.  By
    retrieving instructions for the ACME client from the authorized
    CA(s), this mechanism allows for the domain owner to configure
    multiple CAs in either load-balanced or fallback prioritizations
    which improves user preferences and increases diversity in
    certificate issuers.




The IETF Secretariat


_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
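A constructed illustration of the discovery mechanism described in the abstract, added here and not code from the draft or its authors: it parses CAA "issue" values, keeps only CAs that advertise a discovery parameter, orders them by priority (lower value first, ties shuffled for load balancing) and applies an operator allowlist of the kind point (b) argues a hosting provider would want. Assumed rather than taken from the draft: the RFC 8659 `tag=value` parameter syntax, the exact meaning of the `discovery` and `priority` values, and the allowlist itself.

```python
"""Constructed example: turn CAA 'issue' values into ACME directory candidates.

Assumptions (not from the draft text): parameters use the RFC 8659
'tag=value' syntax separated by ';', a present 'discovery' tag means the
CA serves /.well-known/acme, 'priority' is an integer (lower tried first),
and CAs sharing a priority are load-balanced by random ordering.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class CaaIssue:
    ca: str            # issuer domain name; empty string means "no CA"
    params: dict       # parsed tag=value parameters, tags lower-cased


def parse_caa_value(value: str) -> CaaIssue:
    """Parse one 'issue' value such as 'ca.example; discovery=true; priority=10'."""
    parts = [p.strip() for p in value.split(";")]
    ca, rest = parts[0], parts[1:]
    params = {}
    for part in rest:
        if not part:
            continue                       # tolerate trailing ';'
        tag, _, val = part.partition("=")
        params[tag.strip().lower()] = val.strip()
    return CaaIssue(ca.lower(), params)


def discovery_candidates(records, allowlist=None, seed=None):
    """Return directory URLs in fallback order, shuffled within equal priority.

    'allowlist' is an operator policy (assumed here): CAs outside it are
    never contacted automatically, even if the CAA record names them.
    """
    groups = {}
    for rec in records:
        issue = parse_caa_value(rec)
        if not issue.ca or "discovery" not in issue.params:
            continue                       # authorised to issue, but no discovery
        if allowlist is not None and issue.ca not in allowlist:
            continue                       # not a CA this operator trusts
        try:
            prio = int(issue.params.get("priority", "0"))
        except ValueError:
            continue                       # malformed priority: skip, don't guess
        groups.setdefault(prio, []).append(f"https://{issue.ca}/.well-known/acme")
    rng = random.Random(seed)
    ordered = []
    for prio in sorted(groups):            # lowest priority value first
        tier = list(groups[prio])
        rng.shuffle(tier)                  # load-balance within a tier
        ordered.extend(tier)
    return ordered
```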
