Re: [Acme] [Technical Errata Reported] RFC8555 (5861)

2024-01-04 Thread Owen Friel (ofriel)
ch.edu; c...@letsencrypt.org; Owen Friel (ofriel) Cc: r...@cert.org; ynir.i...@gmail.com; acme@ietf.org; rfc-edi...@rfc-editor.org Subject: Re: [Acme] [Technical Errata Reported] RFC8555 (5861) This overspecifies things. When someone requests to create a new authorization object (or requests

Re: [Acme] Dnsdir last call review of draft-ietf-acme-integrations-15

2023-06-16 Thread Owen Friel (ofriel)
FYI, draft -16 was published on 13th June that (i) removes the confusing terminology and delegates completely to RFC8499 and (ii) addresses John's 2 outstanding nits. Thanks, Owen -Original Message- From: Michael Richardson Sent: Friday, June 9, 2023 2:58 PM To: Ted Lemon ; Warren

Re: [Acme] John Scudder's No Objection on draft-ietf-acme-integrations-15: (with COMMENT)

2023-06-09 Thread Owen Friel (ofriel)
Oops missed those, will get a draft-16 out to address those nits. -Original Message- From: John Scudder via Datatracker Sent: Thursday, June 8, 2023 5:33 PM To: The IESG Cc: draft-ietf-acme-integrati...@ietf.org; acme-cha...@ietf.org; acme@ietf.org; deco...@radium.ncsc.mil;

Re: [Acme] Dnsdir last call review of draft-ietf-acme-integrations-15

2023-06-09 Thread Owen Friel (ofriel)
As Michael says, in -14 and earlier, we were verbatim without change copying text from RFC8499. And the latest -15 abridges the text to remove quoting of the offending text from RFC8499. If neither of the above are acceptable, how about this text: "The terms Label, Domain Name, Subdomain and

Re: [Acme] I-D Action: draft-ietf-acme-subdomains-07.txt

2023-03-01 Thread Owen Friel (ofriel)
The authors feel this update addresses all recent review comments. All comments were tracked with individual github issues, and corresponding commits, if that makes it easier to find the respective updates: https://github.com/upros/acme-subdomains/issues?q=is%3Aissue+is%3Aclosed Owen

Re: [Acme] Reply: Comment on draft-ietf-acme-subdomains-06: How about using wildcard certificates for subdomains?

2023-02-27 Thread Owen Friel (ofriel)
We will add clarifying text in draft-07 to clarify this. Thanks, Owen From: Acme On Behalf Of Yanlei(Ray) Sent: Friday, February 10, 2023 3:47 AM To: Deb Cooley ; acme@ietf.org Subject: [Acme] Reply: Comment on draft-ietf-acme-subdomains-06: How about using wildcard certificates for subdomains? >

Re: [Acme] Paul Wouters' Discuss on draft-ietf-acme-subdomains-06: (with DISCUSS and COMMENT)

2023-02-27 Thread Owen Friel (ofriel)
Thanks Paul. The authors have been back and forth on these issues for the past month. See inline for summary. -Original Message- From: Paul Wouters via Datatracker Sent: Thursday, January 19, 2023 2:47 AM To: The IESG Cc: draft-ietf-acme-subdoma...@ietf.org; acme-cha...@ietf.org;

Re: [Acme] I-D Action: draft-ietf-acme-integrations-13.txt

2023-02-10 Thread Owen Friel (ofriel)
Hi all, This addresses all issues raised on the mailers. The issues and associated fixes can all be seen at: https://github.com/upros/acme-integrations/issues?q=is%3Aissue+ The authors noticed one issue related to Joe Salowey's feedback on tls-unique channel binding: An update for TEAP is

Re: [Acme] Artart last call review of draft-ietf-acme-subdomains-04

2022-11-25 Thread Owen Friel (ofriel)
Thank you Carsten for the review and comments. I created individual github issues for these comments and all other review comments of acme-subdomains at https://github.com/upros/acme-subdomains/issues I have committed fixes and closed the associated issues for 6 of these 10 comments. Michael

Re: [Acme] Genart last call review of draft-ietf-acme-subdomains-04

2022-11-25 Thread Owen Friel (ofriel)
Thank you Reese for the review and comments. I created individual github issues for these comments and all other review comments of acme-subdomains at https://github.com/upros/acme-subdomains/issues I have committed fixes and closed all bar one of the issues raised below. I will comment on

Re: [Acme] Opsdir last call review of draft-ietf-acme-subdomains-04

2022-11-25 Thread Owen Friel (ofriel)
Thank you Bo for the review and comments. I created individual github issues for these comments and all other review comments of acme-subdomains at https://github.com/upros/acme-subdomains/issues I have committed fixes and addressed all of the below comments, and closed all the associated

Re: [Acme] AD review of draft-ietf-acme-subdomains-04

2022-11-25 Thread Owen Friel (ofriel)
Thank you Roman for the review and comments. I created individual github issues for these and all other reviews of acme-subdomains at https://github.com/upros/acme-subdomains/issues I have committed fixes and closed all bar one of the issues raised below. I will comment on that one inline

Re: [Acme] AD Review of draft-ietf-acme-integrations-10

2022-11-25 Thread Owen Friel (ofriel)
Thank you Roman for the review and comments. I created individual github issues for these comments and have committed fixes for most of them and closed the issues: https://github.com/upros/acme-integrations/issues There are three outstanding issues and I will comment on these inline below.

Re: [Acme] I-D Action: draft-ietf-acme-integrations-08.txt

2022-07-04 Thread Owen Friel (ofriel)
This addresses all comments raised against draft-07 bar one: - Section 7.2 says: EST [RFC7030] is not clear on how the CSR Attributes response should be structured, and in particular is not clear on how a server can instruct a client to include specific attribute values in its CSR.

Re: [Acme] WG Last Call for draft-ietf-acme-integrations-07

2022-06-29 Thread Owen Friel (ofriel)
Hi, There were 12 individual comments/issues raised. I tracked them all as separate github issues. 10 have been addressed and fixes checked into https://github.com/upros/acme-integrations. There are only two outstanding issues, and we are noodling over the correct text. Expect an update in the

Re: [Acme] WG Last Call for draft-ietf-acme-subdomains-03

2022-06-29 Thread Owen Friel (ofriel)
Hey all, I’ve addressed the nits and just published draft-ietf-acme-subdomains-04. Owen From: Acme On Behalf Of Deb Cooley Sent: Thursday 16 June 2022 18:33 To: IETF ACME Cc: Cooley, Dorothy E Subject: Re: [Acme] WG Last Call for draft-ietf-acme-subdomains-03 We've seen two responses to the

Re: [Acme] IETF 113 agenda items

2022-03-11 Thread Owen Friel (ofriel)
Hi Deb, I will not be there in person, but Michael and Rifaat will, so they will present. Michael will present acme-subdomains. Rifaat will present acme-integrations. They will both only need ~5 minutes each, primarily only editorial updates. -Original Message- From: Acme On Behalf

[Acme] acme-subdomains RFC8499 vs. CA/B terminology

2021-12-10 Thread Owen Friel (ofriel)
I mentioned at IETF 112 that we needed to decide on use of RFC8499 vs. CA/B forum terminology in the document. As this document is not specific to Web PKI use cases, I prefer RFC8499 terminology. Martin expressed that preference too:

Re: [Acme] question regarding -subdomains-00 section 5

2021-12-10 Thread Owen Friel (ofriel)
Thanks for the review Daniel. I created a github issue to track: https://github.com/upros/acme-subdomains/issues/2 From: Acme On Behalf Of Daniel Migault Sent: 09 December 2021 06:26 To: acme@ietf.org Subject: [Acme] question regarding -subdomains-00 section 5 Briefly looking at the flows

Re: [Acme] comments on: draft-ietf-acme-integrations-05

2021-12-07 Thread Owen Friel (ofriel)
Hi Deb, I have raised github issues for all these items: https://github.com/upros/acme-integrations/issues I will get these addressed later this week. Thanks for the review. Owen From: Acme On Behalf Of Deb Cooley Sent: 27 November 2021 19:43 To: acme@ietf.org Cc: Cooley, Dorothy E Subject:

Re: [Acme] 2nd working group call for adoption

2021-10-25 Thread Owen Friel (ofriel)
-Original Message- From: Martin Thomson Sent: 18 October 2021 09:46 To: Owen Friel (ofriel) ; acme@ietf.org Subject: Re: [Acme] 2nd working group call for adoption On Fri, Oct 15, 2021, at 18:00, Owen Friel (ofriel) wrote: > Not sure why "domainNamespace" is used as t

Re: [Acme] 2nd working group call for adoption

2021-10-15 Thread Owen Friel (ofriel)
Not sure why "domainNamespace" is used as the field when "subdomains" is shorter and easier to understand. [ofriel] there was early discussion on the mailer about what exactly a 'subdomain' meant. So we quoted the CA/B Browser baseline definitions and used that terminology instead. Note

Re: [Acme] working group call for adoption

2021-09-15 Thread Owen Friel (ofriel)
From: Aaron Gable Sent: 14 September 2021 00:02 To: Owen Friel (ofriel) Cc: Michael Richardson ; Ryan Sleevi ; Deb Cooley ; acme@ietf.org Subject: Re: [Acme] working group call for adoption On Sun, Sep 12, 2021 at 11:24 PM Owen Friel (ofriel) wrote: Consider

Re: [Acme] working group call for adoption

2021-09-13 Thread Owen Friel (ofriel)
From: Acme On Behalf Of Aaron Gable Sent: 02 September 2021 08:31 To: Michael Richardson Cc: Ryan Sleevi ; Deb Cooley ; acme@ietf.org Subject: Re: [Acme] working group call for adoption On Wed, Sep 1, 2021 at 5:28 PM Michael Richardson wrote: Yes, but not

Re: [Acme] comments on: draft-ietf-acme-integrations-03.txt

2021-06-15 Thread Owen Friel (ofriel)
.devices.ra.example.org and ACME issues cert. (or using acme-subdomains, proves ownership of devices.ra.example.org) From: Deb Cooley Sent: 10 June 2021 17:52 To: Michael Richardson Cc: Owen Friel (ofriel) ; acme@ietf.org; Cooley, Dorothy E Subject: Re: [Acme] comments on: draft-ietf-acme

Re: [Acme] comments on: draft-ietf-acme-integrations-03.txt

2021-06-08 Thread Owen Friel (ofriel)
Yes Deb, it did get lost in the shuffle. See inline. From: Acme On Behalf Of Deb Cooley Sent: 19 March 2021 18:46 To: acme@ietf.org Cc: Cooley, Dorothy E Subject: [Acme] comments on: draft-ietf-acme-integrations-03.txt I thought this draft was pretty easy to follow, and I just have a few

Re: [Acme] FW: New Version Notification for draft-friel-acme-subdomains-03.txt

2021-02-08 Thread Owen Friel (ofriel)
: acme-subdomains works for both the pre-authorization flows, and the standard flow where the client POSTs the newOrder before authorization takes place. -Original Message- From: Salz, Rich Sent: 03 February 2021 05:42 To: Salz, Rich ; Owen Friel (ofriel) ; IETF ACME Subject: Re: [Acme

Re: [Acme] acme subdomains open items

2020-12-11 Thread Owen Friel (ofriel)
could be the BDN/Base Domain Name), then this will result in frequent failures as the client is not authorized to control the parent ADN/BDN. From: Ryan Sleevi Sent: 10 December 2020 03:51 To: Michael Richardson Cc: Ryan Sleevi ; Owen Friel (ofriel) ; Felipe Gasper ; acme@ietf.org Subject: Re

Re: [Acme] acme subdomains open items

2020-12-06 Thread Owen Friel (ofriel)
From: Ryan Sleevi Sent: 05 December 2020 03:27 To: Owen Friel (ofriel) Cc: Felipe Gasper ; acme@ietf.org Subject: Re: [Acme] acme subdomains open items Thanks for bringing it to the list, Owen. This is something we're trying to lock down in the CA/B Forum, at least with respect to the 'http

Re: [Acme] acme subdomains open items

2020-12-04 Thread Owen Friel (ofriel)
and/or server response. There were no concrete opinions as far as I recall (waiting on the exact minutes) and Rich said to bring the qs to the mailer for further discussion. Cheers, Owen From: Acme On Behalf Of Felipe Gasper Sent: 04 December 2020 21:35 To: Owen Friel (ofriel) Cc: acme@ietf.org Subject

[Acme] acme subdomains open items

2020-12-03 Thread Owen Friel (ofriel)
Hi all, As recommended by the chairs at IETF109, bring the two open items to the list for discussion. These were raised by Felipe and Ryan previously. 1: Does the client need a mechanism to indicate that they want to authorize a parent domain and not the explicit subdomain identifier? Or a

[Acme] FW: New Version Notification for draft-friel-acme-subdomains-03.txt

2020-10-12 Thread Owen Friel (ofriel)
Friel (ofriel) ; Michael Richardson Subject: New Version Notification for draft-friel-acme-subdomains-03.txt A new version of I-D, draft-friel-acme-subdomains-03.txt has been successfully submitted by Owen Friel and posted to the IETF repository. Name: draft-friel-acme-subdomains

Re: [Acme] Review of draft-friel-acme-subdomains-02

2020-09-23 Thread Owen Friel (ofriel)
Based on that, I can provide example JSONs that enable 1 and/or 2 and make them RFC6717 compliant and align with RFC8555 examples. Cheers, Owen -Original Message- From: Felipe Gasper Sent: 03 September 2020 21:14 To: Owen Friel (ofriel) Cc: Russ Housley ; IETF ACME Subject: Re: [Acme]

Re: [Acme] ACME subdomains

2020-09-02 Thread Owen Friel (ofriel)
ll/PAniVnsZcis;, "type": related-identifier", "related-identifier":"example.org", "related-authorization":" https://example.com/acme/authz/r4HqLzrSrpI; "status": "pending" } ], } ~~~ And for option 3, the

Re: [Acme] Review of draft-friel-acme-subdomains-02

2020-09-02 Thread Owen Friel (ofriel)
Thanks Russ. I've addressed all these in github at: https://github.com/upros/acme-subdomains/blob/master/draft-friel-acme-subdomains.md. I have not pushed out draft-03 yet, let's see what Jacob and Felipe have to say on the related thread about challenge options, and I will incorporate then.

Re: [Acme] ACME subdomains

2020-09-02 Thread Owen Friel (ofriel)
Thanks Felipe, Jacob, we had not really considered the use case where the server would offer challenges for both foo.bar.example.org and example.org and the client could choose which to fulfil. We assumed (maybe naively) that the server would

Re: [Acme] IETF 107; agenda

2020-03-10 Thread Owen Friel (ofriel)
-Original Message- From: Acme On Behalf Of Michael Richardson Sent: 10 March 2020 05:47 To: Salz, Rich Cc: Alexey Melnikov ; acme@ietf.org; Mary Barnes Subject: Re: [Acme] IETF 107; agenda > draft-ietf-acme-integrations-00, ACME Integrations > Michael Richardson can

Re: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call for adoption draft-friel-acme-subdomains)

2020-03-06 Thread Owen Friel (ofriel)
I just published draft-02 https://www.ietf.org/id/draft-friel-acme-subdomains-02.txt which hopefully addresses the pre-authorization and policy discussions below. -Original Message- From: Acme On Behalf Of Owen Friel (ofriel) Sent: 29 January 2020 05:51 To: Felipe Gasper Cc: IETF

Re: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call for adoption draft-frield-acme-subdomains)

2020-01-28 Thread Owen Friel (ofriel)
> -Original Message- > From: Felipe Gasper > Sent: 21 January 2020 14:15 > To: Ryan Sleevi > Cc: Owen Friel (ofriel) ; IETF ACME > Subject: Re: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call > for adoption draft-frield-acme-subdomains) > >

Re: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call for adoption draft-frield-acme-subdomains)

2020-01-28 Thread Owen Friel (ofriel)
> -Original Message- > From: Felipe Gasper > Sent: 21 January 2020 14:01 > To: Owen Friel (ofriel) > Cc: IETF ACME > Subject: Re: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call > for adoption draft-frield-acme-subdomains) > > > >

Re: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call for adoption draft-frield-acme-subdomains)

2020-01-21 Thread Owen Friel (ofriel)
out having access to a > subdomain’s, though? I thought that was the reason why ACME limits wildcard > authz to DNS. [ofriel] Daniel has clarified this already. It's a Let's Encrypt, not an ACME limitation. > > > cheers, > -Felipe Gasper > > > > On Jan 20, 2020,

Re: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call for adoption draft-frield-acme-subdomains)

2020-01-20 Thread Owen Friel (ofriel)
FYI, https://tools.ietf.org/html/draft-friel-acme-subdomains-01 documents the proposed new authorization object field "basedomain" > -Original Message- > From: Acme On Behalf Of Owen Friel (ofriel) > Sent: 06 December 2019 15:41 > To: Salz, Rich ; acme@ietf.org

[Acme] ACME wildcards vs. subdomain authorizations (was RE: Call for adoption draft-frield-acme-subdomains)

2019-12-06 Thread Owen Friel (ofriel)
Any comments on this email on how to explicitly distinguish between wildcard and subdomain authorizations, which hopefully addresses ekr's mic comments. > -Original Message- > From: Acme On Behalf Of Owen Friel (ofriel) > Sent: 26 November 2019 22:51 > To: Salz, Rich ; a

Re: [Acme] Call for adoption draft-frield-acme-subdomains

2019-11-26 Thread Owen Friel (ofriel)
DNS wildcards are mentioned in 3 sections in RFC8555 (in addition to the IANA Considerations section): 1. https://tools.ietf.org/html/rfc8555#section-7.1.3 Order Objects: Any identifier of type "dns" in a newOrder request MAY have a wildcard domain name as its value. A wildcard domain

Re: [Acme] ACME at IETF 106

2019-10-25 Thread Owen Friel (ofriel)
Rich, 10 minutes total on these two please: https://tools.ietf.org/html/draft-friel-acme-subdomains-00 https://tools.ietf.org/html/draft-friel-acme-integrations-02 Cheers, Owen -Original Message- From: Acme On Behalf Of Salz, Rich Sent: 25 October 2019 14:02 To: acme@ietf.org Subject:

Re: [Acme] Use cases / trust model for device certs

2019-04-23 Thread Owen Friel (ofriel)
Hi Rifaat, Inline. From: Rifaat Shekh-Yusef Sent: 17 April 2019 20:37 To: Richard Barnes Cc: IETF ACME ; Owen Friel (ofriel) Subject: Re: Use cases / trust model for device certs Hi Richard, I was not aware of the ANIMA work before the meeting in Prague, so I will definitely look