**Session Date/Time:** 25 Jul 2023 00:30

# acme

## Summary

This meeting covered the status of several ACME-related drafts, including acme-onion, the DNS account challenge, and ARI. Presentations were given on these drafts, as well as on a new proposal for ACME server discovery. Key discussion points included security considerations, client adoption, and potential next steps for each draft.

## Key Discussion Points

* **DNS Account Challenge:**
  * The draft's use of the KID value (the account URL) to derive a unique, per-account DNS record lookup key was discussed.
  * Concerns were raised about the complexity of supporting the draft when there is no clear account URI to derive the key from.
  * Discussion on whether the ACME challenge label should have an added label to its left for easier zone management.
  * The CA/Browser Forum baseline requirements were discussed in the context of the design.
* **ARI (ACME Renewal Info):**
  * Significant client adoption was reported, along with an increase in endpoint usage.
  * Open questions include simplifying the OCSP cert ID, reducing request volume with batch endpoints, and using a single timestamp instead of a renewal window.
* **Acme-onion:**
  * The draft has been adopted and reference implementations exist.
  * Discussion on why HTTPS certificates are desired for Tor hidden services.
  * Security considerations of HTTP-01 challenges over onion services were discussed, specifically potential unexpected properties and malicious exit nodes. It was confirmed that exit nodes are not a factor for hidden services, since hidden-service traffic never leaves the Tor network.
  * Tooling to verify CA implementations was suggested, including test cases with intentionally broken hidden service descriptors.
* **ACME Auto Discovery:**
  * The problem being addressed is to allow domain owners to specify their preferred CA for public domains hosted on public cloud providers.
  * The draft proposes using CAA records to automate discovery of the domain owner's preferred CA.
  * Discussion about DNSSEC, poisoning of DNS requests and CAA records, and what mitigations can be taken.
  * There was a discussion about whether it is a client- or server-focused draft.
  * Debate about Terms of Service, and whether an auto discovery tool is needed at all.

## Decisions and Action Items

* **DTN Node ID Validation Extension:** Contact Brian Sipos to determine the plan for the draft, which is currently stuck.
* **Draft Tier Issue:** R. Barnes, R. Salz, and Roman to talk after the meeting to determine where to go with the draft tier.

## Next Steps

* **DNS Account Challenge:** Continue discussion with the DNSOP working group and explore potential modifications to the CA/Browser Forum baseline requirements.
* **ARI:** Address open questions related to OCSP cert ID simplification, batch endpoints, and simplifying renewal logic.
* **Acme-onion:** Implement the draft in Certbot and gather more feedback from implementers.
* **ACME Auto Discovery:** Discuss adoption of the draft on the mailing list. Also discuss updated draft objectives and an adoption call on the list.
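To make the DNS account challenge discussion above concrete, here is an added illustration (not code from the minutes or from the draft itself) of how a per-account DNS record name can be derived from the KID. It assumes the construction from the published draft as I recall it: an underscore followed by the lowercase base32 encoding of the first 10 bytes of SHA-256 over the account URL, placed to the left of the `_acme-challenge` label; the account URLs and domain are constructed sample values.

```python
import base64
import hashlib
import re

# Assumed construction (from the draft as recalled, not from the minutes):
# "_" + lowercase base32(SHA-256(account_url)[0:10]), no padding.
LABEL_RE = re.compile(r"^_[a-z2-7]{16}$")


def account_label(account_url: str) -> str:
    """Derive the per-account DNS label from the ACME account URL (the KID)."""
    digest = hashlib.sha256(account_url.encode("utf-8")).digest()
    # 10 bytes = 80 bits = exactly 16 base32 characters, so no '=' padding.
    return "_" + base64.b32encode(digest[:10]).decode("ascii").lower()


def challenge_record_name(account_url: str, domain: str) -> str:
    """Full TXT record name a CA would query for this account and domain.

    The account label sits to the left of _acme-challenge so that records
    from different ACME accounts never collide at the same name.
    """
    return f"{account_label(account_url)}._acme-challenge.{domain}"


def labels_collide(account_url_a: str, account_url_b: str) -> bool:
    """True if two accounts would share a lookup key (should be False)."""
    return account_label(account_url_a) == account_label(account_url_b)


if __name__ == "__main__":
    # Constructed sample values, not real ACME accounts.
    acct_a = "https://ca.example/acme/acct/1234"
    acct_b = "https://ca.example/acme/acct/5678"
    print(challenge_record_name(acct_a, "www.example.org"))
    print("collide:", labels_collide(acct_a, acct_b))
```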