**Session Date/Time:** 08 Nov 2023 12:00

# ACME Meeting - IETF 118

## Summary

The ACME working group meeting at IETF 118 in Prague covered document status and two presentations: "ACME for Onion" and "ACME Auto Discovery". The meeting discussed recent RFC publications, the status of ongoing drafts, and the challenges of automating ACME server discovery, particularly account disambiguation (deciding which CA account a given request belongs to).

## Key Discussion Points

* **Document Status:** Three RFCs have been published since IETF 117: ACME for Subdomains (RFC 9444), ACME Challenges Using an Authority Token (RFC 9447), and the TNAuthList Profile of the ACME Authority Token (RFC 9448). Several other drafts are in various stages of review and publication.
* **ACME for Onion:** Discussed adding CAA support for onion domains. The proposed solution is to convey the CAA records over ACME itself, which addresses the concern that checking CAA for onion services would otherwise require every CA to run a Tor client. Placing the CAA data in the finalize call was preferred, since it allows the CA to perform the check and issue at any time rather than only at authorization.
* **ACME Auto Discovery:** The presentation highlighted the problem of cloud providers defaulting to Let's Encrypt and the need for a way for domain owners to specify their preferred ACME server. Challenges with external and internal account binding mechanisms were discussed, especially disambiguating which CA account an ACME request should be associated with.
* **Account Disambiguation:** A significant portion of the discussion focused on the complexity of account disambiguation, particularly when a domain owner has multiple accounts or sub-accounts with a CA, each possibly with different certificate profiles.
* **DNS as a Configuration Mechanism:** The use of DNS (specifically CAA records) as the primary configuration mechanism was questioned, with a suggestion to consider alternative approaches in which cloud service providers offer better UI options for selecting a CA.
* **Security Considerations:** Concerns were raised about delegating issuance authority to cloud service providers, and about the risks of putting too much configuration and account information into public DNS records.
* **TLS Trust Expressions:** Bob Beck (Google) mentioned the TLS Trust Expressions draft, which reuses ACME for delivering alternate certificate chains.

## Decisions and Action Items

* **ACME for Onion:** Authors to raise the CAA-over-ACME approach on the mailing list. The chairs will decide when the document is ready for working group last call based on the list discussion and the authors' confidence.
* **ACME Auto Discovery:** More work is needed, specifically on the account binding component. Authors will seek CA input on customer data models and account structures.
* **ACME Auto Discovery:** The WG is *not* ready to adopt this as a working group item. A design team may be appropriate, pending further design work to clarify the path forward.
* **ACME Auto Discovery:** Authors to continue design iterations and address the security concerns raised.
* Authors of both documents to continue monitoring the mailing list for concerns and suggestions.

## Next Steps

* Authors of "ACME for Onion" will raise the CAA approach on the mailing list.
* Authors of "ACME Auto Discovery" will solicit input from CAs on account disambiguation challenges and potential solutions.
* Chairs will evaluate the progress of "ACME Auto Discovery" and determine whether further action, such as forming a design team, is warranted.
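The account-disambiguation and "CAA as configuration" threads above touch a mechanism that already exists for CAA: RFC 8657 (not mentioned in the minutes) defines the `accounturi` and `validationmethods` parameters on a CAA `issue` property, binding an authorization to one ACME account URI and one set of challenge types. The Python below is an added example, not code from the meeting, the drafts, or any CA. It evaluates a constructed CAA record set (`SAMPLE_CAA`, with the hypothetical CAs `ca-a.example` and `ca-b.example`) the way a CA-side check would, following the RFC 8659 `issue` grammar plus the RFC 8657 parameters; it deliberately omits RFC 8659's climb to parent domains and `issuewild` handling, so the caller supplies the records already found for the name being issued.

```python
"""CA-side evaluation of CAA 'issue' records with RFC 8657 account binding.

Added example; the record set, CA names and account URIs are constructed.
Implements the RFC 8659 issue-property grammar and the RFC 8657
``accounturi`` / ``validationmethods`` parameters. It does NOT climb to
parent domains or handle ``issuewild``: the caller passes the RRset that
was already found for the relevant name.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A CAA RRset as (flags, tag, value) triples. Constructed sample data:
# "ca-a.example" may issue only for ACME account .../acct/1234, and
# "ca-b.example" may issue for any account but only after dns-01.
SAMPLE_CAA: List[Tuple[int, str, str]] = [
    (0, "issue", "ca-a.example; accounturi=https://ca-a.example/acme/acct/1234"),
    (0, "issue", "ca-b.example; validationmethods=dns-01"),
    (0, "iodef", "mailto:security@example.com"),
]

CRITICAL_FLAG = 0x80  # RFC 8659 section 4.1 "issuer critical" bit


@dataclass
class IssueRecord:
    issuer: str  # lower-cased issuer domain; "" is the 'issue ";"' form (no CA)
    params: Dict[str, str] = field(default_factory=dict)


def parse_issue_value(value: str) -> IssueRecord:
    """Parse an 'issue' value: issuer-domain [";" tag=value [";" ...]].

    RFC 8659 excludes ';' from parameter values, so splitting on ';' is safe.
    """
    head, *rest = value.split(";")
    params: Dict[str, str] = {}
    for part in rest:
        part = part.strip()
        if not part:
            continue  # trailing ';' or empty parameter slot
        if "=" not in part:
            raise ValueError(f"malformed CAA parameter: {part!r}")
        key, _, val = part.partition("=")
        params[key.strip().lower()] = val.strip()
    return IssueRecord(issuer=head.strip().lower(), params=params)


def issuance_allowed(
    records: List[Tuple[int, str, str]],
    ca_domain: str,
    account_uri: Optional[str] = None,
    method: Optional[str] = None,
) -> bool:
    """Return True if the CA identified by `ca_domain` may issue.

    No 'issue' records means CAA imposes no restriction. Otherwise at least
    one 'issue' record must name this CA and every RFC 8657 parameter on
    that record must be satisfied: `accounturi` is an exact string match
    against the ACME account URI, and `method` must be one of the listed
    `validationmethods`. An unrecognised property with the critical flag
    set forbids issuance outright (RFC 8659 section 4.1).
    """
    ca = ca_domain.lower()
    issue_records: List[IssueRecord] = []
    for flags, tag, value in records:
        tag_l = tag.lower()
        if tag_l == "issue":
            issue_records.append(parse_issue_value(value))
        elif tag_l not in ("issuewild", "iodef") and flags & CRITICAL_FLAG:
            return False  # critical property we do not understand
    if not issue_records:
        return True
    for rec in issue_records:
        if rec.issuer != ca:
            continue  # also skips the 'issue ";"' form, which matches no CA
        if "accounturi" in rec.params and rec.params["accounturi"] != account_uri:
            continue  # authorised, but for a different ACME account
        if "validationmethods" in rec.params:
            allowed = {m.strip() for m in rec.params["validationmethods"].split(",")}
            if method not in allowed:
                continue  # authorised, but not via this challenge type
        return True
    return False


if __name__ == "__main__":
    acct = "https://ca-a.example/acme/acct/1234"
    print("ca-a, acct 1234, http-01:", issuance_allowed(SAMPLE_CAA, "ca-a.example", acct, "http-01"))
    print("ca-a, acct 9999, http-01:", issuance_allowed(SAMPLE_CAA, "ca-a.example", acct[:-4] + "9999", "http-01"))
    print("ca-b, any acct, dns-01:  ", issuance_allowed(SAMPLE_CAA, "ca-b.example", None, "dns-01"))
    print("ca-b, any acct, http-01: ", issuance_allowed(SAMPLE_CAA, "ca-b.example", None, "http-01"))
```

Two points worth noting against the discussion above. First, the `accounturi` comparison is a plain string match, so a domain owner with several accounts at one CA must publish one `issue` record per account they want permitted; that is exactly the multi-account, multi-profile fan-out the WG found awkward to express in DNS. Second, this is the CA-side half only: CAA tells a CA whether it may issue, and says nothing to a cloud provider about which ACME server the owner wants it to contact, which is the gap the auto-discovery draft is trying to fill.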