Session Date/Time: 26 Jul 2024 16:30
acme
Summary
This ACME working group session at IETF 120 covered document status, presentations on DTN Node ID validation, ARI and ACME profiles, and discussions on ACME Onion, device attestation, and future directions for ACME. Decisions were made regarding working group last calls and the creation of a new draft for device attestation.
Key Discussion Points
- DTN Node ID Validation: Discussion around terminology in the DTN Node ID validation draft, specifically the use of the term "DTN" versus "BPv7." The draft is considered ready for working group last call.
- ARI (ACME Renewal Information): The presentation on the ARI draft highlighted its stability and its implementation by multiple clients and servers. One open question remains: whether a more specific error code is needed when a server rejects a request because the certificate it refers to has already been replaced. The draft is likely ready for working group last call, pending a discussion of the open issues.
- ACME Profiles: Aaron presented a proposal for ACME profiles, allowing CA operators to advertise supported profiles to clients. Let's Encrypt has already implemented this feature. The working group expressed interest, and a draft is expected soon.
- ACME Onion: The ACME Onion draft is considered complete, but the working group last call received no responses. The group needs to establish working group consensus before it can proceed.
- Device Attestation: A discussion on carrying different types of attestation over ACME (beyond WebAuthn) was held. Two proposals emerged: wrapping CMW (Conceptual Message Wrapper) inside WebAuthn, or creating a new top-level attestation container for CMW. A consensus formed around creating a second, parallel draft for CMW-based attestation.
- Public Key Identifier Type: A future proposal was discussed for including the public key in the new order request, potentially replacing the CSR. This could enable clients to prove control over the public key during validation.
- Error Messages: A general discussion about the need for more precise and informative error messages. The stated preference was to reduce the use of generic error types such as "malformed" in favour of ones that tell the client what actually went wrong.
Decisions and Action Items
- DTN Node ID Validation: The draft will proceed to working group last call after IETF 120. Brian will address editorial comments regarding the term "DTN."
- ARI (ACME Renewal Information): Aaron will address open issues on the bug tracker. The draft is likely ready for working group last call, to be started separately from the DTN draft.
- ACME Onion: A thread will be created on the mailing list for those who support the draft to confirm their support. If sufficient support is shown, the draft will be submitted to the IESG. The chairs will shepherd the document.
- Device Attestation: A new draft (tentatively named "device attest O2") will be created for carrying CMW attestation. Thomas and Mike volunteered to work on this draft.
- Error Messages: The group will consider adding a new, more precise ACME error type.
Next Steps
- Brian to update the DTN Node ID draft with terminology clarification.
- Aaron to address open ARI issues and initiate the ARI working group last call after this meeting.
- Aaron to create a draft for ACME profiles.
- Mailing list thread to be started regarding ACME Onion support.
- Thomas and Mike to start a new draft for the CMW-based device attestation method ("device attest O2").
- Continued discussion on the mailing list regarding error messages and new attestation drafts.