> On May 30, 2018, at 3:54 PM, Salz, Rich <rsalz=40akamai....@dmarc.ietf.org> 
> wrote:
> 
> Yes, please ask. If I'm going to tell the IESG that no MTI is needed, I want 
> to tell them that the WG had consensus.
>  
> This came up in the “AD review” thread that many of you have probably just 
> seen and skimmed or ignored. :)
>  
> ACME does not define any mandatory-to-implement signature algorithms.  To the 
> best of my recollection, this has never come up, and Eric reasonably asks 
> that we not just say “silence gives consensus.”
>  
> SO, if anyone feels we should define a set of MTI signature algorithms for 
> ACME, please speak up now. If you do so, consider proposing what they should 
> be.  Please reply within a week.

I already spoke on the previous thread.  I will repeat it here...

PKIX chose not to specify mandatory-to-implement algorithms.  This was done 
because the application that made use of the certificate needed to be able to 
impose such requirements.

Here is one place from the PKIX WG archive in 2011 that states this approach:

   (https://mailarchive.ietf.org/arch/msg/pkix/blSByMc7SysNNvkFlsFdcrFLrIs)

   PKIX defines PKI specs for a very wide range of apps, which is why we
   do not mandate any alg suite.  Different apps may use different alg suites.
   TLS, S/MIME, IPsec, SeND, etc. each gets to choose MTE algs for itself.

It seems to me that ACME is being used to support certificate enrollment for 
many different applications, so the same approach seems appropriate.

Russ

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme