how about ratelimit? for large hosting they will hit CA's default API
ratelimit fast, so they contract with a specific CA for ratelimit
increase. feels like entire automatic CA loadbearing doesn't work
without hosting provider having eab/acme account from domain holder: if
it already have menu for upload such that menu could have a box for acme
directory Uri too.
2023-07-07 오후 4:54에 Paul van Brouwershaven 이(가) 쓴 글:
Hi Seo,
a. ) CAs may want to put list of acme endpoints at well-known, for
example one each for DV/OV/EV like sectigo did with
https://acme.sectigo.com/v2/EV <https://acme.sectigo.com/v2/EV>
This could be solved by setting a CAA record to for example
"ev.sectigo.com" who could have its own ACME server.
b. ) I think hosting provider wouldn't want to visit a random CA
without human intervention, not only due to potential Malicious
one but an open acme endpoint may not allowed to use, for example
CA having noncommercial use only limit on that endpoint, and
likely stick to CA they know even if it's low priority from CAA.
If the terms of service limit usage to non-commercial use, the domain
owner should not set the CAA record if they run a commercial service,
the domain owner is the entity giving the instruction to the ACME
client and thus requests the certificate from the CA and be bound to
the terms of service.
Paul
------------------------------------------------------------------------
*From:* Acme <acme-boun...@ietf.org> on behalf of Seo Suchan
<tjtn...@gmail.com>
*Sent:* Friday, July 7, 2023 04:29
*To:* acme@ietf.org <acme@ietf.org>
*Subject:* Re: [Acme] FW: [EXTERNAL] New Version Notification for
draft-vanbrouwershaven-acme-auto-discovery-00.txt
a. ) CAs may want to put list of acme endpoints at well-known, for
example one each for DV/OV/EV like sectigo did with
https://urldefense.com/v3/__https://acme.sectigo.com/v2/EV__;!!FJ-Y8qCqXTj2!brMU-rWmiKuQ6G5EN8Ns5JEESSjbP9myZLjFfF9ISFYfPkLxgoTVs-Vuaaw80lPbmpqojB3H7KCIz7G4NTvjUpZ_0A$
b. ) I think hosting provider wouldn't want to visit a random CA without
human intervention, not only due to potential Malicious one but an open
acme endpoint may not allowed to use, for example CA having
noncommercial use only limit on that endpoint, and likely stick to CA
they know even if it's low priority from CAA.
2023-07-06 오후 11:54에 Mike Ounsworth 이(가) 쓴 글:
> Hi ACME!
>
> This is new business that we would like to add to the agenda for 117.
>
> Thanks,
> ---
> Mike Ounsworth & Paul van Brouwershaven
>
> -----Original Message-----
> From: internet-dra...@ietf.org <internet-dra...@ietf.org>
> Sent: Thursday, July 6, 2023 9:39 AM
> To: Mike Ounsworth <mike.ounswo...@entrust.com>; Paul van
Brouwershaven <paul.vanbrouwersha...@entrust.com>
> Subject: [EXTERNAL] New Version Notification for
draft-vanbrouwershaven-acme-auto-discovery-00.txt
>
> WARNING: This email originated outside of Entrust.
> DO NOT CLICK links or attachments unless you trust the sender and
know the content is safe.
>
> ______________________________________________________________________
>
> A new version of I-D, draft-vanbrouwershaven-acme-auto-discovery-00.txt
> has been successfully submitted by Paul van Brouwershaven and posted
to the IETF repository.
>
> Name: draft-vanbrouwershaven-acme-auto-discovery
> Revision: 00
> Title: Auto-discovery mechanism for ACME client configuration
> Document date: 2023-07-06
> Group: Individual Submission
> Pages: 16
> URL:
https://urldefense.com/v3/__https://www.ietf.org/archive/id/draft-vanbrouwershaven-acme-auto-discovery-00.txt__;!!FJ-Y8qCqXTj2!brMU-rWmiKuQ6G5EN8Ns5JEESSjbP9myZLjFfF9ISFYfPkLxgoTVs-Vuaaw80lPbmpqojB3H7KCIz7G4NTtFe7gh7Q$
> Status:
https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-vanbrouwershaven-acme-auto-discovery/__;!!FJ-Y8qCqXTj2!brMU-rWmiKuQ6G5EN8Ns5JEESSjbP9myZLjFfF9ISFYfPkLxgoTVs-Vuaaw80lPbmpqojB3H7KCIz7G4NTuBIoUWfg$
> Html:
https://urldefense.com/v3/__https://www.ietf.org/archive/id/draft-vanbrouwershaven-acme-auto-discovery-00.html__;!!FJ-Y8qCqXTj2!brMU-rWmiKuQ6G5EN8Ns5JEESSjbP9myZLjFfF9ISFYfPkLxgoTVs-Vuaaw80lPbmpqojB3H7KCIz7G4NTvXjxu71A$
> Htmlized:
https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/draft-vanbrouwershaven-acme-auto-discovery__;!!FJ-Y8qCqXTj2!brMU-rWmiKuQ6G5EN8Ns5JEESSjbP9myZLjFfF9ISFYfPkLxgoTVs-Vuaaw80lPbmpqojB3H7KCIz7G4NTt9chylcg$
>
>
> Abstract:
> A significant impediment to the widespread adoption of the Automated
> Certificate Management Environment (ACME) [RFC8555] is that ACME
> clients need to be pre-configured with the URL of the ACME server to
> be used. This often leaves domain owners at the mercy of their
> hosting provider as to which Certification Authorities (CAs) can be
> used. This specification provides a mechanism to bootstrap ACME
> client configuration from a domain's DNS CAA Resource Record
> [RFC8659], thus giving control of which CA(s) to use back to the
> domain owner.
>
> Specifically, this document specifies two new extensions to the DNS
> CAA Resource Record: the "discovery" and "priority" parameters.
> Additionally, it registers the URI "/.well-known/acme" at which all
> compliant ACME servers will host their ACME directory object. By
> retrieving instructions for the ACME client from the authorized
> CA(s), this mechanism allows for the domain owner to configure
> multiple CAs in either load-balanced or fallback prioritizations
> which improves user preferences and increases diversity in
> certificate issuers.
>
>
>
>
> The IETF Secretariat
>
>
> Any email and files/attachments transmitted with it are intended
solely for the use of the individual or entity to whom they are
addressed. If this message has been sent to you in error, you must not
copy, distribute or disclose of the information it contains. Please
notify Entrust immediately and delete the message from your system.
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
>
https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/acme__;!!FJ-Y8qCqXTj2!brMU-rWmiKuQ6G5EN8Ns5JEESSjbP9myZLjFfF9ISFYfPkLxgoTVs-Vuaaw80lPbmpqojB3H7KCIz7G4NTsRXrENiw$
_______________________________________________
Acme mailing list
Acme@ietf.org
https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/acme__;!!FJ-Y8qCqXTj2!brMU-rWmiKuQ6G5EN8Ns5JEESSjbP9myZLjFfF9ISFYfPkLxgoTVs-Vuaaw80lPbmpqojB3H7KCIz7G4NTsRXrENiw$
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme