Hi all, I am an interested party at the CA Browser Forum ( https://henrybirgelee.com/ ), and I have worked on some other PKI standards. Lately the CA Browser Forum has been in the process of drafting a ballot (SC-088) that eliminates the need for ephemeral challenge tokens in the DNS change and allows a CA to sign a certificate solely based on the presence of a persistent DNS record (i.e., a record that does not need to change between each renewal) ( https://github.com/slghtr-says/servercert/pull/3 ).
I know this is likely too last minute for discussion at Madrid (I had originally planned to wait until the ballot was further along before bringing this up), but a conversation in the CA/Browser Forum Validation Subcommittee came up as to how exactly the new proposed method would be implemented in ACME. In the interest of having a concrete proposal, I drafted an Internet Draft that provides a tentative outline for what a new ACME method could look like to support persistent validation. The draft is at: https://birgelee.github.io/birgelee-acme-dns-persist-01/birgelee-acme-dns-persist-00/draft-birgelee-acme-dns-persist.html

The Abstract, Intro, and Security Considerations are still pending, but Sections 3 and 4 contain the substance of the proposed method. I would be interested to know if any working group members have thoughts on this approach. If there is interest I will fill in the missing sections and make this a more mature draft. In general I think providing an ACME validation method for this early on will allow ACME to support persistent validation immediately should SC-088 pass.

Also, while I understand there are unique security implications of this when compared to the traditional token-based dns-01 validation method, I would prefer not to focus the conversation on that, and CAs that do not wish to use this method can disable it. For reference, I did present a more in-depth security analysis on the CA/Browser Forum list for those who are interested ( https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/4tATbCpQRpM/m/8mH-SX87BAAJ ).

Best,
Henry
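To make the contrast in the message above concrete, here is an added example (not from Henry's draft, SC-088, or any ACME implementation) that puts the existing token-based dns-01 check next to a persistent-record check. The dns-01 half follows RFC 8555 section 8.4 and RFC 7638 (key authorization = token "." account-key thumbprint; the TXT value is the base64url SHA-256 of that string). The persistent half is an assumption for illustration only: the `_validation-persist` label and the `acct=...;ca=...` field layout are invented here, since the draft's actual record format is not on this page. The account key and zone contents are constructed sample data.

```python
import base64
import hashlib
import json

# ---- RFC 8555 section 8.4 / RFC 7638: the token-based dns-01 check --------

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

# Required members per key type for a JWK thumbprint (RFC 7638 section 3.2).
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members, lexically sorted, no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value the CA expects at _acme-challenge.<domain>: base64url(SHA-256(token.thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())

def validate_dns01(zone: dict, domain: str, token: str, account_jwk: dict) -> bool:
    """CA-side check for one order: the digest of this order's fresh token must be present."""
    expected = dns01_txt_value(token, account_jwk)
    return expected in zone.get(f"_acme-challenge.{domain}", [])

# ---- Hypothetical persistent-record check (an assumption, NOT the draft's format) ----
# Assumed record: TXT at _validation-persist.<domain> holding "acct=<thumbprint>;ca=<name>".
# Both fields are required here so the standing record states which account and which CA
# it authorizes; a bare "record exists" check would authorize anyone the CA trusts.

def parse_persist_record(txt: str) -> dict:
    """Split 'k=v;k=v' into a dict; parts without '=' are ignored."""
    fields = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields

def validate_persistent(zone: dict, domain: str, account_jwk: dict, ca_name: str) -> bool:
    """CA-side check: some TXT record binds this domain to this account thumbprint and this CA."""
    want = jwk_thumbprint(account_jwk)
    for txt in zone.get(f"_validation-persist.{domain}", []):
        fields = parse_persist_record(txt)
        if fields.get("acct") == want and fields.get("ca") == ca_name:
            return True
    return False

# Constructed sample account key: the coordinates are arbitrary, not a real curve point.
SAMPLE_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "x" * 43, "y": "y" * 43}

def build_sample_zone(domain: str, token: str, ca_name: str) -> dict:
    """Constructed zone with one ephemeral dns-01 record and one persistent record."""
    return {
        f"_acme-challenge.{domain}": [dns01_txt_value(token, SAMPLE_ACCOUNT_JWK)],
        f"_validation-persist.{domain}": [f"acct={jwk_thumbprint(SAMPLE_ACCOUNT_JWK)};ca={ca_name}"],
    }

if __name__ == "__main__":
    zone = build_sample_zone("example.com", "token-for-order-1", "Example CA")
    # First order: both checks pass.
    print(validate_dns01(zone, "example.com", "token-for-order-1", SAMPLE_ACCOUNT_JWK))  # True
    print(validate_persistent(zone, "example.com", SAMPLE_ACCOUNT_JWK, "Example CA"))    # True
    # Renewal with a new token and no DNS change: dns-01 fails, the persistent record still passes.
    print(validate_dns01(zone, "example.com", "token-for-order-2", SAMPLE_ACCOUNT_JWK))  # False
    print(validate_persistent(zone, "example.com", SAMPLE_ACCOUNT_JWK, "Example CA"))    # True
    # A different CA name does not match the standing record.
    print(validate_persistent(zone, "example.com", SAMPLE_ACCOUNT_JWK, "Other CA"))      # False
```

The point the two checks make side by side: dns-01 proves control of the zone at the moment of each order, because the token changes per order, whereas a persistent record proves it once and then stands until removed, so whatever the record binds to (account, CA, or nothing) is what every later issuance rests on.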
_______________________________________________
Acme mailing list -- [email protected]
To unsubscribe send an email to [email protected]
