Re: [Acme] I-D Action: draft-ietf-acme-ip-03.txt
Works for me, I’ll push a version with this change this afternoon.

Corey: thanks for catching this! I went looking for a reference on whether this was allowed but apparently completely glazed over the relevant line in 6066.

> On Jul 25, 2018, at 10:59 AM, Salz, Rich wrote:
>
> Use ip-addr.arpa names?

___
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
Re: [Acme] I-D Action: draft-ietf-acme-ip-03.txt
You beat me to it.

On Wed, Jul 25, 2018 at 1:59 PM Salz, Rich wrote:

> Use ip-addr.arpa names?
Re: [Acme] I-D Action: draft-ietf-acme-ip-03.txt
Use ip-addr.arpa names?
Re: [Acme] I-D Action: draft-ietf-acme-ip-03.txt
I see that this draft has been updated to specify how tls-alpn-01 can be used to validate IP addresses in section 4. However, IP addresses are not permitted in SNI, as RFC 6066 section 3 (https://tools.ietf.org/html/rfc6066#section-3) states that "Literal IPv4 and IPv6 addresses are not permitted in "HostName"."

Given that the tls-alpn-01 challenge mandates that servers support the acme-tls/1 ALPN, perhaps it is safe to merely state that the SNI extension MUST NOT be included in the TLS handshake at all for IP address validation using tls-alpn-01. The lack of the SNI extension in the TLS handshake would serve as an indicator to the server that IP address validation is being attempted by the TLS client (as opposed to hostname/domain validation, which will include SNI extension in the ClientHello).

Thanks,

Corey Bonnell
Senior Software Engineer
Trustwave | SMART SECURITY ON DEMAND
https://www.trustwave.com

On 7/25/18, 1:07 PM, "Acme on behalf of internet-dra...@ietf.org" wrote:

> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Automated Certificate Management Environment WG of the IETF.
>
> Title : ACME IP Identifier Validation Extension
> Author : Roland Bracewell Shoemaker
> Filename: draft-ietf-acme-ip-03.txt
> Pages : 5
> Date: 2018-07-25
>
> Abstract:
> This document specifies identifiers and challenges required to enable
> the Automated Certificate Management Environment (ACME) to issue
> certificates for IP addresses.
>
> The IETF datatracker status page for this draft is:
> https://scanmail.trustwave.com/?c=4062&d=ta7Y2z7dF1ccVpbCGk7zPBjJD50CzMOpeX9MdngtgA&s=5&u=https%3a%2f%2fdatatracker%2eietf%2eorg%2fdoc%2fdraft-ietf-acme-ip%2f
>
> There are also htmlized versions available at:
> https://scanmail.trustwave.com/?c=4062&d=ta7Y2z7dF1ccVpbCGk7zPBjJD50CzMOpeXgRJSp90Q&s=5&u=https%3a%2f%2ftools%2eietf%2eorg%2fhtml%2fdraft-ietf-acme-ip-03
> https://scanmail.trustwave.com/?c=4062&d=ta7Y2z7dF1ccVpbCGk7zPBjJD50CzMOpeX4RJy15gA&s=5&u=https%3a%2f%2fdatatracker%2eietf%2eorg%2fdoc%2fhtml%2fdraft-ietf-acme-ip-03
>
> A diff from the previous version is available at:
> https://scanmail.trustwave.com/?c=4062&d=ta7Y2z7dF1ccVpbCGk7zPBjJD50CzMOpeS8aIXh9hw&s=5&u=https%3a%2f%2fwww%2eietf%2eorg%2frfcdiff%3furl2%3ddraft-ietf-acme-ip-03
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at http://scanmail.trustwave.com/?c=4062&d=ta7Y2z7dF1ccVpbCGk7zPBjJD50CzMOpeS4fdy952Q&s=5&u=http%3a%2f%2ftools%2eietf%2eorg
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
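The two options raised in this thread for tls-alpn-01 validation of IP identifiers (omit SNI entirely, or send a reverse-mapping name), sketched as an added example that is not code from the draft or from any poster. It reads "ip-addr.arpa" as the DNS reverse-mapping domains in-addr.arpa and ip6.arpa, which is an assumption; the function names and the `ip_mode` switch are hypothetical.

```python
import ipaddress

HEX = set("0123456789abcdef")


def is_ip_literal(name):
    """True if name parses as a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def sni_for_identifier(id_type, value, ip_mode="arpa"):
    """Validator side: HostName to put in SNI, or None to omit the extension.

    ip_mode is a hypothetical switch between the two proposals in the thread:
    "omit" sends no SNI for IP identifiers, "arpa" sends the reverse name.
    """
    if id_type == "dns":
        if is_ip_literal(value):
            raise ValueError("IP literal is not a valid dns identifier")
        return value.rstrip(".").lower()
    if id_type != "ip" or ip_mode not in ("omit", "arpa"):
        raise ValueError("unsupported identifier type or ip_mode")
    addr = ipaddress.ip_address(value)  # ValueError if not an address
    return None if ip_mode == "omit" else addr.reverse_pointer


def arpa_to_ip(name):
    """Invert a full reverse-mapping name; reject partial or malformed ones."""
    labels = name.split(".")
    if name.endswith(".in-addr.arpa") and len(labels) == 6:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    if name.endswith(".ip6.arpa") and len(labels) == 34 and set(labels[:32]) <= HEX:
        return ipaddress.IPv6Address(int("".join(reversed(labels[:32])), 16))
    raise ValueError("not a full reverse-mapping name: " + name)


def identifier_from_sni(sni):
    """Responder side: classify the validation attempt from the received SNI."""
    if sni is None:
        return ("ip", None)  # "omit" proposal: SNI does not carry the address
    name = sni.rstrip(".").lower()
    if is_ip_literal(name):
        raise ValueError("RFC 6066 section 3: IP literal not permitted in HostName")
    if name.endswith((".in-addr.arpa", ".ip6.arpa")):
        return ("ip", str(arpa_to_ip(name)))
    return ("dns", name)
```

With "omit" the responder learns only that an IP validation is in progress; with "arpa" the address being validated is recoverable from the HostName itself.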
[Acme] I-D Action: draft-ietf-acme-ip-03.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Automated Certificate Management Environment WG of the IETF.

Title : ACME IP Identifier Validation Extension
Author : Roland Bracewell Shoemaker
Filename: draft-ietf-acme-ip-03.txt
Pages : 5
Date: 2018-07-25

Abstract:
This document specifies identifiers and challenges required to enable the Automated Certificate Management Environment (ACME) to issue certificates for IP addresses.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-acme-ip/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-acme-ip-03
https://datatracker.ietf.org/doc/html/draft-ietf-acme-ip-03

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-acme-ip-03

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
[Acme] Last Call: (Automatic Certificate Management Environment (ACME)) to Proposed Standard
NOTE: This is a second last call because of significant changes in -13.

The IESG has received a request from the Automated Certificate Management Environment WG (acme) to consider the following document:
- 'Automatic Certificate Management Environment (ACME)' as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the i...@ietf.org mailing lists by 2018-08-08. Exceptionally, comments may be sent to i...@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

Abstract

Certificates in PKI using X.509 (PKIX) are used for a number of purposes, the most significant of which is the authentication of domain names. Thus, certificate authorities in the Web PKI are trusted to verify that an applicant for a certificate legitimately represents the domain name(s) in the certificate. Today, this verification is done through a collection of ad hoc mechanisms. This document describes a protocol that a certification authority (CA) and an applicant can use to automate the process of verification and certificate issuance. The protocol also provides facilities for other certificate management functions, such as certificate revocation.

RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH: The source for this draft is maintained in GitHub. Suggested changes should be submitted as pull requests at https://github.com/ietf-wg-acme/acme [1]. Instructions are on that page as well. Editorial changes can be managed in GitHub, but any substantive change should be discussed on the ACME mailing list (acme@ietf.org).

The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-acme-acme/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-acme-acme/ballot/

No IPR declarations have been submitted directly on this I-D.
Re: [Acme] Confirming consensus
On Wed, Jul 25, 2018 at 9:46 AM, Salz, Rich <rsalz=40akamai@dmarc.ietf.org> wrote:

> There was no email, other than process comments, on these. Therefore they
> are (re-)entering WGLC.
>
> @ekr, please put draft-ietf-acme-acme-13 on the IESG agenda.

Due to the changes between -12 and -13, I believe it is appropriate to have another IETFLC. I have requested that.

-Ekr

> The other two documents are very short. Does anyone volunteer to do the
> shepherd writeup? You can look at
> https://datatracker.ietf.org/doc/draft-ietf-acme-acme/shepherdwriteup/
> for a sample. This is a good way for someone new to the IETF process to
> get involved.
>
> From: Rich Salz
> Date: Wednesday, July 18, 2018 at 3:56 PM
> To: "acme@ietf.org"
> Subject: Re: Confirming consensus
>
> For completeness, these are
>
> draft-ietf-acme-acme-13
> draft-ietf-acme-tls-alpn-01
> draft-ietf-acme-ip-02
>
> From: Rich Salz
> Date: Wednesday, July 18, 2018 at 2:47 PM
> To: "acme@ietf.org"
> Subject: Confirming consensus
>
> As discussed in a separate thread, we added mandatory-to-implement JSON
> signing crypto (TLS 1.3 signing algorithms); note that this does not affect
> the certificates themselves.
>
> We decided to move draft-ietf-acme-tls-alpn and draft-ietf-acme-ip to
> working group last call.
>
> If you disagree with either of these decisions, please speak up by
> Monday. Note that the WGLC for the main document is being re-run in
> parallel with IESG and soon IETF review.
Re: [Acme] Confirming consensus
There was no email, other than process comments, on these. Therefore they are (re-)entering WGLC.

@ekr, please put draft-ietf-acme-acme-13 on the IESG agenda.

The other two documents are very short. Does anyone volunteer to do the shepherd writeup? You can look at https://datatracker.ietf.org/doc/draft-ietf-acme-acme/shepherdwriteup/ for a sample. This is a good way for someone new to the IETF process to get involved.

From: Rich Salz
Date: Wednesday, July 18, 2018 at 3:56 PM
To: "acme@ietf.org"
Subject: Re: Confirming consensus

For completeness, these are

draft-ietf-acme-acme-13
draft-ietf-acme-tls-alpn-01
draft-ietf-acme-ip-02

From: Rich Salz
Date: Wednesday, July 18, 2018 at 2:47 PM
To: "acme@ietf.org"
Subject: Confirming consensus

As discussed in a separate thread, we added mandatory-to-implement JSON signing crypto (TLS 1.3 signing algorithms); note that this does not affect the certificates themselves.

We decided to move draft-ietf-acme-tls-alpn and draft-ietf-acme-ip to working group last call.

If you disagree with either of these decisions, please speak up by Monday. Note that the WGLC for the main document is being re-run in parallel with IESG and soon IETF review.
Re: [Acme] I-D Action: draft-ietf-acme-email-tls-05.txt
On 25/07/2018 11:42, internet-dra...@ietf.org wrote:

> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Automated Certificate Management Environment
> WG of the IETF.
>
> Title : Extensions to Automatic Certificate Management
> Environment for email TLS
> Author : Alexey Melnikov
> Filename: draft-ietf-acme-email-tls-05.txt
> Pages : 8
> Date: 2018-07-25
>
> Abstract:
> This document specifies identifiers and challenges required to enable
> the Automated Certificate Management Environment (ACME) to issue
> certificates for use by TLS email services.
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-acme-email-tls/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-acme-email-tls-05
> https://datatracker.ietf.org/doc/html/draft-ietf-acme-email-tls-05
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-acme-email-tls-05

In this version I incorporated input from Richard about use of challenge-specific parameters. I've also added proper registration of a new SMTP extension proposed in the document and did a few minor editorial changes (like adding references).

I think this version is ready for WGLC.
[Acme] I-D Action: draft-ietf-acme-email-tls-05.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Automated Certificate Management Environment WG of the IETF.

Title : Extensions to Automatic Certificate Management Environment for email TLS
Author : Alexey Melnikov
Filename: draft-ietf-acme-email-tls-05.txt
Pages : 8
Date: 2018-07-25

Abstract:
This document specifies identifiers and challenges required to enable the Automated Certificate Management Environment (ACME) to issue certificates for use by TLS email services.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-acme-email-tls/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-acme-email-tls-05
https://datatracker.ietf.org/doc/html/draft-ietf-acme-email-tls-05

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-acme-email-tls-05

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/