From YouTube: IETF110-ACME-20210309-1430
Description
ACME meeting session at IETF110
2021/03/09 1430
https://datatracker.ietf.org/meeting/110/proceedings/
A
Okay, so welcome everyone to the ACME meeting at IETF 110. Slide. So welcome to not-Prague.
A
This is the Note Well. This is something that Rich and I came up with just the other day. Oh really, I'm sure by now you've seen all this many, many times, and now you've seen it yet another time. Okay, so our agenda for today: we start with the regular administrivia.
A
Okay, so we got a note-taker. We have a document update, and we'll talk about ACME integrations and the DTN node, and next steps. Before we get to the document updates, a little public service announcement: Rich has decided to step down as co-chair of ACME.
A
Updates: so the email S/MIME is already in the RFC pipeline. STAR delegation is in IETF last call.
E
Yes, thank you. So some of this content is duplicated but left in for background, so you can go on to the next slide.
E
And the point of why this draft is being proposed: we talked about this at the last IETF, but the idea here is that ACME has all of the infrastructure and bookkeeping and all the necessary things to do PKIX validation, and there's a need in the DTN to be able to do this kind of thing when a new node comes onto the network and needs to be validated the same way that a new email user might for an S/MIME certificate. And next slide, please.
E
So the flow that is in the email S/MIME draft is basically duplicated here with this other encoding, this other transport. We're going to define an administrative record for the Bundle Protocol, and then the ACME server generates a part one and a part two, transported over those two different paths, and then the DTN client, that's doing the validating of their identifier, combines them and sends back the response. Next slide, please.
E
So because of the blackout period for the Internet-Draft updates, I wasn't able to update the draft until just early this week, but I did submit a 01 version of the draft that had some clarification and updates. This is an experimental draft. The idea is that this would not be widely implemented in.
E
And I believe this is the last slide, right. Yes, so at this point now the last changes to the draft were to clarify some encodings, some data encodings, to use native byte strings instead of base64, just for slight efficiencies.
E
But the structure is really the same, and some supporting text was taken in from the changes to the S/MIME draft. So this is more in alignment with what was approved for S/MIME, and at this point I have spent a little bit of time on a demonstration implementation, just as a proof of concept, and that's where things stand right now.
E
Because of the simplicity and because of the alignment with the S/MIME, I don't believe that there are any further changes necessary. Yes, so, oh, and the other thing to mention is that the Bundle Protocol drafts on which this was relying for encoding and for transport, those have been moved to the editor queue. So those are now stabilized, whereas in the past they really were still in slight flux.
A
The thing I'm worried about is, if I now do one of these audience of hands and ask how many people have read either version of the draft, do you think we're going to get more than five? Right, so we could do the working group last call, hopefully get some replies about it soon. Let's ask a different way: anyone opposed to us having a working group last call? I think I saw Roman there for a moment. Yeah, go ahead.
B
All right, I was just gonna jump in, you know, as Brian has kind of indicated. This is a bit of a very narrowly focused kind of use case. We did decide to adopt it, so an approach we could try is to go to working group last call, and if we get enough folks to have put eyes on it, and we work the results, we can proceed. If we don't get enough review, then we can have another conversation about how we can get more review here.
A
Okay, so I guess we have a plan for how to proceed. Any objections to this plan of just going to working group last call and hopefully getting enough reviews to matter? We're going once, going twice. Okay, so this is what we're going to do.
F
Next slide. A draft that describes how ACME can be integrated with multiple existing client and device cert enrollment mechanisms, without requiring any changes. So what's documented in this version of the draft is EST, BRSKI, BRSKI cloud and TEAP integrations, and it doesn't change any of the specifications for EST, BRSKI or TEAP; it just stitches them together. Next slide.
F
So there's been one change since the previous draft at IETF 109, and there was one open item, which is: how do we handle the BRSKI requirements for the BRSKI RA identity certs? The BRSKI registrar itself has an identity cert with an id-kp-cmcRA EKU set, and the conclusion that we've reached is that even if the BRSKI RA is in the middle, acting as essentially a proxy that lets a pledge get a certificate from ACME, the BRSKI RA itself cannot get a certificate from an ACME server that is not willing to give it an id-kp-cmcRA. So, for example, Let's Encrypt is not going to issue you an identity cert with id-kp-cmcRA set, and so, even though the RA may be getting ACME certificates on behalf of pledges, the RA itself may not be able to get an ACME certificate for itself.
F
Next slide, please. And this is just discussion, and we were looking for reviewers and feedback, and we believe that we've no changes to make on this and it's ready for last call, but we would like some reviewers, please.
C
Oh, and I have a question on the id-kp-cmcRA: that's an extended key usage OID, correct?
C
So no, my question was, for example, in, I'm drawing a blank on what it's called, you know, the secure IP stuff, there's multiple EKUs defined, but the RFC says you can't, you can't fail to validate if they're not there.
F
But the one that was contentious is this one, because, yeah, the draft's all about ACME integrations. We know that Let's Encrypt, which is most, isn't going to hand it out, so there's just that caveat that the BRSKI RA itself needs to get its cert from a different CA than the pledges.
D
So it's my understanding that that particular EKU will only ever be used with CMP if you're an RA. So it's really hard to see how it would affect ACME.
F
But it's for the BRSKI integration use case, Russ. When you're using the BRSKI RA, the pledge talks to the BRSKI RA, and actually I don't have a picture of the architecture in this presentation, but the pledge will talk to the BRSKI RA, and the BRSKI RA will have two backend integrations: one to a MASA server, one to ACME. And the RA will go to the MASA first to get a voucher, and this will issue a voucher to the pledge, and it's for that interaction that the MASA will check that the BRSKI RA's identity cert has that bit set. And then it's a completely independent interaction between the RA and ACME to get a cert on behalf of the pledge, and that bit doesn't play any role in that interaction. So that EKU bit is only needed for the RA to get a voucher from the MASA server, and that bit isn't set when the RA is getting a certificate from ACME to hand back to their pledge.
F
Okay, okay, and we're just explicitly calling out in the document that the RA itself can't get its own identity cert from ACME, because then the RA isn't going to be able to present that identity cert to the MASA in order to get a voucher on behalf of the pledge.
G
So this is Henrik. Don't... please correct me if I'm wrong. I understand this extended key usage as the indication that this is an RA, and this is required by EST in the 7030 draft. It was initially introduced by CMC, and we also tend to reuse it for CMP, so to have one, let's say, unique extended key usage identification for an RA, and therefore you're probably right.
H
I have to say, allow twice, what, so you can hear me.
H
CMP. Can we let Russ talk?
A
Okay, so if no one else is in the queue, when do you think that this is ready for working group last call? We will get the reviewers there.
A
So, obvious question: anybody opposed to going to working group last call? Good, I like this silence. Okay, so we'll start the working group last calls after, well, next week.
A
Okay, so I think you're also doing the last thing, the subdomains, so can you put on those slides?
F
So this allows an ACME server to issue certs for a given identifier without requiring a challenge to be fulfilled against that identifier. Like, for example, an ACME server can issue a cert for foo.bar.example.com, where the client has only fulfilled a challenge against one of the parent authorized domain names, bar.example.com, or an ACME server can issue certs for multiple, for a number of subdomain certs that only require a single challenge to be fulfilled against the parent domain. That's really nice when you want to scale to use ACME to issue certs automatically for a large number of identity certs for devices, in IoT cases: we do an authorization once for a top-level domain or a parent domain, and then we could use ACME to automatically issue certs for hundreds or thousands of identity devices.
F
So what that means is that a DNS-01 challenge must be fulfilled against a parent authorized domain name, an ADN, in order to issue certs for a subdomain identifier. We've also included text in the latest draft to address the two open items that were raised on the mailer and discussed briefly at the last IETF 109. Next slide.
F
Some comments that Ryan and Philippe and a few people have made on the mailer as well is we could include an optional boolean flag associated with an identifier in the newOrder or newAuthz request, and that optional flag indicates whether the client has control over all parent ADNs or not, because I believe typically CAs will base their logic off the top-level domain, example.com, not off things like bar.example.com.
F
So if this flag is true, then the server may issue. If the client includes this flag and the flag is true, then the server knows it can issue a challenge against any of the parent ADNs and the client will be capable of fulfilling a challenge against them. If the client sets this flag as false, then the client is telling the server: I can't fulfill the challenge against any parent domain; the only thing I'm authorized to fulfill the challenge against is the explicit FQDN that I'm requesting.
F
So that's the only thing I want to challenge for. Well, this slide looks a little smaller, apologies, but I just cut and pasted some text from the draft, which shows what the parent domain authorization looks like. It's just an extra boolean flag that is optionally associated with the identifier, and I think, well, we can debate, we should actually debate what the logic should be if that isn't included, and I think if the flag isn't included, it should default to true, probably, because that's the behavior that baseline ACME has: baseline ACME doesn't make any assumptions about this at all, so it's left entirely to the server policy. But so I've one follow-on question for this proposal, if you go onto the next slide.
F
So next slide, please. And the question I have is: is that sufficiently granular? Like, is there any need for a client to be able to specify a subset of parent ADNs that it has control over? For example, the client wants a cert for foo.bar.example.org, and it can control bar.example.org but not the top-level domain. Do we need that level of flexibility? I don't think we do, but I'd like to discuss that, and what I've documented in the draft for now is that we don't need that level of flexibility, and just a simple boolean flag is sufficient. And so what's shown on the right-hand side, again, the rendering isn't that big on this page, but it shows, underneath the identifier, an array of ADNs that the client is actually authorized to fulfill a challenge against. Yeah.
F
That's better! So if you scroll over to this, yeah, you can see that the client has issued an order for the foo.bar.example.org identifier, and I've just included illustratively that the client could also optionally include a list of ADNs saying, well, I can confirm the challenge against foo.bar.example.org.
F
Yeah, there you go. Those were the two open items. The draft has just been published with those two open items closed and documented, so I'd like to get some feedback on those two proposals for the open items, and it is based on what was discussed on the mailer a couple of months back, and then we'd look for a final review of draft 04. Without any feedback, and I know Russ, you reviewed version 02, I believe we've incorporated all that feedback already.
D
So I'm thinking the single bit is not granular enough, because in different parts of the DNS tree, you don't know exactly where to stop. So in your example, foo.bar.example.org, you're pretty sure that you can't put the challenge in .org.
C
Yeah, this is Rich as an individual. I think we should adopt this. As a chair, I think we should, you know, send this over to DNSOP and get their feedback once we've adopted.
A
Okay, another one. So yeah, we can do an adoption call. I'd rather not do it, well, immediately now, but after we've done the other working group last calls, not to burden people with too many things at the same time, but yeah, I think we can do the adoption call and then.
A
Okay, thanks for that. Okay, so I guess the next step is the adoption call, which means we're almost done with the agenda, and we got to the open mic part.
A
Twice: okay, so you're getting back a lot of your time, and I just want to thank Rich for all the years of being a chair of ACME. Feel free to, like.
B
Awesome, yeah, I was going to say thanks, Rich. I don't know how to flip my camera; everyone's looking at my monitor. For those that might be interested in being a co-chair, please do drop a note to me and Ben, and we can sort that out. Additionally, what would be helpful for the working group is if we chartered a little more specificity into what the future work is. For example, we have some drafts we're talking about, we have some drafts adopted, we don't have necessarily milestones. I see that there's some drafts that are related and we don't even have on the agenda to talk about. So if we just had some dates for when we think we're going to be done, and we have some notion of when we will be done and what classes of extensions we want to cover. So it's basically a matter of.
A
Meeting. Okay, thank you. Anything else for open mic? Okay, so thank you all, and getting back 20 minutes of your life back.