►
From YouTube: IETF112-ACME-20211111-1430
Description
ACME meeting session at IETF112
2021/11/11 1430
https://datatracker.ietf.org/meeting/112/proceedings/
A
B
Now
it's
4
30
in
the
afternoon.
B
B
So
welcome
everyone.
This
is
the
acme
session
at
itf
112.
That
is
not
in
madrid,
so
I
think
you've
seen
this
thing,
I'm
not
going
to
bother
reading
it
out
to
you,
and
this
is
the
other
half
so,
and
here's
the
new
thing
living
with
this
coc
we're
not
going
to
read
that
one
out
to
you
either,
but
we've
been
asked
to
all
working
roof
chairs
have
been
asked
to
display
these
things
at
the
start
of
meetings.
B
B
B
Thank
you,
and
as
for
jet
prescribe,
we
usually
don't
need
those
in
virtual
meetings,
but
just
in
case
I
am
following
the
jabber
room.
So
if
you
want
anything
relayed
in
on
the
well
room
mic
whatever
that
means
here
and
just
prefix
it
with
mick,
and
we
will
read
it
out
so
we'll
have
the
traditional
document
update
and
followed
by
presentations
for
dta
node
id
ari
integration
subdomains
and
then,
if
we
have
time
any
other
business,
any
agenda
bashing.
B
So,
thank
you
all
to
joron,
diego
antonio
and
thomas,
for
doing
the
work
see
that
pretty
much
none
of
them
is
here.
D
B
To
them
you
can
watch
this
watch
me
saying.
Thank
you
on
youtube.
So
the
authority
token
draft
zero,
seven
draft
zero
seven
was
published
at
zero.
Six
there's
a
little
additional
text,
some
yana
considerations.
B
Right
the
authority.
Token
tnoth
list
was
not
modified
since
the
last
itf,
the
end
user,
client
and
code
signing
draft
got
two
new
revisions
and
didn't
get
a
lot
of
discussion
on
the
list
that
one
review
but
well
buy
a
chair.
So
that
doesn't
count
all
right.
So
we've
had
two
two
updates
of
dtn
node
id.
We
have
ongoing
discussions
with
roman
and
they
have
a
presentation.
B
So
not
a
lot
to
say
about
that
integrations
had
one
new
version
also
have
a
presentation
and
subdomains
also
have
a
print
station
and
they've
been
adopted
and
resubmitted
as
a
working
group
draft,
so
zero
zero
draft
any
comments.
E
Hey
yo,
I
just
wanted
to
kind
of
repeat
our
working
plan.
We
have
one
of
the
tn
auth
documents,
the
auth,
token
documents
and
last
call
we
have
the
other
one
through
last
call,
but
we've
had
it
parked
now
for
a
number
of
months
waiting
for
the
other
one.
So,
when
the
when,
when
the
authority
token
draft
drops
out
of
itf
last
call
I'll
be
batching
both
of
them
and
bringing
them
to
the
isg.
B
Okay,
so
with
that
it's
time
for
the
dtn
node
id
draft,
and
I
should
have
written
who's
doing
them
right,
I
guess
yeah!
So
could
you
do
you
want
to
control
the
slides
by
yourself.
D
D
So
the
dtn's
tcpcl
document
is
now
almost
in
the
off
48
state
and
thanks
to
russ
hussley
and
others,
we
were
able
to
get
that
document
into
a
a
good
state
with
a
new
subject:
alternative
name
oid
allocation,
and
that
is
now
reflected
in
the
acme
draft.
D
So
before
where
it
was
using
the
uri
san
form,
it
is
now
using
a
specific
bundle,
eid,
san
and
so
that
was
really
a
search
and
replace
in
the
the
acme
document,
just
using
a
different
certificate
field
and
using
a
different
acme
identifier
name
to
relate
to
that
field,
then
there
was
another
change
that
was
made
to
clarify
multi-perspective
validation,
to
really
make
it
a
first
class
use
of
this
validation
method,
in
the
same
way
that
the
htp
and
dns
allow
multi-perspective
validation
and
provide
some
guidance
about
how
to
do
that
and
requirements
about
what
must
be
done.
D
In
that
case,
there
was
a
clarification
of
the
the
node
id
definition
to
be
able
to
just
make
sure
that
the
acme
server
is
doing
the
right
logic
in
the
right
places
and
cleaning
up
client
inputs,
and
then
the
one
structural
change
was
that
the
previous
version
of
this
document
updated
a
2b
rfc
from
the
dtn
working
group
and
those
updates
have
been
now
moved
into
a
separate
document.
D
That's
awaiting
the
dtn
working
groups,
adoption
that
will
be
discussed
tomorrow
actually,
and
so
this
acme
document
now
is
purely
acme,
and
it's
also
at
the
experimental
level
just
because
this
is
new
behavior,
whereas
the
other
updating
document
is
at
the
standards
level,
and
then
there
still
are
three
remaining
typo
level
issues
in
the
document
that
I
was
waiting
on
after
the
itf.
D
D
There
still
are
two
uses
of
the
uri
name
in
the
iana
registrations
that
that
need
to
be
replaced
by
bundled
eid,
that's
a
simple
fix,
also
and
then
the
example
bundles
in
appendix
b.
This
is
a
very
minor
knit
that
they
should
use
a
different
encoding
form
for
the
array,
a
definite
versus
indefinite
form
in
sibor
terms,
which
is
also
it
doesn't
affect
the
interpretation
it
just
affects
the
encoding
form,
so
it's
very
minor
and
then
one
last
open
question.
This
is
just
in
terms
of
the
acme
document
for
for
acme
purposes.
D
D
So
it's
just
an
open
question
of
what
makes
the
most
sense
for
understanding
what's
happening.
Dtn
node
id
makes
it
more
clear
that
it's
a
dtn
term,
but
it
could
potentially
be
confusing
because
a
node
id
can
actually
have
two
different
uri
forms,
an
ipn
uri
or
a
dtn
uri.
So
dtn
is
a
little
overloaded
in
that
represents
both
the
broad
topic
area,
the
working
group
and
a
specific
uri
form.
D
I
don't
have
really
strong
feelings
about
this
either
way
it's
it's
purely
a
terminology
and
making
sure
that
people
understand
what
is
being
referred
to
other
than
just
saying.
Node
id.
D
D
I
just
noticed
that
in
other
cases,
the
eid
is
called
a
bundle
eid,
and
this
is
where
the
reason
why
it
came
up
is
because
I
was
looking
at
the
the
the
challenge
types
and,
like
the
other
challenge,
types
aren't
really
qualified.
In
the
same
way,
the
email
challenge
type
is
just
called
email
that
the
dns
is
just
called
dns.
D
F
Eric
but
as
I
was
reading
this
draft
and
providing
feedback
on
things
like
the
multi-perspective,
it
was
very
helpful
to
me
to
have
dtn
node
id
every
single
time.
It's
just
like
right.
It's
just
you
that
I,
as
an
acme
person,
don't
need
to
fully
understand
like
I
I
could
sort
of
encapsulate
it
and
so
that
that
nomenclature
worked
well
for
me,
for
whatever
that's
worth.
B
Roman
in
the
chat
that
assuming
everything
is
resolved
and
fixed,
it
could
be
in
the
chat
as
soon
as
december,
2nd
so.
E
Yeah,
that's
right.
That
was
my
comments,
you're
exactly
right,
yeah
or
for
the
authority
token
draft.
So
the
etn
after
we
get
this
straightforward
thing
resolved.
Thank
you
for
all
the
edits,
brian.
We
can
go
last
call,
and
so
that's
that's
gonna
be
at
least
two
week
delay.
So
I
haven't
looked
at
the
calendar.
I
think
the
december
16th
telechat
is
more
realistic.
B
Yeah,
that's
fine
good,
so
we
might
even
have
another
rfc
by
by
next
itf.
D
The
the
only
thing
that
would
hold
up
the
final
approval
is
that
this
document
now
relies
on
the
dtn
working
group
document,
which
has
not
yet
been
adopted,
so
they
would
end
up
needing
to
be
in
the
same
cluster
in
the
editor's
queue.
F
I
think
the
slides
are
up.
Yep
yeah
awesome
fantastic,
so
this
draft
is
completely
new
from
acme
or
from
ietf
111.
I
did
give
a
presentation
about
it
at
the
interim,
but
I
think
we
had
a
slightly
smaller
group
there.
So
hopefully
folks
have
have
read
this
draft.
I'm
not
gonna
be
going
over
the
entire
thing,
like
I
did
at
the
interim
since
that
acne
interim
I've
published
a
new
version
version
zero
one
of
the
draft
I'll
go
over.
F
What's
in
that,
in
just
a
moment,
we've
deployed
an
initial
server
implementation
in
let's
encrypt
staging
environment,
so
code
which
implements
this
draft
spec,
is
written
and
deployed.
It's
not
particularly
intelligent
yet,
but
it
does
work
and
it
does
abide
by
the
draft
and
an
initial
client
implementation
in
cert
bot
has
been,
has
been
begun,
but
is
not
yet
actually
landed
in
cert
bot
trunk,
so
that
piece
is
still
in
progress
changes
since
version
0
that
was
presented
at
the
interim,
the
based
on
feedback.
F
F
The
majority
of
the
acme
endpoints
require
post
as
get
even
for
item
potent
get
like
things,
but
we
don't
have
to
follow
that
with
new
extensions
to
the
acme
protocol,
with
with
new
endpoints
being
added
and
practical
experience
has
shown
that
that's
actually
kind
of
a
pain
because
it
makes
caching
really
difficult
and
so
for
things
that
don't
require
any
authentication.
There's
no
need
to
carry
that
forward,
and
so
this
says,
hey
we're.
F
Only
going
to
use,
get
I've
added
small
pieces
of
clarifying
behavior
for
how
clients
should
behave
in
certain
circumstances,
for
example,
if
they
don't
get
a
ari
response
at
all,
if
they
get
a
malformed
ari
response,
if
they
get
a
response
that
doesn't
mesh
nicely
with
the
frequency
at
which
the
client
tends
to
wake
up,
because,
as
we
know,
many
clients
are
implemented
as
cron
jobs,
not
as
long-running
demons
and
a
bunch
of
small
formatting
cleanups
that
are
barely
worth
mentioning.
F
So
the
renewal
info
url
it
used
to
be
in
draft
zero,
zero
that
a
finalized
order
object.
In
addition
to
having
a
here's,
where
you
should
go
download
your
certificate
from
url
would
also
have
a
and
here's
where
you
should
check
for
your
renewal
info
url
in
it.
So
a
acme
client
would
finalize
an
order,
save
that
renewal
info
url
locally
somewhere
cache.
F
It
write
it
to
disk
something
like
that
and
then
would
query
that
url
over
and
over
again,
however,
feedback
that
we
got
said
a
caching
that
url
is
kind
of
a
pain
for
certain
kinds
of
clients,
and
also
external
monitoring.
Services
would
like
to
be
able
to
construct
these
urls
directly
and
external
monitoring
services.
Obviously,
don't
have
access
to
order
objects,
so
we've
changed
it
so
that
the
order
resource
is
now
completely
untouched
and
unchanged.
F
Instead,
we've
added
a
new
field
to
the
directory
renewal
info
listing
the
base
url
for
the
renewal
info
resource
type.
So
any
client
can
fetch
the
directory
and
see
where
renewal
info
will
be
surfaced
and
then
the
remainder
of
the
renewal
info
url,
which
is
just
a
a
path
blob
effectively.
F
It
could
be
query
parameters
or
something
like
that,
but
we're
going
with
a
path
blob
for
now
is
constructed
from
case
insensitive
hex
encodings
of
the
sha
one
hash
of
the
issuer,
key
the
sha1
hash
of
the
issuer
name
and
the
certificate
serial
number.
F
Hashes
is
the
oh,
I'm
forgetting
the
name
of
the
rfc
now,
but
it's
the
ocsp
for
resource
constrained
or
for
high
volume
environments,
where
it
mandates
sha-1,
instead
of
allowing
the
the
client
to
specify
what
hash
it's
using
when
it
hashes
the
issue
or
key
an
issue
or
name
so
any
client
that
is
capable
of
requesting
ocsp
is
capable
of
constructing
these
three
parameters,
and
we
have
industry-wide
acceptance
that
these
three
parameters
are
sufficient
to
uniquely
identify
a
certificate
and
therefore
that's
what
we're
going
with
for
uniquely
identifying
a
certificate
for
this
renewal
info
as
well.
F
So
you
make
a
get
request
to
the
renewal
info
base
path
from
the
directory
concatenated.
With
these
three
path,
elements
computed
like
ocsp
and
you
get
back
the
same
renewal
info
object
that
the
initial
draft
zero
zero
had
there's
still
some
open
questions.
F
Obviously
more
questions
might
arise
as
the
initial
client
implementations
are
written
and
deployed,
but
right
now
the
known,
open
questions
that
I
would
love
feedback
for
at
some
point
are
one
pulling
semantics
right
now,
as
you
can
see
in
this
response,
the
renewal
info
response
comes
with
a
retry
after
header
saying,
hey
I've,
given
you
the
renewal
info,
please
don't
check
back
for
at
least
this
long,
but
that
only
gives
us
half
of
the
semantics
that
we
actually
want.
F
So
thinking
about
changing
the
semantics
of
this,
whether
we
want
to
continue
doing
it
with
a
header
or
whether
we
want
to
incorporate
the
suggested
polling
window
into
the
renewal
info
response,
whether
we
want
to
incorporate
it
into
like
the
meta
section
of
the
directory,
or
something
like
that.
So
if
people
have
feedback
on
that,
I
would
love
to
hear
it.
Yes,
I
see
in
chat,
I
see,
there's
been
some
discussion
in
chat.
F
I
will
read
that
in
more
detail
momentarily,
but
yes,
not
quite
instantaneously,
but
quickly
as
quickly
as
is
reasonable.
We've
been
talking
about
things
like
on
the
order
of
six
hours
or
one
hour.
The
second
consideration
is
a
larger
change.
We've
been
thinking
about
the
idea
of
there
being
a
callback,
endpoint,
basically
a
way
for
clients
to
say
hey.
You
told
me
that
I
should
renew
this
cert
at
this
time.
F
That's
done
now.
One
reason
this
would
be
helpful
is
because,
in
the
use
case,
that
is
one
of
the
motivating
use
cases
for
this
extension
in
the
use
case.
That
is
a
ca,
believes
that
it
is
about
to
revoke
a
cert,
and
it
wants
to
give
a
subscriber
an
opportunity
to
renew
that
cert
and
have
continuity
of
business
before
that
certificate
is
revoked.
Having
this
sort
of
callback
endpoint
would
let
the
client
say
yes,
it
is
safe
to
revoke
this
cert
now
or
would
let
the
ca
determine
yes,
I
know
it.
F
We're
still
just
really
thinking
about
this,
we
don't
know
if
we
definitely
want
to
do
it.
We
don't
know
what
we
want
it
to
look
like,
but
I
would
love
discussion
and
feedback
on
how
people
think
this
should
look
and
whether
it's
worth
incorporating
as
well
and
then.
Finally,
I
don't
know
how
call
for
adoption
works.
This
is
the
first
document
that
I've
brought
to
oregon
group
ever
but
after
the
acme
interim,
we
did
have
one
very
kind
and
generous
soul
on
the
mailing.
G
F
H
Hiya
welcome
to
the
itf
the
recommendation
and
it
can
be
handled
once
if
the
working
group
adopts
us
and
makes
changes
right.
Just
so
you
know,
adoption
is
means
this
document's
a
starting
point
right.
So
obviously
it's
not
frozen.
H
I
don't
see
any
reason
not
to
just
completely
lose
exactly
and
calculation
is
used
for
ocsp
everyone's
got
an
ocsp
thing,
particularly
in
places
like
let's
encrypt,
where
there's
no
revocation.
So
I
really
strongly
encourage
that,
but
again
that's
more
for
a
post-adoption
thing.
I
think
this
is
nice.
The
document
is
pretty
well
readable
and
you
did
a
good
job.
Thank
you.
A
B
So
I
think
that's
now
that
it's
been
presented
in
a
real
working
group
meeting.
We
can
ask
for
people
to
read
it
today
on
the
on
the
list
and
then
do
a
proper
adoption
call.
Rather
than
start
it
now.
C
D
G
The
only
changes
in
stratfor
russ
provided
feedback
on
the
mailer
for
draft
four.
That
was
a
major
issue
with
which
we
knew
we
knew
about,
but
we
hadn't
addressed
with
roc
70
30
sees
our
attributes
gap.
We
relied
on
using
that
for
the
ra
to
tell
the
client
what
subject
or
sound
to
include
our
c730
doesn't
actually
allow
that.
So
there
is
a
draft
that
rich
or
that
might
be
presented
at
lamps
earlier
on
this
week.
G
That
will
update
rfc
7030
to
specify
how
csr
attributes
can
be
used
by
an
ra
to
tell
a
client
attribute
values
that
it
expects
to
see
included
in
the
csr
request,
and
so
so.
The
integrations
draft
is
now
pointing
to
the
draft
and
eventually
allow
us
to
specify
how
to
handle
specifying
a
csr
attributes,
value
and
terminology
change.
G
I
just
updated
some
of
the
terminology
to
align
more
with
the
rfc
8499
dns
terminology
draft,
rather
than
to
see
a
browser
forum
terminology.
The
reason
for
that
being
that
this
draft
isn't
limited
to
web
pki
or
ca
browser
use
cases
alone,
and
so
it
makes
sense
to
align
with
the
rfc
terminology
rather
than
the
ceo
browser
technology.
G
C
C
G
That's
fair,
yeah,
the
and
the
last
draft
is
a
very
drafty
draft.
B
Okay,
so
we'll
send
a
message
to
the
list
that
we
really
want
people
to
review
this,
and
next
up
is
also
you,
so
you
can
switch
here.
G
So
it's
been
changed
since
the
previous
draft
has
been
adopted.
We've
made
some
terminology
additions,
not
terminology
changes,
we've
just
referenced,
we've
included
the
rrc
8499
and
we've
also
fixed
up
some
editorial
units.
I
think
was
iron
provided
a
bunch
of
knits
on
the
mirror
a
while
back.
We
fixed
up
all
those
and
the
big
change.
Really.
The
big
thing
I
want
to
discuss
really
is,
and
I
think
was,
martin
thompson
provided
some
feedback
on
the
adoption
call
mirror,
and
you
said
well,
why
are
we
using?
G
Why
are
we
using
domain
space,
the
name
domain
name
space
and
not
sub
domains,
and
actually
the
reason
why
we
changed?
That
initially
was
because
there
was
some
feedback
on
the
meter
that
something
means
was
a
bit
confusing,
but
so
we
changed
to
domain
namespace
to
be
more
prescriptive,
but
it
was
based
on
the
ceo
browser
definitions
and
I
think,
similar
to
active,
integrations,
acting
sub
domains
is
not
restricted
to
web
pki
or
ceo
browser
use
cases.
G
So
I
think
it
probably
makes
sense
to
align
with
the
rfc8499
definitions
and
and
therefore
probably
makes
sense
to
change
the
field
names
in
the
json
objects
back
to
what
you
originally
were
and
back
to
align
with
rfc
84.99.
So
that's
that's
the
biggest
thing
that
I'd
like
to
discuss.
We
don't
need
to
discuss
it
here,
but
just
some
consensus
on
the
mirror
as
to
which
terminology
set
to
lean
towards.
B
G
I
don't
think
it's
far
from
for
completion
at
all.
It's
it's
it's!
It's
very
close,
like
there's
been
a
lot
of
discussion
on
the
mailer
over
and
back.
It's
been
very
bursty,
but
a
lot
of
discussion
on
the
meter
about
the
details
of
the
draft
over
the
last
18
months.
So
I
think
it's
actually
close
to
completion,
but
just
the
terminology
is
the
one
thing
that
you
close
on,
but
leaving
the
terminology
aside.
G
B
Good,
so
any
anyone
else
getting
in
the
queue,
no
okay.
So
thank
you
all.
B
B
A
So
then
the
question
is:
do
you
want
to
talk
about?
What
do
you
call
those
things
milestones
that
one
that's
the
one.
A
B
B
Seems
like
nothing
and
nobody
there's
one
thing
about
the
client
certs
and
we
tried
to
stir
up
interests
and
well.
There
was
just
nothing
on
the
list.
I
It
seemed
like
you
were
asking
for
me
to
speak
with
that,
so
I
have
been
working
with
a
few
people
off
list
and
there
should
be
some
text
contributions
to
expand
the
use
cases
or
I'm
sorry,
not
the
use
cases.
The
challenge
types
for
a
code
signing
certificate
effort
that
has
been.
I
I
guess
it
was
announced
a
few
months
back,
but
they
used
their
own
method
instead
of
acme,
and
so
this
would
allow
them
to
switch
over
to
acme
and
so
not
to
create
yet
another
automated
certificate
protocol
that
vendors
would
have
to
support.
So
you
should
see
some
more
to
come
on
that
and-
and
this
was
just
raised
in
napa
as
well
one
of
their
use
cases-
they
were
trying
to
figure
out
a
way
to
solve,
because
that
effort
has
very
short.
The
code.
I
Signing
cert
effort
has
very
short-lived
certificates
like
in
the
matter
of
seconds,
so
that
they
can
only
be
used
once
and
that
might
work
for
gene
app
too.
But
that's
we'll
have
to
see
what
happens
so
you
might
see
more
and
and
we'll
see
you
know.
Obviously,
the
draft
should
only
go
forward
if
there
is
real
interest,
but
it
seems
like
a
widely
used
effort
in
the
linux
consortium.
B
B
B
B
B
Yeah,
that's
the
milestones
that
we
have,
and
obviously
all
of
the
milestones
that
are
not
marked
as
done
are
marked
with
dates
that
are.
B
So
should
probably
fix
the
april
2021
of
delay,
one
network
and
the
acme
integration.
B
As
for
the
user
client
and
code
signing
well,
we
neither
submitted
it
to
the
isg
nor
abandoned
it.
So
it's
kind
of
awaiting
adoption,
still
so
roman
d
teddy
say
what
you
think
we
should
do
with
this.
E
B
Is
really
might
as
well
pick
december
and
as
for
the
integrations.
A
B
And
then
maybe
well,
it's
too
early
to
add
them
a
milestone
for
ari,
because
we
haven't
decided
that
we
want
it
still.
But
that
might
be
the
next
just
before
the
next
itf.
A
So
what
kathleen
do
you
have
a
date
when
you
would
expect
to
see
the
client
or
code
signing
thing
solidified.
I
I
would
expect
before
the
next
meeting
cycle,
I'm
supposed
to
get
texts
within
the
next
week
or
two
from
this
other
effort,
and-
and
I
can
sync
up
with
the
gene
app
folks
pretty
easily
to
it-
to
see
if
it
works
for
them
once
they
have
a
little
bit
more
time
to
review.
I
I
Hopefully
we
can
overshoot
it
because
the
code
for
for
that
other
effort
is,
is
coming
soon.
It's
underway,
so
yeah.
A
I
Oh
you
just
reset
them,
but
I
mean
you
try
that's
why
I'm
I'm
saying
I'm
hoping
for
working
group
last
call
by
the
next
meeting,
but
I
guess
you
have
has
had
experience
that
says
it
should
go
longer.
So
whatever
you
want
to
do
is
fine.
I'm
going
to
try
to
overshoot
it.