►
From YouTube: IETF112-ACME-20211111-1430
Description
ACME meeting session at IETF112
2021/11/11 1430
https://datatracker.ietf.org/meeting/112/proceedings/
A
B
B
So
welcome
everyone.
This
is
the
acme
session
at
itf
112.
That
is
not
in
madrid,
so
I
think
you've
seen
this
thing,
I'm
not
going
to
bother
reading
it
out
to
you,
and
this
is
the
other
half
so,
and
here's
the
new
thing
living
with
this
coc
we're
not
going
to
read
that
one
out
to
you
either,
but
we've
been
asked
to
all
working
roof
chairs
have
been
asked
to
display
these
things
at
the
start
of
meetings.
B
B
B
Thank
you,
and
as
for
jet
prescribe,
we
usually
don't
need
those
in
virtual
meetings,
but
just
in
case
I
am
following
the
jabber
room.
So
if
you
want
anything
relayed
in
on
the
well
room
mic
whatever
that
means
here
and
just
prefix
it
with
mick,
and
we
will
read
it
out
so
we'll
have
the
traditional
document
update
and
followed
by
presentations
for
dta
node
id
ari
integration
subdomains
and
then,
if
we
have
time
any
other
business,
any
agenda
bashing.
D
B
B
Right
the
authority.
Token
tnoth
list
was
not
modified
since
the
last
itf,
the
end
user,
client
and
code
signing
draft
got
two
new
revisions
and
didn't
get
a
lot
of
discussion
on
the
list
that
one
review
but
well
buy
a
chair.
So
that
doesn't
count
all
right.
So
we've
had
two
two
updates
of
dtn
node
id.
We
have
ongoing
discussions
with
roman
and
they
have
a
presentation.
E
Hey
yo,
I
just
wanted
to
kind
of
repeat
our
working
plan.
We
have
one
of
the
tn
auth
documents,
the
auth,
token
documents
and
last
call
we
have
the
other
one
through
last
call,
but
we've
had
it
parked
now
for
a
number
of
months
waiting
for
the
other
one.
So,
when
the
when,
when
the
authority
token
draft
drops
out
of
itf
last
call
I'll
be
batching
both
of
them
and
bringing
them
to
the
isg.
B
D
D
There
still
are
two
uses
of
the
uri
name
in
the
iana
registrations
that
that
need
to
be
replaced
by
bundled
eid,
that's
a
simple
fix,
also
and
then
the
example
bundles
in
appendix
b.
This
is
a
very
minor
knit
that
they
should
use
a
different
encoding
form
for
the
array,
a
definite
versus
indefinite
form
in
sibor
terms,
which
is
also
it
doesn't
affect
the
interpretation
it
just
affects
the
encoding
form,
so
it's
very
minor
and
then
one
last
open
question.
This
is
just
in
terms
of
the
acme
document
for
for
acme
purposes.
D
D
So
it's
just
an
open
question
of
what
makes
the
most
sense
for
understanding
what's
happening.
Dtn
node
id
makes
it
more
clear
that
it's
a
dtn
term,
but
it
could
potentially
be
confusing
because
a
node
id
can
actually
have
two
different
uri
forms,
an
ipn
uri
or
a
dtn
uri.
So
dtn
is
a
little
overloaded
in
that
represents
both
the
broad
topic
area,
the
working
group
and
a
specific
uri
form.
D
D
I
just
noticed
that
in
other
cases,
the
eid
is
called
a
bundle
eid,
and
this
is
where
the
reason
why
it
came
up
is
because
I
was
looking
at
the
the
the
challenge
types
and,
like
the
other
challenge,
types
aren't
really
qualified.
In
the
same
way,
the
email
challenge
type
is
just
called
email
that
the
dns
is
just
called
dns.
F
Eric
but
as
I
was
reading
this
draft
and
providing
feedback
on
things
like
the
multi-perspective,
it
was
very
helpful
to
me
to
have
dtn
node
id
every
single
time.
It's
just
like
right.
It's
just
you
that
I,
as
an
acme
person,
don't
need
to
fully
understand
like
I
I
could
sort
of
encapsulate
it
and
so
that
that
nomenclature
worked
well
for
me,
for
whatever
that's
worth.
E
Yeah,
that's
right.
That
was
my
comments,
you're
exactly
right,
yeah
or
for
the
authority
token
draft.
So
the
etn
after
we
get
this
straightforward
thing
resolved.
Thank
you
for
all
the
edits,
brian.
We
can
go
last
call,
and
so
that's
that's
gonna
be
at
least
two
week
delay.
So
I
haven't
looked
at
the
calendar.
I
think
the
december
16th
telechat
is
more
realistic.
F
I
think
the
slides
are
up.
Yep
yeah
awesome
fantastic,
so
this
draft
is
completely
new
from
acme
or
from
ietf
111.
I
did
give
a
presentation
about
it
at
the
interim,
but
I
think
we
had
a
slightly
smaller
group
there.
So
hopefully
folks
have
have
read
this
draft.
I'm
not
gonna
be
going
over
the
entire
thing,
like
I
did
at
the
interim
since
that
acne
interim
I've
published
a
new
version
version
zero
one
of
the
draft
I'll
go
over.
F
What's
in
that,
in
just
a
moment,
we've
deployed
an
initial
server
implementation
in
let's
encrypt
staging
environment,
so
code
which
implements
this
draft
spec,
is
written
and
deployed.
It's
not
particularly
intelligent
yet,
but
it
does
work
and
it
does
abide
by
the
draft
and
an
initial
client
implementation
in
cert
bot
has
been,
has
been
begun,
but
is
not
yet
actually
landed
in
cert
bot
trunk,
so
that
piece
is
still
in
progress
changes
since
version
0
that
was
presented
at
the
interim,
the
based
on
feedback.
F
F
The
majority
of
the
acme
endpoints
require
post
as
get
even
for
item
potent
get
like
things,
but
we
don't
have
to
follow
that
with
new
extensions
to
the
acme
protocol,
with
with
new
endpoints
being
added
and
practical
experience
has
shown
that
that's
actually
kind
of
a
pain
because
it
makes
caching
really
difficult
and
so
for
things
that
don't
require
any
authentication.
There's
no
need
to
carry
that
forward,
and
so
this
says,
hey
we're.
F
So
the
renewal
info
url
it
used
to
be
in
draft
zero,
zero
that
a
finalized
order
object.
In
addition
to
having
a
here's,
where
you
should
go
download
your
certificate
from
url
would
also
have
a
and
here's
where
you
should
check
for
your
renewal
info
url
in
it.
So
a
acme
client
would
finalize
an
order,
save
that
renewal
info
url
locally
somewhere
cache.
F
It
write
it
to
disk
something
like
that
and
then
would
query
that
url
over
and
over
again,
however,
feedback
that
we
got
said
a
caching
that
url
is
kind
of
a
pain
for
certain
kinds
of
clients,
and
also
external
monitoring.
Services
would
like
to
be
able
to
construct
these
urls
directly
and
external
monitoring
services.
Obviously,
don't
have
access
to
order
objects,
so
we've
changed
it
so
that
the
order
resource
is
now
completely
untouched
and
unchanged.
F
F
F
So
thinking
about
changing
the
semantics
of
this,
whether
we
want
to
continue
doing
it
with
a
header
or
whether
we
want
to
incorporate
the
suggested
polling
window
into
the
renewal
info
response,
whether
we
want
to
incorporate
it
into
like
the
meta
section
of
the
directory,
or
something
like
that.
So
if
people
have
feedback
on
that,
I
would
love
to
hear
it.
Yes,
I
see
in
chat,
I
see,
there's
been
some
discussion
in
chat.
F
I
will
read
that
in
more
detail
momentarily,
but
yes,
not
quite
instantaneously,
but
quickly
as
quickly
as
is
reasonable.
We've
been
talking
about
things
like
on
the
order
of
six
hours
or
one
hour.
The
second
consideration
is
a
larger
change.
We've
been
thinking
about
the
idea
of
there
being
a
callback,
endpoint,
basically
a
way
for
clients
to
say
hey.
You
told
me
that
I
should
renew
this
cert
at
this
time.
F
That's
done
now.
One
reason
this
would
be
helpful
is
because,
in
the
use
case,
that
is
one
of
the
motivating
use
cases
for
this
extension
in
the
use
case.
That
is
a
ca,
believes
that
it
is
about
to
revoke
a
cert,
and
it
wants
to
give
a
subscriber
an
opportunity
to
renew
that
cert
and
have
continuity
of
business
before
that
certificate
is
revoked.
Having
this
sort
of
callback
endpoint
would
let
the
client
say
yes,
it
is
safe
to
revoke
this
cert
now
or
would
let
the
ca
determine
yes,
I
know
it.
F
We're
still
just
really
thinking
about
this,
we
don't
know
if
we
definitely
want
to
do
it.
We
don't
know
what
we
want
it
to
look
like,
but
I
would
love
discussion
and
feedback
on
how
people
think
this
should
look
and
whether
it's
worth
incorporating
as
well
and
then.
Finally,
I
don't
know
how
call
for
adoption
works.
This
is
the
first
document
that
I've
brought
to
oregon
group
ever
but
after
the
acme
interim,
we
did
have
one
very
kind
and
generous
soul
on
the
mailing.
G
F
H
H
I
don't
see
any
reason
not
to
just
completely
lose
exactly
and
calculation
is
used
for
ocsp
everyone's
got
an
ocsp
thing,
particularly
in
places
like
let's
encrypt,
where
there's
no
revocation.
So
I
really
strongly
encourage
that,
but
again
that's
more
for
a
post-adoption
thing.
I
think
this
is
nice.
The
document
is
pretty
well
readable
and
you
did
a
good
job.
Thank
you.
A
B
C
D
G
The
only
changes
in
stratfor
russ
provided
feedback
on
the
mailer
for
draft
four.
That
was
a
major
issue
with
which
we
knew
we
knew
about,
but
we
hadn't
addressed
with
roc
70
30
sees
our
attributes
gap.
We
relied
on
using
that
for
the
ra
to
tell
the
client
what
subject
or
sound
to
include
our
c730
doesn't
actually
allow
that.
So
there
is
a
draft
that
rich
or
that
might
be
presented
at
lamps
earlier
on
this
week.
G
That
will
update
rfc
7030
to
specify
how
csr
attributes
can
be
used
by
an
ra
to
tell
a
client
attribute
values
that
it
expects
to
see
included
in
the
csr
request,
and
so
so.
The
integrations
draft
is
now
pointing
to
the
draft
and
eventually
allow
us
to
specify
how
to
handle
specifying
a
csr
attributes,
value
and
terminology
change.
G
I
just
updated
some
of
the
terminology
to
align
more
with
the
rfc
8499
dns
terminology
draft,
rather
than
to
see
a
browser
forum
terminology.
The
reason
for
that
being
that
this
draft
isn't
limited
to
web
pki
or
ca
browser
use
cases
alone,
and
so
it
makes
sense
to
align
with
the
rfc
terminology
rather
than
the
ceo
browser
technology.
G
C
G
So
it's
been
changed
since
the
previous
draft
has
been
adopted.
We've
made
some
terminology
additions,
not
terminology
changes,
we've
just
referenced,
we've
included
the
rrc
8499
and
we've
also
fixed
up
some
editorial
units.
I
think
was
iron
provided
a
bunch
of
knits
on
the
mirror
a
while
back.
We
fixed
up
all
those
and
the
big
change.
Really.
The
big
thing
I
want
to
discuss
really
is,
and
I
think
was,
martin
thompson
provided
some
feedback
on
the
adoption
call
mirror,
and
you
said
well,
why
are
we
using?
G
Why
are
we
using
domain
space,
the
name
domain
name
space
and
not
sub
domains,
and
actually
the
reason
why
we
changed?
That
initially
was
because
there
was
some
feedback
on
the
meter
that
something
means
was
a
bit
confusing,
but
so
we
changed
to
domain
namespace
to
be
more
prescriptive,
but
it
was
based
on
the
ceo
browser
definitions
and
I
think,
similar
to
active,
integrations,
acting
sub
domains
is
not
restricted
to
web
pki
or
ceo
browser
use
cases.
G
So
I
think
it
probably
makes
sense
to
align
with
the
rfc8499
definitions
and
and
therefore
probably
makes
sense
to
change
the
field
names
in
the
json
objects
back
to
what
you
originally
were
and
back
to
align
with
rfc
84.99.
So
that's
that's
the
biggest
thing
that
I'd
like
to
discuss.
We
don't
need
to
discuss
it
here,
but
just
some
consensus
on
the
mirror
as
to
which
terminology
set
to
lean
towards.
B
G
I
don't
think
it's
far
from
for
completion
at
all.
It's
it's
it's!
It's
very
close,
like
there's
been
a
lot
of
discussion
on
the
mailer
over
and
back.
It's
been
very
bursty,
but
a
lot
of
discussion
on
the
meter
about
the
details
of
the
draft
over
the
last
18
months.
So
I
think
it's
actually
close
to
completion,
but
just
the
terminology
is
the
one
thing
that
you
close
on,
but
leaving
the
terminology
aside.
G
B
B
A
A
B
B
I
I
I
guess
it
was
announced
a
few
months
back,
but
they
used
their
own
method
instead
of
acme,
and
so
this
would
allow
them
to
switch
over
to
acme
and
so
not
to
create
yet
another
automated
certificate
protocol
that
vendors
would
have
to
support.
So
you
should
see
some
more
to
come
on
that
and-
and
this
was
just
raised
in
napa
as
well
one
of
their
use
cases-
they
were
trying
to
figure
out
a
way
to
solve,
because
that
effort
has
very
short.
The
code.
I
Signing
cert
effort
has
very
short-lived
certificates
like
in
the
matter
of
seconds,
so
that
they
can
only
be
used
once
and
that
might
work
for
gene
app
too.
But
that's
we'll
have
to
see
what
happens
so
you
might
see
more
and
and
we'll
see
you
know.
Obviously,
the
draft
should
only
go
forward
if
there
is
real
interest,
but
it
seems
like
a
widely
used
effort
in
the
linux
consortium.