IETF
acme
acme@jabber.ietf.org
Wednesday, March 25, 2015

GMT+0
[16:54:41] ilari.liusvaara joins the room
[19:54:02] Aaron Falk joins the room
[20:01:05] Aaron Falk leaves the room
[20:11:18] wilma joins the room
[20:11:21] Meetecho joins the room
[20:11:24] Meetecho leaves the room
[20:11:28] Aaron Falk joins the room
[20:11:48] smemery joins the room
[20:12:38] Joe Hall joins the room
[20:12:45] Aaron Falk leaves the room
[20:14:23] Joe Hall leaves the room: Replaced by new connection
[20:14:25] Joe Hall joins the room
[20:16:37] <Joe Hall> https://datatracker.ietf.org/meeting/92/agenda/acme/
[20:16:43] Szilveszter Nadas joins the room
[20:17:05] Linhui Sun joins the room
[20:17:48] Meetecho joins the room
[20:17:56] Cullen Jennings joins the room
[20:19:05] Aaron Zauner joins the room
[20:19:39] <Joe Hall> meetecho: http://ietf92streaming.dnsalias.net/ietf/ietf928.m3u
[20:19:54] Linhui Sun leaves the room
[20:20:06] Stefan Santesson joins the room
[20:20:32] <Joe Hall> (I'm going to do some transcription since I don't have links to slides)
[20:20:44] Shaun Cooley joins the room
[20:21:00] Linhui Sun joins the room
[20:21:05] Aaron Falk joins the room
[20:21:12] Jim Bieda joins the room
[20:21:23] <Aaron Zauner> no video/audio via meetech
[20:21:25] <Aaron Zauner> ?
[20:21:26] Valery Smyslov joins the room
[20:21:54] jcooter joins the room
[20:21:57] <Joe Hall> relayed to chairs, working on it, thanks
[20:22:11] <Aaron Zauner> thx
[20:22:17] <Joe Hall> meetecho:
[20:22:21] <Aaron Falk> Jabber people: note well.  that is all.
[20:22:31] <Shaun Cooley> I have audio, video, and slides...
[20:22:32] Karen O'Donoghue joins the room
[20:22:37] <Joe Hall> it's up?
[20:22:37] Szilveszter N joins the room
[20:22:40] rbarnes joins the room
[20:22:40] <Joe Hall> great
[20:22:50] <rbarnes > meetecho: we good to go?
[20:22:52] Hugo Kobayashi joins the room
[20:22:59] <Shaun Cooley> fine for me
[20:22:59] Szilveszter N leaves the room
[20:23:01] Steve Olshansky joins the room
[20:23:05] <rbarnes > sweet
[20:23:19] <Joe Hall> EKR now on motivating requirements, then PHB on industry reqs, review of the acme-01, then discussion
[20:23:22] Aaron Zauner leaves the room
[20:23:37] <Joe Hall> agenda bashing
[20:23:48] <Joe Hall> not a working-group forming BOF
[20:23:54] Aaron Zauner joins the room
[20:24:06] <Joe Hall> however, think about the work and how it fits into the IETF and how IETF could contribute to this effort
[20:24:08] <Joe Hall> EKR up now
[20:24:22] <Joe Hall> Title: ACME Objectives
[20:24:54] <Joe Hall> what problem are we trying to solve?
[20:25:01] <Joe Hall> problem: not enough TLS on the net
[20:25:11] Aaron Zauner leaves the room
[20:25:16] <Joe Hall> 30% of page loads over https, 65% transactions
[20:25:20] <Joe Hall> should be 100%
[20:25:37] <Joe Hall> one reason, hard to get certs
[20:25:47] <Joe Hall> slide: "getting a cert is no fun"
[20:26:00] <Joe Hall> (IM chat transcript from fluffy taking 45m to get a cert)
[20:26:04] <Joe Hall> hilarity ensues
[20:26:15] Randy Bush joins the room
[20:26:15] <Joe Hall> want to automate this process
[20:26:18] Ben Schumacher joins the room
[20:26:21] <Joe Hall> universal SSL from CloudFlare
[20:26:22] Mark Nottingham joins the room
[20:26:29] <Mark Nottingham> #fixfluffy
[20:26:30] <Joe Hall> node.ja package that does it… ssl something or other
[20:27:03] <rbarnes > node.js :)
[20:27:04] <Joe Hall> bunch of partners have developed let's encrypt https://letsencrypt.org/
[20:27:10] <Joe Hall> (yeah, smartass)
[20:27:11] <rbarnes > node — ja ja!
[20:27:24] <Joe Hall> we need automation of all the major operations
[20:27:38] <Joe Hall> registrations, verification of domain control, reissuance/renewal
[20:27:45] Aaron Zauner joins the room
[20:27:45] <rbarnes > SSLMate
[20:28:03] <Joe Hall> seamless: requires min. operator intervention, set up once, permanent operation
[20:28:08] <Joe Hall> ty rlb
[20:28:23] JeffH joins the room
[20:28:26] <Joe Hall> flexible: adapts to different CA policies and practices
[20:28:26] Kathleen Moriarty joins the room
[20:28:44] sftcd joins the room
[20:28:55] <Joe Hall> Slide: "Example: Cert lifetimes"
[20:29:12] <Joe Hall> currently certs are long-lived… 1y, 5y, 10y
[20:29:20] yan joins the room
[20:29:22] <Joe Hall> rely on OCSP verification… "you're going to have a bad day"
[20:29:32] <Joe Hall> no browser hard fails on OCSP verif
[20:29:34] Bill Mills joins the room
[20:29:51] <Joe Hall> lots of talk on "must staple"… stuffing an OCSP response into tls handshake
[20:30:05] <Joe Hall> short lived certs
[20:30:19] <Joe Hall> natural fit for automatic renewal (woo!)
[20:30:35] <Joe Hall> result: CA can tune cert lifetime
[20:30:57] <Joe Hall> Slide: "Example: new algorithms"
[20:30:59] <yan> are the slides up womewhere?
[20:31:01] <yan> *somewhere
[20:31:09] <Joe Hall> (not that I know of, I'll get them to you)
[20:31:13] <yan> thanks
[20:31:19] <Joe Hall> right now servers support RSA and maybe ECDSA
[20:31:29] <Joe Hall> but, new curves? edDSA?
[20:31:38] <Joe Hall> this can be done automajically
[20:31:48] <Joe Hall> Slide: "Example: Delegated issuance"
[20:32:00] <Joe Hall> datacenter with a lot of servers
[20:32:06] <Joe Hall> many servers for the same domain
[20:32:14] <Joe Hall> many domains for the same server
[20:32:16] richsalz joins the room
[20:32:16] <rbarnes > yan: https://datatracker.ietf.org/meeting/92/materials.html
[20:32:20] <Joe Hall> very painful to revalidate for all of this
[20:32:21] <yan> thanks richard
[20:32:44] <Joe Hall> authentication key in acme is tied to a set of domains
[20:32:45] <Joe Hall> woo
[20:33:09] <Joe Hall> http://www.ietf.org/proceedings/92/slides/slides-92-acme-3.pdf
[20:33:17] <Joe Hall> I'll stop transcribing now
[20:33:26] <Joe Hall> unless someone finds it helpful
[20:33:31] <yan> the recording quality is quite good, so not really
[20:33:36] <Joe Hall> awesome sauce
[20:33:52] <Aaron Zauner> no need here
[20:34:03] <Joe Hall> questions? please append "MIC" to things you want me to relay in the room
[20:34:05] Stefans joins the room
[20:34:26] wseltzer joins the room
[20:36:31] <Randy Bush> Mic: server with names in two domains? e.g. foo.bar.com and foux.feen.com
[20:36:32] <Shaun Cooley> in response to the last question, code is at: https://github.com/letsencrypt/ and could be easily used on-prem for a private CA
[20:37:11] hildjj joins the room
[20:37:28] <Shaun Cooley> Randy: as long as you have DV'd on both, there is nothing preventing a CA from giving you a cert with SANs for different domains
[20:37:49] Gabriel Montenegro joins the room
[20:37:55] <Shaun Cooley> LetsEncrypt is planning (at least last time we talked) to explicitly support this case - as it is very important for UCC certs that Cisco needs
[20:38:23] <Joe Hall> still mic randy?
[20:38:31] <Randy Bush> nope
[20:39:47] <Joe Hall> PHB http://www.ietf.org/proceedings/92/slides/slides-92-acme-2.pdf
[20:40:16] rbarnes leaves the room
[20:41:27] rbarnes joins the room
[20:41:55] Szilveszter Nadas leaves the room
[20:42:08] rbarnes leaves the room
[20:42:34] rbarnes joins the room
[20:43:46] Sean Turner joins the room
[20:45:47] <Joe Hall> slide 6, industry reqs. II
[20:46:37] yzheng joins the room
[20:47:29] <Stefans> I love the idea to make cert issuance automated as a means to reduce certificate lifetime and get rid of revocation
[20:47:42] <Joe Hall> slide 7, some technical points
[20:48:57] safa al joins the room
[20:49:15] Aaron Falk leaves the room
[20:49:26] <Joe Hall> slide 8, IPR issues
[20:50:28] <Joe Hall> questions?
[20:50:29] rbarnes leaves the room
[20:50:50] <Joe Hall> next up, Richard Barnes on the draft: http://www.ietf.org/proceedings/92/slides/slides-92-acme-1.pdf
[20:50:56] <Aaron Zauner> yea, let's get rid of revocation schemes, they dont work anyway
[20:51:06] <sftcd> well, richard barnes on the pink rectangle
[20:51:08] YI Zheng joins the room
[20:51:30] <Joe Hall> https://tools.ietf.org/html/draft-barnes-acme-01
[20:51:31] C Peters joins the room
[20:51:40] <Stefans> Revocation is outdated in many cases when we have the capacity to reissue fresh credentials on a regular basis
[20:51:51] Aaron Falk joins the room
[20:51:53] <Joe Hall> (slide 3)
[20:52:32] safa al leaves the room
[20:52:41] Aaron Falk leaves the room: Replaced by new connection
[20:52:42] Aaron Falk joins the room
[20:52:48] <Joe Hall> (slide 4)
[20:53:13] Aaron Falk leaves the room
[20:56:14] <Joe Hall> (slide 5)
[20:56:56] <Joe Hall> (slide 6)
[20:57:56] <Joe Hall> (slide 7)
[20:59:20] <yan> to add to rbarnes' answer, the current doc also has DVSNI validation
[20:59:28] <yan> (in addition to Simple HTTPS and DNS validation)
[20:59:36] <Joe Hall> (slide 8)
[21:00:02] <Joe Hall> (slide 9)
[21:01:59] Aaron Falk joins the room
[21:02:06] <Joe Hall> we appear to have ungracefully segued into questions
[21:02:16] <Joe Hall> so holla holla if you want a MIC
[21:02:19] <Joe Hall> oops
[21:02:25] Dan Wing joins the room
[21:02:27] <Joe Hall> clarifying qs only
[21:02:52] Aaron Falk leaves the room: Replaced by new connection
[21:02:53] Aaron Falk joins the room
[21:03:00] <Joe Hall> (slide 9) for reals this time
[21:03:33] <Joe Hall> further clarifying questions
[21:04:54] <Joe Hall> moving on… 15m for discussion
[21:05:08] <Joe Hall> first topic: do people find this work and the scope presented interesting? other use cases?
[21:05:40] <richsalz> @yan -- you want to ask someone to raise the wildcard issue?
[21:05:56] <Stefans> The only problem with this is that it is not already done….
[21:06:33] <Aaron Zauner> not sure about wildcard
[21:07:06] <yan> yeah, i'm wondering how people generally feel about support for issuing wildcard DV certs in ACME
[21:07:18] <Stefans> You don't need wildcards if you have an efficient automated process for each needed subdomain
[21:07:18] <Joe Hall> ok, I'll MIC it
[21:07:25] <yan> are there ppl in the session who would really like wildcards? what are their use cases?
[21:07:53] <yan> stefans: we've heard from a few people for whom that wouldn't work
[21:08:06] Rob Hamilton joins the room
[21:08:11] <yan> ex: randomly-generated domain names on the fly
[21:08:24] pde joins the room
[21:08:31] <Stefans> OK, would be interested to learn more about those cases.
[21:08:38] <pde> to answer Nick Sullivan's question...
[21:09:17] <Stefans> Makes sense
[21:09:21] <pde> I think it should be fine to have your central provisioning box make the ACME request, then (possibly) RPC out to the particular front end webserver to pass a challenge, if necessary
[21:09:24] <Joe Hall> (EKR was talking when I said that, so you may want to ping him and barnes off line)
[21:09:39] Hugo Kobayashi leaves the room
[21:09:39] <pde> In other words, when ekr said "we might have screwed it up".... I don't think we have
[21:09:43] hallam joins the room
[21:09:54] <Shaun Cooley> yan: with certs being free from some (or all?) CAs and available via an API, it seems like the need for wildcards is gone [my opinion]
[21:10:03] <Joe Hall> I suspect the cloudflare guy misunderstood what key was being sent and how often
[21:10:06] <yan> shaun, stefans: see https://github.com/letsencrypt/acme-spec/issues/64
[21:10:20] Mark Nottingham leaves the room
[21:10:32] <Stefans> Thanks
[21:11:03] <smemery> [Justin Richer] Any time you end up doing a self-signed certificate just to get an encryption/signing mechanism up and running, you've got a use case for bare keys like I was talking about here. ACME could, maybe, help with that, so could POSH.
[21:11:04] <Shaun Cooley> Thanks Yan.  That is certainly an interesting use case
[21:11:47] <Joe Hall> word up
[21:12:02] Rob Hamilton leaves the room
[21:12:09] <Aaron Zauner> or we let dane die
[21:12:13] <Aaron Zauner> :)
[21:12:20] <Stefans> I want this over DANE
[21:12:25] <Aaron Zauner> certainly
[21:12:26] Rob Hamilton joins the room
[21:12:40] <Aaron Zauner> I get why email people really want DANE
[21:12:53] <pde> As a co-author of this protocol,
[21:12:55] <hallam> If you want DANE then you want to use OmniPublish instead.
[21:13:10] <Stefans> What about letting the fittest survive :)
[21:13:16] <hallam> But DANE has unfortunately alienated their deployment constituency
[21:13:18] <richsalz> IMHO: if you know enough to be able to deploy dane, then you're not the target audience here
[21:13:19] <pde> I'd say that DANE does have some theoretical advantages over ACME,
[21:13:24] <pde> but they're 5+ years out
[21:13:47] <pde> and there are probably ways for us to add those security benefits down the road with ACME
[21:13:48] <hallam> PDE, no transition path
[21:14:28] <hallam> PDE, sure, if people set up a LRA inside their enterprise, connect it to their DNS server, it can automate everything.
[21:14:36] <Aaron Zauner> I think DANE is a dead end
[21:15:23] <Aaron Zauner> DANE is actually a really nice protocol, but it still builds on DNSSEC
[21:15:50] <hallam> DNSSEC is a dog that puts ICANN in charge as the root of roots with no way to replace them
[21:16:01] <Aaron Zauner> not only that
[21:16:12] <hallam> Unless they change that and let people specify their own root of trust it is dangerous
[21:16:12] <Aaron Zauner> TLDs as well
[21:16:21] Mark Nottingham joins the room
[21:16:23] <pde> though hallam, ICANN is already in control of all DV
[21:16:32] <pde> so I don't think that's in any way a point against DANE
[21:16:42] <hallam> PDE, but the difference is validating against an ICANN key
[21:16:53] Sean Turner leaves the room
[21:16:53] Joe Hall leaves the room
[21:16:53] Aaron Falk leaves the room
[21:17:17] <hallam> If ICANN screw up even more without DNSSEC, say they hike the price for DNS names to $1000/year to pay for the CEO's bigger yacht
[21:17:20] rbarnes joins the room
[21:17:24] <Aaron Zauner> let me know when it's possible to resolve DANE/DNSSEC on linux :P
[21:17:52] <hallam> Today we have recourse. If there are a billion devices that have ICANN root keys embedded and checking against them then our switching costs are $billions
[21:18:06] Mark Nottingham leaves the room
[21:18:07] <Stefans> hummm
[21:18:11] <Aaron Zauner> *read*
[21:18:21] <Shaun Cooley> (Y)
[21:18:24] <Stefans> hand
[21:18:25] <Aaron Zauner> *on the mailing list*
[21:18:37] <hallam> AZ, kind of sad even Linux does not have that today.
[21:19:05] <Aaron Zauner> after 15yrs of talk about DNSSEC
[21:19:07] <Randy Bush> hummmmm
[21:19:08] <Shaun Cooley> hummmmm
[21:19:08] <Stefans> hummmm
[21:19:10] <Jim Bieda> hummmmm
[21:19:12] <Aaron Zauner> hummmmm
[21:20:06] rbarnes leaves the room
[21:20:09] <Stefans> We should revive PKIX and do it there :D
[21:20:19] rbarnes joins the room
[21:20:21] <pde> Can someone in the room vote for another BOF for me, please?
[21:20:24] <Shaun Cooley> charter: hummmmm
[21:20:33] <Shaun Cooley> [early]
[21:20:45] rbarnes leaves the room
[21:21:12] <pde> Adam Langley more or less has my point -- we'd want to get one working implementation before standardisation
[21:21:22] <Aaron Zauner> yep +1
[21:21:25] rbarnes joins the room
[21:21:40] <Stefans> +1
[21:22:01] hallam leaves the room
[21:22:06] <Stefans> hummmm
[21:22:06] <Shaun Cooley> wg+: hummmmm
[21:22:09] rbarnes leaves the room
[21:22:10] rbarnes joins the room
[21:22:10] <Jim Bieda> hummmmm
[21:22:12] Rob Hamilton leaves the room
[21:22:14] Kathleen Moriarty leaves the room
[21:22:17] rbarnes leaves the room
[21:22:17] Steve Olshansky leaves the room
[21:22:20] <Aaron Zauner> thanks for the BOF
[21:22:24] Meetecho leaves the room
[21:22:27] Randy Bush leaves the room
[21:22:30] wilma leaves the room
[21:22:30] Linhui Sun leaves the room
[21:22:31] jcooter leaves the room
[21:22:41] Jim Bieda leaves the room
[21:22:46] Shaun Cooley leaves the room
[21:23:23] Valery Smyslov leaves the room
[21:24:26] Dan Wing leaves the room
[21:24:50] Aaron Zauner leaves the room
[21:24:51] Cullen Jennings leaves the room
[21:24:56] Gabriel Montenegro leaves the room
[21:25:23] sftcd leaves the room
[21:25:33] yan leaves the room
[21:25:41] Stefan Santesson leaves the room
[21:26:44] Karen O'Donoghue leaves the room
[21:28:43] jcooter joins the room
[21:28:49] jcooter leaves the room
[21:31:18] smemery leaves the room
[21:31:23] hildjj leaves the room
[21:33:08] richsalz joins the room
[21:35:17] YI Zheng leaves the room
[21:37:23] wseltzer leaves the room
[21:37:27] richsalz leaves the room
[21:39:02] richsalz joins the room
[21:42:01] Aaron Falk joins the room
[21:42:36] richsalz leaves the room
[21:43:12] Steve Olshansky joins the room
[21:43:36] hallam joins the room
[21:45:20] hallam leaves the room
[21:45:29] richsalz leaves the room
[21:46:20] Aaron Falk leaves the room
[21:48:52] rbarnes joins the room
[21:49:36] rbarnes leaves the room
[21:49:48] rbarnes joins the room
[21:49:55] rbarnes leaves the room
[21:50:18] Stefans leaves the room: Disconnected: closed
[21:50:56] Joe Hall joins the room
[21:51:13] <Joe Hall> sorry xmpp.rg.net kicked me off and takes forever to reauth…
[21:51:13] Joe Hall leaves the room
[21:52:00] Dan Wing joins the room
[21:52:23] Steve Olshansky leaves the room
[21:52:46] C Peters leaves the room
[21:52:53] Dan Wing leaves the room
[21:53:00] Dan Wing joins the room
[21:54:21] hallam joins the room
[21:54:52] Kathleen Moriarty joins the room
[21:54:57] hallam leaves the room
[21:55:00] Kathleen Moriarty leaves the room
[21:55:00] Steve Olshansky joins the room
[21:56:39] Karen O'Donoghue joins the room
[21:59:57] Sean Turner joins the room
[22:00:02] Dan Wing leaves the room
[22:01:14] Sean Turner leaves the room
[22:10:25] wseltzer joins the room
[22:10:31] hallam joins the room
[22:17:11] yzheng leaves the room
[22:19:44] richsalz joins the room
[22:19:58] richsalz leaves the room
[22:34:47] Stefans joins the room
[22:40:26] Karen O'Donoghue leaves the room
[22:41:37] hallam leaves the room
[22:42:30] Mark Nottingham joins the room
[22:42:57] Mark Nottingham leaves the room: Disconnected: closed
[22:43:08] Mark Nottingham joins the room
[22:45:14] Steve Olshansky joins the room
[22:45:24] Steve Olshansky leaves the room
[22:46:36] Steve Olshansky leaves the room
[22:50:40] Mark Nottingham leaves the room
[22:57:29] Ben Schumacher leaves the room
[23:03:31] Stefans leaves the room
[23:25:20] pde leaves the room