[Servercert-wg] Fw: New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt
Paul van Brouwershaven
Paul.vanBrouwershaven at entrust.com
Thu Jul 6 15:21:35 UTC 2023
I just submitted the initial draft for ACME auto-discovery to the ACME working group as discussed during the latest face-to-face meeting at the IETF.
We encourage everyone to provide feedback on the draft and to consider showing their support for this draft within the IETF. Your active participation and endorsement will contribute to the advancement and adoption of this proposal that is needed for the broader adoption of automation through ACME.
From: internet-drafts at ietf.org <internet-drafts at ietf.org>
Sent: Thursday, July 6, 2023 16:39
To: Mike Ounsworth <Mike.Ounsworth at entrust.com>; Paul van Brouwershaven <Paul.vanBrouwershaven at entrust.com>
Subject: [EXTERNAL] New Version Notification for draft-vanbrouwershaven-acme-auto-discovery-00.txt
A new version of I-D, draft-vanbrouwershaven-acme-auto-discovery-00.txt
has been successfully submitted by Paul van Brouwershaven and posted to the
Title: Auto-discovery mechanism for ACME client configuration
Document date: 2023-07-06
Group: Individual Submission
A significant impediment to the widespread adoption of the Automated
Certificate Management Environment (ACME) [RFC8555] is that ACME
clients need to be pre-configured with the URL of the ACME server to
be used. This often leaves domain owners at the mercy of their
hosting provider as to which Certification Authorities (CAs) can be
used. This specification provides a mechanism to bootstrap ACME
client configuration from a domain's DNS CAA Resource Record
[RFC8659], thus giving control of which CA(s) to use back to the
Specifically, this document specifies two new extensions to the DNS
CAA Resource Record: the "discovery" and "priority" parameters.
Additionally, it registers the URI "/.well-known/acme" at which all
compliant ACME servers will host their ACME directory object. By
retrieving instructions for the ACME client from the authorized
CA(s), this mechanism allows for the domain owner to configure
multiple CAs in either load-balanced or fallback prioritizations
which improves user preferences and increases diversity in
The IETF Secretariat
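To make the mechanism in the abstract concrete, here is an added example (not code from the draft, Entrust, or the mailing-list post) that turns a domain's CAA records into an ordered list of candidate ACME directory URLs built from the "/.well-known/acme" URI. The CAA parameter syntax (`discovery=true`, `priority=<n>` as `key=value` pairs after `;`, following the RFC 8659 property-value grammar) and the ordering rule (lower priority value tried first, equal values left in record order for load-balancing) are assumptions made for this example, not semantics taken from the draft.

```python
import re
from dataclasses import dataclass

WELL_KNOWN_ACME = "/.well-known/acme"  # URI the draft registers for ACME directories

@dataclass
class CAACandidate:
    ca_domain: str
    priority: int
    directory_url: str

# RFC 8659 presentation format: <flags> <tag> "<value>"
_CAA_RE = re.compile(r'^(?P<flags>\d+)\s+(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"$')

def parse_caa(record: str):
    """Parse one CAA line into (flags, tag, domain, params); params are the ';'-separated key=value pairs."""
    m = _CAA_RE.match(record.strip())
    if not m:
        raise ValueError(f"not a CAA record: {record!r}")
    parts = [p.strip() for p in m["value"].split(";")]
    domain, params = parts[0], {}
    for p in parts[1:]:
        if p:
            key, _, val = p.partition("=")
            params[key.strip().lower()] = val.strip()
    return int(m["flags"]), m["tag"].lower(), domain, params

def discover_acme_directories(records, wildcard=False):
    """Return CAs that are authorised AND opt in with discovery=true (assumed syntax),
    sorted by priority (assumed: lower first; ties keep record order so a client may load-balance)."""
    parsed = [parse_caa(r) for r in records]
    tag = "issuewild" if wildcard else "issue"
    if wildcard and not any(t == "issuewild" for _, t, _, _ in parsed):
        tag = "issue"  # RFC 8659: without issuewild, issue records govern wildcards too
    candidates = []
    for _flags, rec_tag, domain, params in parsed:
        if rec_tag != tag or not domain:  # an empty domain (";") forbids issuance
            continue
        if params.get("discovery", "").lower() != "true":
            continue  # CA authorised but not opted in to auto-discovery
        try:
            prio = int(params.get("priority", "0"))
        except ValueError:
            continue  # malformed priority: skip rather than guess an order
        candidates.append(CAACandidate(domain, prio, f"https://{domain}{WELL_KNOWN_ACME}"))
    candidates.sort(key=lambda c: c.priority)  # stable sort keeps equal priorities in record order
    return candidates

SAMPLE_CAA = [  # constructed sample record set for a hypothetical example.com zone
    '0 issue "ca-a.example; discovery=true; priority=10"',
    '0 issue "ca-b.example; discovery=true; priority=20"',
    '0 issue "ca-c.example"',  # permitted to issue, but no discovery opt-in
    '0 issuewild "ca-d.example; discovery=true"',
    '0 iodef "mailto:security@example.com"',
]
```

Running `discover_acme_directories(SAMPLE_CAA)` yields ca-a.example then ca-b.example as fallback order, each with its `/.well-known/acme` directory URL; the wildcard lookup returns only ca-d.example.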