Re: [Acme] Fwd: New Version Notification for draft-mattsson-acme-use-cases-00.txt

Rob Stradling <rob.stradling@comodo.com> Tue, 10 March 2015 10:50 UTC

Message-ID: <54FECC6E.7040609@comodo.com>
Date: Tue, 10 Mar 2015 10:50:22 +0000
From: Rob Stradling <rob.stradling@comodo.com>
To: Bernd Eckenfels <ecki@zusammenkunft.net>, acme@ietf.org
References: <20150309195754.10053.23071.idtracker@ietfa.amsl.com> <A8DC2625-13D7-4DDF-A4F0-DD288495DBEF@ericsson.com> <54FE12A8.8090108@comodo.com> <20150310010415.000059e3.ecki@zusammenkunft.net>
In-Reply-To: <20150310010415.000059e3.ecki@zusammenkunft.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/1xSifXKCbCXFtkAG2eENqsoR_Ss>
Subject: Re: [Acme] Fwd: New Version Notification for draft-mattsson-acme-use-cases-00.txt

On 10/03/15 00:04, Bernd Eckenfels wrote:
> Hello,
>
> I don't think it is a good idea to add any functionality which tries to
> move/copy the private key (and with some hardware protection it should
> also not be possible). And it is not really needed. Just request a new one.
>
> The ACME credentials might be transported, but I am not sure you want
> to do that via untrusted (ACME) servers...

Hi Bernd.  I agree, but I'd be interested to hear John's point of view.

IIUC, John's motivation is (emphasis mine)...
   "A newly deployed HTTPS server replacing or complementing an existing
    HTTPS server should import an existing certificate *instead of buying
    a new*"

I'd like to think that there could be better ways (than moving/copying 
private keys) to avoid having to buy a new cert for each server.  e.g. 
Perhaps some CAs might be willing to charge you for your first cert for 
x.y.com, but then let you have additional certs for the same domain name 
for free (as long as you authenticate with the same ACME credentials 
each time).

> Gruss
> Bernd
>
>
>   Am Mon, 09 Mar 2015 21:37:44 +0000 schrieb Rob Stradling
> <rob.stradling@comodo.com>:
>
>> John, how would a "newly deployed HTTPS server replacing or
>> complementing an existing HTTPS server" obtain a copy of the private
>> key that is associated with the "existing certificate" that it
>> desires to "import" ?
>>
>> IINM, whilst the current ACME draft handles proving possession of a
>> private key, there's no mechanism for backing up a private key to an
>> ACME server and/or for transferring a private key from one ACME
>> client to another ACME client.
>> Do you think ACME should provide these facilities?
>> If not, is there any real gain to adding your proposed "Certificate
>> Download" function, given that there would presumably be just as many
>> "people flying back and forth just to manually transfer" private keys?
>>
>> Thanks.
>>
>> On 09/03/15 20:37, John Mattsson wrote:
>>> Hi all,
>>>
>>> I strongly support the ACME work. Certificate management is
>>> something that really benefits from standardization and
>>> automatization.
>>>
>>> We have some additional use cases that we think should be included
>>> and that clearly fall into the ACME use case "obtaining
>>> certificates for Web sites".
>>>
>>> I wrote a short draft that illustrates the scenarios. Please
>>> comment. Would be happy to give a short (5min?) presentation at the
>>> BoF.
>>>
>>> Cheers,
>>>
>>> John
>>>
>>>> Begin forwarded message:
>>>>
>>>> From: <internet-drafts@ietf.org>
>>>> To: John Mattsson <john.mattsson@ericsson.com>, John Mattsson
>>>> <john.mattsson@ericsson.com>, Robert Skog <robert.skog@ericsson.com>,
>>>> "Robert Skog" <robert.skog@ericsson.com>
>>>> Subject: New Version Notification for draft-mattsson-acme-use-cases-00.txt
>>>> Date: 9 Mar 2015 20:57:54 CET
>>>>
>>>>
>>>> A new version of I-D, draft-mattsson-acme-use-cases-00.txt
>>>> has been successfully submitted by John Mattsson and posted to the
>>>> IETF repository.
>>>>
>>>> Name: draft-mattsson-acme-use-cases
>>>> Revision: 00
>>>> Title: Additional Use Cases for Automatic Certificate Management (ACME)
>>>> Document date: 2015-03-09
>>>> Group: Individual Submission
>>>> Pages: 6
>>>> URL: http://www.ietf.org/internet-drafts/draft-mattsson-acme-use-cases-00.txt
>>>> Status: https://datatracker.ietf.org/doc/draft-mattsson-acme-use-cases/
>>>> Htmlized: http://tools.ietf.org/html/draft-mattsson-acme-use-cases-00
>>>>
>>>>
>>>> Abstract:
>>>>    Contacting a CA is just one way in which a newly deployed HTTPS
>>>>    server can get hold of the certificate to use.  This document
>>>>    describes additional (and common) use cases that fall into the
>>>> major guiding use case for ACME as stated by [I-D.barnes-acme],
>>>> "obtaining certificates for Web sites".
>>>>
>>>> Please note that it may take a couple of minutes from the time of
>>>> submission until the htmlized version and diff are available at
>>>> tools.ietf.org <http://tools.ietf.org>.
>>>>
>>>> The IETF Secretariat
>>>>
>>> _______________________________________________
>>> Acme mailing list
>>> Acme@ietf.org
>>> https://www.ietf.org/mailman/listinfo/acme
>>>
>>
>

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com
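The alternative both Bernd and Rob point at, generating a fresh key on each new server and letting the CA check proof of possession rather than moving an existing private key, can be shown concretely. The following is an added example written for this archive page; it is not code from the thread, from the ACME draft, or from any ACME client. It uses only the Go standard library, and the `Enrollment` type, the function names and the hostname `x.y.com` (taken from Rob's example) are assumptions made here. The CA-side `VerifyPossession` check is a minimal illustration of what a CSR signature proves, not the ACME protocol's own challenge flow.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

// Enrollment is what one newly deployed HTTPS server produces on its own:
// a private key that never leaves the host and a CSR it can submit to the CA.
// (Hypothetical type for this example; not from the ACME draft.)
type Enrollment struct {
	Key *ecdsa.PrivateKey
	CSR *x509.CertificateRequest
}

// NewEnrollment generates a fresh P-256 key locally and signs a CSR for hostname.
// Nothing here reads, copies or exports a key from any other server, which is
// the same constraint a non-exportable hardware-backed key would impose.
func NewEnrollment(hostname string) (*Enrollment, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: hostname},
		DNSNames: []string{hostname},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	return &Enrollment{Key: key, CSR: csr}, nil
}

// CSRPEM is the only artifact the server has to transmit to the CA.
func (e *Enrollment) CSRPEM() string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: e.CSR.Raw}))
}

// VerifyPossession is the CA-side check: a CSR whose signature verifies under
// the embedded public key proves the requester holds the matching private key,
// and the requested name must be the one the account was authorized for.
func VerifyPossession(csr *x509.CertificateRequest, authorizedHost string) error {
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("proof of possession failed: %w", err)
	}
	if len(csr.DNSNames) != 1 || csr.DNSNames[0] != authorizedHost {
		return fmt.Errorf("CSR names %v are not the authorized host %q", csr.DNSNames, authorizedHost)
	}
	return nil
}

// DistinctKeys reports whether two enrollments for the same domain ended up
// with different public keys, i.e. no key material was shared between hosts.
func DistinctKeys(a, b *Enrollment) bool {
	return !a.Key.PublicKey.Equal(&b.Key.PublicKey)
}

func main() {
	// Two servers for the same site, each enrolling independently.
	first, err := NewEnrollment("x.y.com")
	if err != nil {
		panic(err)
	}
	second, err := NewEnrollment("x.y.com")
	if err != nil {
		panic(err)
	}
	for _, e := range []*Enrollment{first, second} {
		if err := VerifyPossession(e.CSR, "x.y.com"); err != nil {
			panic(err)
		}
	}
	fmt.Println("distinct keys:", DistinctKeys(first, second))
	fmt.Print(first.CSRPEM())
}
```

Each host keeps its own key and the CA sees only a CSR; whether the second certificate is billed or issued free under the same account is then purely a CA policy question, which is the point Rob raises above.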
