Re: [Acme] Add a special token parameter in ACME registration

"Andy Ligg" <andy@startssl.com> Tue, 16 August 2016 15:07 UTC

From: Andy Ligg <andy@startssl.com>
To: "'J.C. Jones'" <jjones@mozilla.com>
References: <236F64DDDC83C742A24E89E6E215CFC7E4CFB7@mx3.startssl.com> <CAObDDPAEaiWE0Apao_sWin2njhC+CjQuw1D07upTsn4=BQQZnQ@mail.gmail.com>
In-Reply-To: <CAObDDPAEaiWE0Apao_sWin2njhC+CjQuw1D07upTsn4=BQQZnQ@mail.gmail.com>
Date: Tue, 16 Aug 2016 23:07:29 +0800
Message-ID: <00f401d1f7cf$e95a1160$bc0e3420$@startssl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/291wxDZpzx7P2gVNgU0cWfNDpt8>
Cc: Acme@ietf.org
Subject: Re: [Acme] Add a special token parameter in ACME registration

Currently we call it an API token if you want to use StartAPI; it is a string like this: tk_dc09cfc9aff5409ea98227e212858669.

We use this API Token together with the API authentication certificate to call our API.

So if we can add this API token to the ACME registration, then we can bind this customer to his/her StartSSL account, and then we know his/her account validation level and can issue the SSL certificate with the correct validation level. If his/her account has Class 4 validation, then we can issue an EV SSL certificate.

No more changes are needed in the ACME protocol, but for more flexibility we can add a cert type parameter to let Class 4 validated subscribers choose to issue EV SSL, OV SSL and DV SSL.

Please advise, thanks.

Andy

From: J.C. Jones [mailto:jjones@mozilla.com] 
Sent: Monday, August 15, 2016 11:53 PM
To: Andy Ligg <andy@startssl.com>
Cc: Acme@ietf.org
Subject: Re: [Acme] Add a special token parameter in ACME registration

Hi Andy,

I'm not sure I follow exactly what the format of this token would be, or what message(s) in the protocol you'd like to add it to. Perhaps you can make some specific recommendations - even if they're tentative examples - for the WG to look at and reason through?

Thanks!

J.C.

On Sun, Aug 14, 2016 at 9:10 PM, Andy Ligg <andy@startssl.com> wrote:

Hi all,

StartCom plans to use the ACME protocol for StartEncrypt. We need to identify the client's validation level, so the subscriber administration can generate a special token in the StartSSL.com account and send this token to the email address used in the ACME registration.

At registration, the user needs to enter the email and this token together with the certificate to let the CA system know this customer's validation level.
After the CA system receives the email, the token and the signing certificate, the CA system knows what type of certificate we can issue to this client; if this client account is class 4 validated, then the client can get an EV SSL certificate, not DV SSL.
Please add this as a parameter to the ACME protocol, thanks.

Best Regards,

Andy Ligg
StartCom
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
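The binding Andy proposes in this thread (an API token, checked together with the API authentication certificate and the registration e-mail, deciding which certificate type the account may request) sketched as CA-side code. This is an added illustration written for this thread; it is not StartCom's code nor that of any ACME implementation. Assumptions not in the thread: the payload field names `apiToken` and `certType`, the account table, the policy that only Class 4 accounts may choose EV and every other class gets DV, and that the TLS layer supplies the hex SHA-256 fingerprint of the client certificate. The token value is the one quoted in the thread; the second token, the fingerprints and the contact addresses are constructed.

```python
"""Illustration of how a CA could bind an ACME new-registration to a
validated account using the proposed API token.

Added example for this thread, not StartCom's or any ACME implementation's
code. Assumed (not in the thread): the field names "apiToken" and
"certType", the account table, the class-to-certificate-type policy, and
that the TLS layer hands us the client certificate fingerprint.
"""
import hashlib
import hmac
import re

# Token shape taken from the example quoted in the thread: "tk_" + 32 hex chars.
TOKEN_RE = re.compile(r"tk_[0-9a-f]{32}")

# Assumed policy: a Class 4 account may choose EV, OV or DV (as proposed in
# the thread); every other class is limited to DV in this illustration.
CLASS_4_CERT_TYPES = frozenset({"EV", "OV", "DV"})
DEFAULT_CERT_TYPES = frozenset({"DV"})

# Error type URNs follow the ACME v1-era "urn:acme:error:" namespace.
MALFORMED = "urn:acme:error:malformed"
UNAUTHORIZED = "urn:acme:error:unauthorized"


def token_digest(token: str) -> str:
    """SHA-256 of the bearer token; the CA stores only this, never the token."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


# Constructed account table, keyed by token digest. Fingerprints and e-mail
# addresses are placeholders; the first token is the one quoted in the thread.
CLASS4_TOKEN = "tk_dc09cfc9aff5409ea98227e212858669"
CLASS2_TOKEN = "tk_" + "0" * 32          # constructed
CLASS4_CERT_FP = "ab" * 32               # constructed hex SHA-256 fingerprint
CLASS2_CERT_FP = "cd" * 32               # constructed hex SHA-256 fingerprint
ACCOUNTS = {
    token_digest(CLASS4_TOKEN): {"id": "acct-class4", "email": "class4@example.com",
                                 "validation_class": 4, "api_cert_fingerprint": CLASS4_CERT_FP},
    token_digest(CLASS2_TOKEN): {"id": "acct-class2", "email": "class2@example.com",
                                 "validation_class": 2, "api_cert_fingerprint": CLASS2_CERT_FP},
}


def problem(type_urn: str, detail: str) -> dict:
    """Problem-document style rejection, the way ACME reports errors."""
    return {"ok": False, "type": type_urn, "detail": detail}


def bind_registration(payload: dict, presented_cert_fingerprint: str) -> dict:
    """Check apiToken + API certificate + contact e-mail, then gate certType.

    Returns {"ok": True, ...} with the bound account and the permitted types,
    or a problem document. `presented_cert_fingerprint` is the hex SHA-256 of
    the client certificate the ACME client authenticated with.
    """
    token = payload.get("apiToken")
    if not isinstance(token, str) or not TOKEN_RE.fullmatch(token):
        return problem(MALFORMED, "apiToken missing or malformed")

    account = ACCOUNTS.get(token_digest(token))
    if account is None:
        return problem(UNAUTHORIZED, "apiToken not recognised")

    # The token is only valid together with the account's API certificate.
    if not hmac.compare_digest(account["api_cert_fingerprint"], presented_cert_fingerprint):
        return problem(UNAUTHORIZED, "API certificate does not belong to the token's account")

    # The registration contact must be the address the token was sent to.
    if f"mailto:{account['email']}" not in payload.get("contact", []):
        return problem(UNAUTHORIZED, "registration contact does not match the account")

    allowed = CLASS_4_CERT_TYPES if account["validation_class"] == 4 else DEFAULT_CERT_TYPES
    cert_type = payload.get("certType", "DV")
    if cert_type not in allowed:
        return problem(UNAUTHORIZED,
                       f"certType {cert_type!r} not permitted for class {account['validation_class']}")

    return {"ok": True, "account": account["id"], "validation_class": account["validation_class"],
            "cert_type": cert_type, "allowed_cert_types": sorted(allowed)}


def new_reg(token: str, email: str, cert_type: str) -> dict:
    """Build a new-registration payload carrying the hypothetical fields."""
    return {"resource": "new-reg", "contact": [f"mailto:{email}"],
            "apiToken": token, "certType": cert_type}


if __name__ == "__main__":
    print(bind_registration(new_reg(CLASS4_TOKEN, "class4@example.com", "EV"), CLASS4_CERT_FP))
    print(bind_registration(new_reg(CLASS2_TOKEN, "class2@example.com", "EV"), CLASS2_CERT_FP))
```

The table stores only a digest of the token, so a leaked account database does not hand out usable tokens, and the fingerprint comparison is constant-time. A token that matches the expected shape but is unknown is rejected with the same error type as a token whose certificate or contact does not match, so the response does not tell a caller which of the three factors was wrong.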