Re: [Acme] Fwd: New Version Notification for draft-mattsson-acme-use-cases-00.txt

Bernd Eckenfels <ecki@zusammenkunft.net> Tue, 10 March 2015 00:04 UTC

Date: Tue, 10 Mar 2015 01:04:15 +0100
From: Bernd Eckenfels <ecki@zusammenkunft.net>
To: acme@ietf.org
Message-ID: <20150310010415.000059e3.ecki@zusammenkunft.net>
In-Reply-To: <54FE12A8.8090108@comodo.com>
References: <20150309195754.10053.23071.idtracker@ietfa.amsl.com> <A8DC2625-13D7-4DDF-A4F0-DD288495DBEF@ericsson.com> <54FE12A8.8090108@comodo.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/CY1eQef1uvZ5ZCprhil92BiuilA>
Subject: Re: [Acme] Fwd: New Version Notification for draft-mattsson-acme-use-cases-00.txt

Hello,

I don't think it is a good idea to add any functionality which tries to
move/copy the private key (and with some hardware protection it should
also not be possible). And it is not really needed. Just request a new one.

The ACME credentials might be transported, but I am not sure you want
to do that via untrusted (ACME) servers...

Regards,
Bernd


On Mon, 09 Mar 2015 21:37:44 +0000, Rob Stradling
<rob.stradling@comodo.com> wrote:

> John, how would a "newly deployed HTTPS server replacing or 
> complementing an existing HTTPS server" obtain a copy of the private
> key that is associated with the "existing certificate" that it
> desires to "import" ?
> 
> IINM, whilst the current ACME draft handles proving possession of a 
> private key, there's no mechanism for backing up a private key to an 
> ACME server and/or for transferring a private key from one ACME
> client to another ACME client.
> Do you think ACME should provide these facilities?
> If not, is there any real gain to adding your proposed "Certificate 
> Download" function, given that there would presumably be just as many 
> "people flying back and forth just to manually transfer" private keys?
> 
> Thanks.
> 
> On 09/03/15 20:37, John Mattsson wrote:
> > Hi all,
> >
> > I strongly support the ACME work. Certificate management is
> > something that really benefits from standardization and
> > automatization.
> >
> > We have some additional use cases that we think should be included
> > and that clearly fall into the ACME use case "obtaining
> > certificates for Web sites".
> >
> > I wrote a short draft that illustrates the scenarios. Please
> > comment. Would be happy to give a short (5min?) presentation at the
> > BoF.
> >
> > Cheers,
> >
> > John
> >
> >> Begin forwarded message:
> >>
> >> From: <internet-drafts@ietf.org>
> >> To: John Mattsson <john.mattsson@ericsson.com>,
> >> John Mattsson <john.mattsson@ericsson.com>,
> >> Robert Skog <robert.skog@ericsson.com>,
> >> "Robert Skog" <robert.skog@ericsson.com>
> >> Subject: New Version Notification for draft-mattsson-acme-use-cases-00.txt
> >> Date: 9 Mar 2015 20:57:54 CET
> >>
> >>
> >> A new version of I-D, draft-mattsson-acme-use-cases-00.txt
> >> has been successfully submitted by John Mattsson and posted to the
> >> IETF repository.
> >>
> >> Name: draft-mattsson-acme-use-cases
> >> Revision: 00
> >> Title: Additional Use Cases for Automatic Certificate Management (ACME)
> >> Document date: 2015-03-09
> >> Group: Individual Submission
> >> Pages: 6
> >> URL: http://www.ietf.org/internet-drafts/draft-mattsson-acme-use-cases-00.txt
> >> Status: https://datatracker.ietf.org/doc/draft-mattsson-acme-use-cases/
> >> Htmlized: http://tools.ietf.org/html/draft-mattsson-acme-use-cases-00
> >>
> >>
> >> Abstract:
> >>   Contacting a CA is just one way in which a newly deployed HTTPS
> >>   server can get hold of the certificate to use.  This document
> >>   describes additional (and common) use cases that fall into the
> >>   major guiding use case for ACME as stated by [I-D.barnes-acme],
> >>   "obtaining certificates for Web sites".
> >>
> >> Please note that it may take a couple of minutes from the time of
> >> submission until the htmlized version and diff are available at
> >> tools.ietf.org.
> >>
> >> The IETF Secretariat
> >>