Re: [Acme] Considerations about ACME BoF

Scott Rea <Scott.Rea@DigiCert.com> Tue, 31 March 2015 08:22 UTC

Return-Path: <scott.rea@digicert.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C42E61AC3EC for <acme@ietfa.amsl.com>; Tue, 31 Mar 2015 01:22:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.212
X-Spam-Level:
X-Spam-Status: No, score=-4.212 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ytP41YnO-rf4 for <acme@ietfa.amsl.com>; Tue, 31 Mar 2015 01:22:16 -0700 (PDT)
Received: from mail.digicert.com (mail.digicert.com [64.78.193.232]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4EF511A1B87 for <acme@ietf.org>; Tue, 31 Mar 2015 01:22:16 -0700 (PDT)
Message-ID: <551A5937.1070608@DigiCert.com>
Date: Tue, 31 Mar 2015 02:22:15 -0600
From: Scott Rea <Scott.Rea@DigiCert.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Yaron Sheffer <yaronf.ietf@gmail.com>, <acme@ietf.org>
References: <551569F6.8020507@openca.org> <55157164.80805@cs.tcd.ie> <5519A5B6.9010707@DigiCert.com> <551A162F.9020105@gmail.com>
In-Reply-To: <551A162F.9020105@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [63.248.148.11]
X-ClientProxiedBy: EX2.corp.digicert.com (10.12.0.6) To EX2.corp.digicert.com (10.12.0.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/Hj0FNSfd7p5T6AHkpeIZ1xkZrnk>
Subject: Re: [Acme] Considerations about ACME BoF
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Mar 2015 08:22:17 -0000

G'day Yaron,

I will make 2 brief observations:

a) Max and I actually proposed some usability focused work around TLS
certs to the PKIX WG about 6 or 7 years ago, when PKIX was still going
strong, and we were told that usability is not the purvey of IETF, its
purely bits on the wire. So when did IETF morph from bits on the wire to
now include usability?

b) Getting a server certificate for a cloud server within seconds, and
with no manual intervention is possible today with a little scripting on
the server and an appropriate API from one of the existing CAs. If your
current provider cannot do that for you, then I suggest you shop around
a little.

Regards,
_Scott

On 3/30/2015 9:36 PM, Yaron Sheffer wrote:
>>>> *Overstepping the Technical Boundaries.* As it was pointed out during
>>>> the BoF, the proposed initiative does not address any technical issue,
>>>> but, instead, is pushing a specific BUSINESS model. I found very
>>>> inappropriate the examples of "I could not get my certificates in 45
>>>> minutes.." as this is a NON argument.
>>> With all due respect to Cullen, I agree:-) I think it's used as a
>>> humorous anecdote basically and I've seen that done in quite a few
>>> contexts in the IETF. But that one non-argument was raised is not
>>> a procedural issue for me.
>> I agree with Max that this should be a non-argument, and happy to hear
>> that you agree Stephen
>>>
>
> For me ACME is purely about usability, so Cullen's anecdote is
> actually the only thing that matters. As a user, I want to be able to
> get a server certificate for a cloud server within seconds, and with
> no manual intervention. And if that breaks someone's business model,
> so be it.
>
> And by the way, ACME with *email* certs could make S/MIME viable
> again, for those of us still using mail clients.
>
> Thanks,
>     Yaron

-- 
Scott Rea, MSc, CISSP
VP GOV/EDU Relations & Sr. PKI Architect
DigiCert, Inc.
2600 West Executive Parkway
Suite 500
Lehi, Utah 84043
http://www.digicert.com
(800) 896-7973

Em Scott@DigiCert.com
Ph#(801) 701-9636
Ce#(801) 874-4114