[Acme] ACME Account Management / Mutation / Transfers?

Christian Gartmann <cg@cyon.ch> Wed, 15 July 2015 14:57 UTC

Message-ID: <55A674C9.3010400@cyon.ch>
Date: Wed, 15 Jul 2015 16:57:13 +0200
From: Christian Gartmann <cg@cyon.ch>
To: acme@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/LU4OKhYW08PpfTjBS8JcHN3yDGc>
Subject: [Acme] ACME Account Management / Mutation / Transfers?
List-Id: Automated Certificate Management Environment <acme.ietf.org>

Hi there,

In the following, "ACME" refers to any capable ACME server 
integration (but first and foremost Let's Encrypt).

We're a web hosting company interested in providing our customers with a 
one-click Let's Encrypt / ACME solution. Since we're in control of the 
web server, customer data and DNS we can present the user with the TOS 
and do all the other stuff automatically afterwards.

So far this whole ACME thing sounds awesome and we've started 
implementing the auth challenge workflow successfully.

But:

We as a hosting company will have to integrate / recover ACME accounts 
into our infrastructure to communicate with their respective ACME 
accounts. This presents us with the following issues:

- How would a customer transfer his / her ACME account including all 
certificates if (s)he wants to move from another hoster to us? What's 
the general plan for ACME account transfers here?

- How does a customer transfer a certificate / general ACME resource 
from one ACME account to another?

- How is it possible to have one ACME account and use it with a couple 
of different hosting providers if you'd always have to regenerate a key 
pair and recover the account after switching hosters?

- How will payment be handled in the future if an existing cert provider 
implements ACME?

- Is it correct that in the future working with multiple ACME providers 
will mean working with multiple account key pairs / IDs etc.?

So in short: as long as an existing customer of ours does not possess an 
ACME account yet we're fine and dandy. The problem arises with longer 
term considerations and migration / mutation processes regarding 
existing ACME accounts.

-- 
Kind regards
  
Christian Gartmann
Developer
  
--
cyon GmbH, Aeschengraben 6, CH – 4051 Basel
Hotline: +41 800 840 840
https://www.cyon.ch