Re: [Acme] Current Charter language

Phillip Hallam-Baker <phill@hallambaker.com> Sat, 06 June 2015 18:05 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B53A1AC443 for <acme@ietfa.amsl.com>; Sat, 6 Jun 2015 11:05:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 4.123
X-Spam-Level: ****
X-Spam-Status: No, score=4.123 tagged_above=-999 required=5 tests=[BAYES_99=3.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MrHccBLW09Yw for <acme@ietfa.amsl.com>; Sat, 6 Jun 2015 11:05:44 -0700 (PDT)
Received: from mail-lb0-x22b.google.com (mail-lb0-x22b.google.com [IPv6:2a00:1450:4010:c04::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF7E71A3BA6 for <acme@ietf.org>; Sat, 6 Jun 2015 11:05:43 -0700 (PDT)
Received: by lbbtu8 with SMTP id tu8so45461108lbb.2 for <acme@ietf.org>; Sat, 06 Jun 2015 11:05:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=phN6B1lbZruw70eMfbRsysGa2RCRosTx+5o4w9FGQ6E=; b=PP2rEFHTaM4g9MFXlR3vHC09u60yMr97cq24jCPXq07fp+6vXfVtUCZ3M2ByWGP2zP kRtqTIAGanYfqmO8NBjmgaQKNdvbl0lILwh7uxgtXj6d5ueHShzXOSSDHePzZCEAnmM6 czQZB66fTKoB1RnybNm0kV21/4IBoPTE8vAVl++/IhRTNl2RMnhZCeZlUyQN9zP0uW91 /Tg3rPCFoTs2+d4W/DM+wlaB7iWSNYvaLBRg5JNeopxOYWfE6M8a/PT/FG9VwcyDY50Y Go+IjVTdX7wZ4l2UA9SMOBlriVado1h4DvImDiKUo3IzcqwJ4/mZJpYEBqh9+CdM+jGn XtNw==
MIME-Version: 1.0
X-Received: by 10.112.185.100 with SMTP id fb4mr8796246lbc.79.1433613942090; Sat, 06 Jun 2015 11:05:42 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.112.203.163 with HTTP; Sat, 6 Jun 2015 11:05:42 -0700 (PDT)
In-Reply-To: <CA+9kkMBvwLexviH97=dqj40-3-6i6+UMp7hFVzfCpY5_WJAaFQ@mail.gmail.com>
References: <CA+9kkMBvwLexviH97=dqj40-3-6i6+UMp7hFVzfCpY5_WJAaFQ@mail.gmail.com>
Date: Sat, 6 Jun 2015 14:05:42 -0400
X-Google-Sender-Auth: -XAGVqiS09rrhU552Gysf_4Ax38
Message-ID: <CAMm+LwjH5yt65mY+8M91udmpecK=SAnR7TDx7QMT4cTnDKf0Mw@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Ted Hardie <ted.ietf@gmail.com>
Content-Type: multipart/alternative; boundary=001a11c3ca22c372bf0517dd41b8
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/T7_cTdieAgO7oeikok8qkKRafUg>
Cc: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] Current Charter language
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Jun 2015 18:05:46 -0000

On Fri, May 15, 2015 at 12:48 PM, Ted Hardie <ted.ietf@gmail.com>; wrote:

> Okay, with the discussion so far, the charter looks like this:
>
> Automated Certificate Management Environment (ACME)
>
> Historically, issuance of certificates for Internet applications
> (e.g., web servers) has involved many manual identity validation steps
> by the certification authority (CA).  The ACME WG will specify
> conventions for automated X.509 certificate management, including
> validation of control over an identifier, certificate issuance,
> certificate renewal, and certificate revocation.  The initial focus of
> the ACME WG will be on domain name certificates (as used by web
> servers), but other uses of certificates can be considered as work
> progresses.
>
> ACME certificate management must allow the CA to verify, in an
> automated manner, that the party requesting a certificate has authority
> over the requested identifiers, including the subject and subject
> alternative names.  The processing must also confirm that the requesting
> party has access to the private key that corresponds to the public key
> that will appear in the certificate.  All of the processing must be done
> in a manner that is compatible with common service deployment
> environments, such as hosting environments.
>
> ACME certificate management must, in an automated manner, allow an
> authorized party to request revocation of a certificate.
>
> The ACME working group is specifying ways to automate certificate
> issuance, validation, revocation and renewal.  The ACME working
> group is not reviewing or producing certificate policies or
> practices.
>
> The starting point for ACME WG discussions shall be draft-barnes-acme.
>
> I think we know of two milestones now, a first draft-ietf and submitting
> the protocol draft for proposed standard.  To give dates for those, how
> about:
>
> Milestones:
>
> August 2015   Initial working group draft
> March 2016    Submit working group to IESG as Proposed Standard
>
> Any other obvious edits needed?
>
>
I think the charter should say 'a starting point' rather than 'the'. The
reason I have not been pushing my OmniPublish spec was that IETF has done
cert reg so many times before I hesitated to make the proposal.

For me the most important thing in ACME is that it is designed to support
the needs of 'TLS everywhere'.

TLS everywhere requires us to have an automated process for cert management
and renewal which in turn requires us to have a process for automating
validation.

Right now we are looking at just the traditional use case of user starts a
Web Site on their machine, wants a cert for it. Which is obviously the
lowest hanging fruit.

If we are going to fully satisfy TLS everywhere we have to support
mechanisms that allow embedded devices to acquire certs both automatically
and with local admin override.

So I am happy with a timeline that says deliver something in March 2016 but
I think we have to expect to do more if we are going to fully support TLS
everywhere.