Re: [Acme] Add a special token parameter in ACME registration

Jacob Hoffman-Andrews <jsha@eff.org> Mon, 15 August 2016 16:34 UTC

To: "J.C. Jones" <jjones@mozilla.com>, Andy Ligg <andy@startssl.com>
References: <236F64DDDC83C742A24E89E6E215CFC7E4CFB7@mx3.startssl.com> <CAObDDPAEaiWE0Apao_sWin2njhC+CjQuw1D07upTsn4=BQQZnQ@mail.gmail.com>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <d729f81d-44a7-7e64-a528-a43df5e6dd69@eff.org>
Date: Mon, 15 Aug 2016 09:34:51 -0700
In-Reply-To: <CAObDDPAEaiWE0Apao_sWin2njhC+CjQuw1D07upTsn4=BQQZnQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/TNtACVBmu7lNIXe_73Spgfu28iw>
Cc: "Acme@ietf.org" <Acme@ietf.org>
Subject: Re: [Acme] Add a special token parameter in ACME registration

One possibility would be to make it the client's responsibility to request
EV by including the desired O, OU, etc. fields in the Subject DN of the
CSR. It would then be the server's responsibility to accept or reject
the request based on whether the account has a sufficient validation
level (and payment).

One of the big open questions in ACME is how paid CAs will manage the
connection between existing accounts and accounts as defined by ACME. It
sounds like that's a need you're likely to have. Do you have any
particular ideas about how you'd like to manage it?

On 08/15/2016 08:53 AM, J.C. Jones wrote:
> Hi Andy,
>
> I'm not sure I follow exactly what the format of this token would be,
> or what message(s) in the protocol you'd like to add it to. Perhaps
> you can make some specific recommendations - even if they're tentative
> examples - for the WG to look at and reason through?
>
> Thanks!
> J.C.
>
> On Sun, Aug 14, 2016 at 9:10 PM, Andy Ligg <andy@startssl.com
> <mailto:andy@startssl.com>> wrote:
>
>     Hi all,
>
>     StartCom plans to use the ACME protocol for StartEncrypt. We need to
>     identify the client's validation level, so the subscriber
>     administration can generate a special token in the StartSSL.com
>     account and send this token to the email address used in the ACME
>     registration.
>
>     At registration, the user needs to enter the email and this token with
>     the certificate to let the CA system know this customer's
>     validation level.
>     After the CA system receives the email, the token and the signing
>     certificate, the CA system knows what type of certificate we can issue
>     to this client; if this client account is class 4 validated, then
>     the client can get an EV SSL certificate, not DV SSL.
>     Please add this as a parameter to the ACME protocol, thanks.
>
>     Best Regards,
>
>     Andy Ligg
>     StartCom
>     _______________________________________________
>     Acme mailing list
>     Acme@ietf.org <mailto:Acme@ietf.org>
>     https://www.ietf.org/mailman/listinfo/acme
>     <https://www.ietf.org/mailman/listinfo/acme>
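As an added illustration of the CSR-based approach Jacob sketches above (example code written for this archive page, not code from the thread, from StartCom or from any ACME implementation): the server infers the requested profile from the Subject DN attributes, compares it with the account's validation class, and also checks that the organisation named in the CSR is the one the CA actually validated. The field sets, class-to-profile table and the `Account` record are assumptions; only "class 4 => EV" comes from Andy's message.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Subject DN attributes that only make sense for a validated organisation
# (assumed sets; a real CA would align them with its CP/CPS).
OV_FIELDS = {"O", "OU", "L", "ST"}
EV_FIELDS = {"businessCategory", "jurisdictionC", "serialNumber"}

# Hypothetical mapping from account validation class to the highest
# profile it may obtain; "4 -> EV" is the only value taken from the thread.
CLASS_TO_PROFILE = {1: "DV", 2: "OV", 3: "OV", 4: "EV"}
RANK = {"DV": 0, "OV": 1, "EV": 2}


@dataclass
class Account:
    validation_class: int                 # e.g. 4 for "class 4 validated"
    validated_org: Optional[str] = None   # organisation name the CA verified
    paid: bool = True                     # payment status for paid profiles


def requested_profile(subject: dict) -> str:
    """Infer which profile the client is asking for from its Subject DN."""
    keys = set(subject)
    if keys & EV_FIELDS:
        return "EV"
    if keys & OV_FIELDS:
        return "OV"
    return "DV"


def decide(subject: dict, account: Account) -> Tuple[str, str]:
    """Return ('issue', profile) or ('reject', reason) for a CSR subject."""
    wanted = requested_profile(subject)
    allowed = CLASS_TO_PROFILE.get(account.validation_class, "DV")
    if RANK[wanted] > RANK[allowed]:
        return "reject", (f"account class {account.validation_class} "
                          f"permits {allowed}, CSR asks for {wanted}")
    if wanted == "EV" and not account.paid:
        return "reject", "EV issuance requires payment"
    if wanted != "DV":
        # The O in the CSR must be exactly the organisation the CA validated;
        # otherwise one validated account could obtain org-branded
        # certificates naming other companies.
        if subject.get("O") != account.validated_org:
            return "reject", "subject O does not match validated organisation"
    return "issue", wanted
```

Note that an account with a sufficient class is still refused when the CSR names a different organisation; the validation level alone is not enough to authorise the Subject DN.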