Re: [Acme] Sending documents or arbitrary files via ACME from server to client?

Ted Hardie <ted.ietf@gmail.com> Mon, 13 July 2015 16:19 UTC

Return-Path: <ted.ietf@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FA1B1A0194 for <acme@ietfa.amsl.com>; Mon, 13 Jul 2015 09:19:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vU9tq7ZHObJA for <acme@ietfa.amsl.com>; Mon, 13 Jul 2015 09:19:08 -0700 (PDT)
Received: from mail-wi0-x22c.google.com (mail-wi0-x22c.google.com [IPv6:2a00:1450:400c:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D4071A0169 for <acme@ietf.org>; Mon, 13 Jul 2015 09:19:07 -0700 (PDT)
Received: by wibud3 with SMTP id ud3so1104917wib.0 for <acme@ietf.org>; Mon, 13 Jul 2015 09:19:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=/oJYx6cRLYsEkke2yXfp+1MD0LupvnDvUiEQi7wcuik=; b=TeYOgflBNIaLYdj9fLODutmj+NZ/8dO0P7N4M70wvDS/ktb5RBvKdOAn8CI8Qt52t2 dhOz8dRj/fulKA0EjyVkAaaePvwcdF7Nf1zsHnjdi99pzx9EShUGcYLhKOOgMN+B3wlz UBOneABWSOmmPTEj3qqqt2wtNcIS3tY5ffNUpgECDpQxSh6F4pawAtrj3uNLcg8TFc8M AiffWPJd+g6cl7Yi6L2QHdisbm8ejanHgflgzl7mCEDND81jItZxmqh8mw9Yj4rUdYBY TaKga+oeKKyCbNw4RR50ejjFw8AWd1VvQqfkSEDHuEJTft7fdSaj5jQlTBsd9LrAqXC9 QeLA==
MIME-Version: 1.0
X-Received: by 10.180.188.176 with SMTP id gb16mr23750509wic.18.1436804346369; Mon, 13 Jul 2015 09:19:06 -0700 (PDT)
Received: by 10.194.17.68 with HTTP; Mon, 13 Jul 2015 09:19:06 -0700 (PDT)
In-Reply-To: <55A39567.7030602@dfn-cert.de>
References: <55A39567.7030602@dfn-cert.de>
Date: Mon, 13 Jul 2015 09:19:06 -0700
Message-ID: <CA+9kkMCtBwcACE_jusOuY5C7HSi+8VOJxNOF6f4tqm0B3_NnnQ@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
To: "Reimer Karlsen-Masur, DFN-CERT" <karlsen-masur@dfn-cert.de>
Content-Type: multipart/alternative; boundary=001a11c261a2ad5ce3051ac414c3
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/VEh4RM8N8fz_LxQWxLFr-kJbt3g>
Cc: "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] Sending documents or arbitrary files via ACME from server to client?
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2015 16:19:10 -0000

On Mon, Jul 13, 2015 at 3:39 AM, Reimer Karlsen-Masur, DFN-CERT <
karlsen-masur@dfn-cert.de>; wrote:

> Hi,
>
> I read the latest draft-barnes-acme-03.txt and have a question:
>
> Is there an option for the ACME server to "send" or provide the ACME client
> a file, e.g. a PDF document that contains an invoice, contract, form etc. I
> think this is not possible with the current draft ACME spec but I want to
> be
> sure that I have not overseen that option.
>
>
I understand that the ACME server could email such a file/document to the
> email address that is associated with the registration object, but that
> seems out of band to the ACME protocol and I'd like to avoid OoB
> communication.
>
>
​The document currently has this text:

      The ACME client periodically contacts the CA to get updated
      certificates, stapled OCSP responses, or whatever else would be
      required to keep the server functional and its credentials up-to-
      date.

​
I suppose a bill or contract could fall under this rubric.  That's a
pull-based, rather than push-based mechanism, though, and I'm not sure what
your actual requirements are, as the email mechanism looks to me like it
should work unless the client loses access to the email address (which
obviously has other problems).

Can you unpack your concern a bit?  Do you need this to work before the
cert is issued so that receipt of payment is required before issuance, for
example?  That's going to get complicated pretty fast, honestly, so I'm not
sure it would be in scope.

regards,

Ted



> Any insight is much appreciated, thanks,
>
> Reimer
>
>
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>
>