Re: [Acme] Considerations about ACME BoF

Phillip Hallam-Baker <> Tue, 31 March 2015 17:20 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id A3D311A1B8C for <>; Tue, 31 Mar 2015 10:20:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.423
X-Spam-Level: *
X-Spam-Status: No, score=1.423 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, LOTS_OF_MONEY=0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VJiW_GiKkSON for <>; Tue, 31 Mar 2015 10:20:29 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4010:c03::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3B4C61A1B74 for <>; Tue, 31 Mar 2015 10:20:29 -0700 (PDT)
Received: by lagg8 with SMTP id g8so18065069lag.1 for <>; Tue, 31 Mar 2015 10:20:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=6xkBFz+LYA9cHPUDVHwKvEGWYQDCvNphfOLdqmPfTpg=; b=05/3UgdK6AcejnlTZ7RCzRcEG3bqeXqnuqkRweD4/HUJ6sn3vySpdbB6wvtFtMbjWM 9tXoRcnUzI0A5Fb0WypuLC47Uqme+bCoTajifQvv+RIRzIkNkXNrwda0dfyxerfeo7mp t0QnBgULfx+5R7w+RyvjAlIsmqc4LKa4xubkjUcK9vN5ThcG35ZJWgm+GIZ0190ohTTu PqJsR9s5+v8JDMbdVWReH8L+mPVOVCxl837d+aCp9lAh0cRcl2L3JswFCpeRCpu172oB Kd/mFDi/fbvCl50LpM128B8jm7ho74LgjCgDuVM67lx4ac/7OkYatkfM2lyMjbeHW3+p O4Kg==
MIME-Version: 1.0
X-Received: by with SMTP id o13mr24955215lal.79.1427822427762; Tue, 31 Mar 2015 10:20:27 -0700 (PDT)
Received: by with HTTP; Tue, 31 Mar 2015 10:20:27 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <>
Date: Tue, 31 Mar 2015 13:20:27 -0400
X-Google-Sender-Auth: O6fQ0YGHCmZSYkziGczylLCKIfg
Message-ID: <>
From: Phillip Hallam-Baker <>
To: Yaron Sheffer <>
Content-Type: text/plain; charset=UTF-8
Archived-At: <>
Cc: Scott Rea <>, "" <>
Subject: Re: [Acme] Considerations about ACME BoF
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 31 Mar 2015 17:20:30 -0000

On Tue, Mar 31, 2015 at 11:03 AM, Yaron Sheffer <> wrote:
> Hi Scott,
> On 03/31/2015 01:22 AM, Scott Rea wrote:
>> G'day Yaron,
>> I will make 2 brief observations:
>> a) Max and I actually proposed some usability focused work around TLS
>> certs to the PKIX WG about 6 or 7 years ago, when PKIX was still going
>> strong, and we were told that usability is not the purvey of IETF, its
>> purely bits on the wire. So when did IETF morph from bits on the wire to
>> now include usability?
> The IETF works on bits on the wire that are necessary to achieve business
> goals. And those goals certainly include usability.
>> b) Getting a server certificate for a cloud server within seconds, and
>> with no manual intervention is possible today with a little scripting on
>> the server and an appropriate API from one of the existing CAs. If your
>> current provider cannot do that for you, then I suggest you shop around
>> a little.
> I tried that and failed, I guess I should try some more. But anyway, as a
> customer I would like a standard interface so that this "little scripting"
> doesn't lock me into a single vendor.

"with a little scripting".

You can protect the golden gate bridge as well, all it takes is "a
little paint".

The problem with "a little scripting" is that if you are serious about
code quality and maintenance it is never so simple. Who is going to be
responsible for this code? Who is going to maintain it? Where is it
going to sit in source control?

Before you can write one line of code, you have to read the
documentation and before you can do that you have to find out where it

Sure, it is not rocket science. But it is several hours worth of
effort and that means $3,000+ in a commercial environment and $1.4
million in the US Govt.

And before you start complaining that if people can't write code they
are incompetent etc, first recognize that working out whether someone
is competent or not is itself a very difficult proposition for a
manager and second go spend some time in a usability lab watching some
people trying to use computers to solve 'simple' problems. It is quite
an eye opener.

You will see folk fat fingering commands and looking up documentation
for stuff they think they do every day and know off by heart. But it
isn't actually that simple because the way the brain works, it tends
to equate ability to plan with ability to execute and it is vastly
over-optimistic in estimating time taken to do things.