Re: [Acme] Proposed ACME Charter Language

Russ Housley <housley@vigilsec.com> Wed, 13 May 2015 19:51 UTC

From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <87d225qwbq.fsf@latte.josefsson.org>
Date: Wed, 13 May 2015 15:51:06 -0400
Message-Id: <B30EDBDF-0803-4AB0-9EBB-DD726F617C5B@vigilsec.com>
References: <6A9C3116-8CC9-472C-8AA8-F555D060834C@vigilsec.com> <55351EAB.1060905@cs.tcd.ie> <E81896AA-245F-48B7-9B38-86AC30D2F82A@vigilsec.com> <553523E4.2090808@cs.tcd.ie> <84718B26-1DA3-4D46-8B6F-B615806229D7@vigilsec.com> <CABcZeBOy2yBEMGMxcDy=E3fvc+OF1sZfvOV7twJHAvKqtrxtLg@mail.gmail.com> <28919F11-9336-41F6-9922-4E3E2DC4E935@gmail.com> <BD7B96B1-CD50-408F-AA06-49C20AB102A6@vigilsec.com> <CA+9kkMAH+U25ZhLq1HhGFHKMAECu+Y1ZJH-h4bOrEXaUQ15LjQ@mail.gmail.com> <87d225qwbq.fsf@latte.josefsson.org>
To: Simon Josefsson <simon@josefsson.org>, Ted Hardie <ted.ietf@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/_PSvAYhIDYo_JNuuJFyrN6jKPfY>
Cc: IETF ACME <acme@ietf.org>
Subject: Re: [Acme] Proposed ACME Charter Language

Ted and Simon:

> Ted Hardie <ted.ietf@gmail.com> writes:
> 
>>> In order to facilitate deployment by CAs, the ACME protocol must be
>>> compatible with common industry standards for the operation of a CA,
>>> for example the CA/Browser Forum Baseline Requirements [0].
>>> 
>> I don't really like the language "the ACME protocol must be
>> compatible with common industry standards for the operation of a CA,
>> for example the CA/Browser Forum Baseline Requirements [0]." Proving
>> compatibility with an unbounded set of standards seems likely to
>> generate a lot of wrangling on what "common industry standards" means.
>> Also, the point of the effort, after all, is to be better than *some* of
>> the current operations of a CA.
>> 
>> Would the following work?
>> 
>> "The ACME working group is focused on automating certificate issuance,
>> validation, revocation and renewal.  Review of other industry practices
>> is not within scope for this working group."
> 
> +1
> 
> The reference to CA/B and saying ACME must be compatible with it appear
> restrictive to me.  If we want to improve state-of-the-art, we can't be
> limited by compatibility with the lowest common denominator in the
> industry.
I think the point of this paragraph was to create a protocol that is compatible with existing CA policies and practices.

How about this?

The ACME working group is specifying ways to automate certificate
issuance, validation, revocation and renewal.  The ACME working
group is not reviewing or producing certificate policies or
practices.

Russ