Re: [Acme] ACME or EST?

"Joe Hildebrand (jhildebr)" <jhildebr@cisco.com> Tue, 25 November 2014 22:17 UTC

Return-Path: <jhildebr@cisco.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA6F91A854B for <acme@ietfa.amsl.com>; Tue, 25 Nov 2014 14:17:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fOnIGqsXWj7N for <acme@ietfa.amsl.com>; Tue, 25 Nov 2014 14:17:47 -0800 (PST)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9CE911A7003 for <acme@ietf.org>; Tue, 25 Nov 2014 14:17:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1348; q=dns/txt; s=iport; t=1416953868; x=1418163468; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=rD/P8ZWg9SkI52YuTP/2c/8VflYGZ7/2fu8XloAIbUE=; b=Hdtl+YRn8n3vGSFTFZ/N708A4kgeeMKMAQ4XbQ+lQ5FAvY63WbkxetaP 5dm+ttauhu45N37TXhgKE6mkhHB9+uY/ljF8URaq9CR3n7nl9YOLIs4m9 /eyKpkFMRgaYqpRV6omG2UCqtBH7OVzVeP7vkCe6V940xbFiZve7R3mCI k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: An0IAPj+dFStJA2E/2dsb2JhbABbgwZSVwSDAcNriQQCHHQWAQEBAQF9hAMBAQQjEUUQAgEIDgwCJgICAjAVEAIEAQ0FiEC7K5ZVAQEBAQEBAQEBAQEBAQEBAQEBAQEBF4Euj00Hgng2gR8BBJJjjBmXHIN8d4EIJByBAgEBAQ
X-IronPort-AV: E=Sophos;i="5.07,458,1413244800"; d="scan'208";a="372154572"
Received: from alln-core-10.cisco.com ([173.36.13.132]) by rcdn-iport-9.cisco.com with ESMTP; 25 Nov 2014 22:17:48 +0000
Received: from xhc-rcd-x12.cisco.com (xhc-rcd-x12.cisco.com [173.37.183.86]) by alln-core-10.cisco.com (8.14.5/8.14.5) with ESMTP id sAPMHkSM031697 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 25 Nov 2014 22:17:46 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.204]) by xhc-rcd-x12.cisco.com ([173.37.183.86]) with mapi id 14.03.0195.001; Tue, 25 Nov 2014 16:17:46 -0600
From: "Joe Hildebrand (jhildebr)" <jhildebr@cisco.com>
To: Richard Barnes <rlb@ipv.sx>, Paul Hoffman <paul.hoffman@vpnc.org>
Thread-Topic: [Acme] ACME or EST?
Thread-Index: AQHQCPjaSOTiIOtL1U66R1BPQr7fWZxyR8uA//+QxYA=
Date: Tue, 25 Nov 2014 22:17:46 +0000
Message-ID: <DEC7A8A8-563D-41B3-94AC-71DC7219D3F8@cisco.com>
References: <AD5940AA-6F01-4D0E-A4E0-19AEA56BBED3@vpnc.org> <CAL02cgTgpjQffow2XuaNuT7BtqYVttXdVUgyqBFbsAbN4g0VzQ@mail.gmail.com>
In-Reply-To: <CAL02cgTgpjQffow2XuaNuT7BtqYVttXdVUgyqBFbsAbN4g0VzQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/15.4.0.141110
x-originating-ip: [10.129.24.242]
Content-Type: text/plain; charset="utf-8"
Content-ID: <24C2042303B31B40A2E4D853D6A3E0AE@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/_TS0l6Ij4N185dTNwx3hCVQr4cg
Cc: "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] ACME or EST?
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Nov 2014 22:17:49 -0000

On 11/25/14, 9:55 PM, "Richard Barnes" <rlb@ipv.sx> wrote:

>A few things off the top of my head:
>
>* If nothing else, much less ASN.1.  (Cf. JOSE vs. CMS)
>
>* Support for other certificate management functions, e.g., revocation
>
>* Validation of possession of identifiers
>
>* Cleaner use of HTTP

Although I sympathize with less ASN.1 and better HTTP use, the other two 
points are stronger technical differentiators, so in future answers to 
this question it might be better to focus more on those.  

I personally would like to make sure we have mapped whatever use cases are 
in EST to see if there are edges that ACME hasn't yet considered.  I would 
also like to ensure that the operational model that is implied by ACME is 
congruent enough with EST that an operator might be able to use both in 
parallel - if possible.  If it's not possible, I would like to have a 
crisp answer as to why we think that is a good thing.

-- 
Joe Hildebrand