[Acme] ACME for pre-ACME CAs

Richard Barnes <rlb@ipv.sx> Tue, 22 December 2015 20:02 UTC

Date: Tue, 22 Dec 2015 15:02:51 -0500
Message-ID: <CAL02cgQnXOZFwpbRcbdDAzBjeM2pyqOkoTv3WbXWf_BVT5SdBg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: "acme@ietf.org" <acme@ietf.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/aP-7f7H6_4pqjDE4Dm4hXhH397c>
Subject: [Acme] ACME for pre-ACME CAs

Hey all,

I mentioned at the IETF meeting that a major next milestone for ACME
is to get it to the point where it can be used by current CAs,
including ones that require clients to pay for certificates.  I've
been chatting with Andrew Ayer and a few other folks about how to do
this, and have come up with the following loose proposal (in a Gist
because it's a little long):

https://gist.github.com/bifurcation/8c955b99bd0daec8673d

tl;dr:
- Add an "order" resource type that can group certificates
- Reinforce the distinction between certificate requests and certificates
- Add an "activation" action or an "out-of-band" challenge type

If we can get to some agreement on the list about what the right
overall form is, we can start making some PRs in the new year.

Thanks!

--Richard