[Acme] Supporting off-line (manual) validation

"Salz, Rich" <rsalz@akamai.com> Mon, 27 July 2015 20:06 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: "acme@ietf.org" <acme@ietf.org>
Date: Mon, 27 Jul 2015 20:06:14 +0000
Message-ID: <cdd7588d86884d81a68e104823b65dcc@ustx2ex-dag1mb2.msg.corp.akamai.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/dexdhT9frN09xS7pGVzRF5QhJCw>
Subject: [Acme] Supporting off-line (manual) validation

Suppose we add a new challenge "offline/xxxx" where /xxxx is an IANA registry (first-come first-served).  The ACME client then stops doing online protocol, communicates with its human who does the appropriate credential validation with the CA. Ultimately (hours, days, weeks, months later), the protocol continues and the "offline" challenge gets its response which is a base64 string.

For the current CAs, what manual process could not be served by this type of challenge?

                /r$

--
Senior Architect, Akamai Technologies
IM: richsalz@jabber.at Twitter: RichSalz
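The exchange Rich sketches above, as an added example in Python that is not code from the post or from any ACME implementation: a CA that hands out an "offline/<name>" challenge, a client that stops the online protocol and later resumes from saved state, and the checks the CA applies to the base64 response when it finally arrives. The registry entry name, the 90-day lifetime of the response string, its binding to the requesting account and its single-use rule are assumptions of this example; the post specifies none of them.

```python
"""Toy model of a proposed ACME "offline/<name>" challenge (added example).

Assumptions not taken from the post: the registry entry name, a 90-day
validity for the CA-issued base64 string, that the string is single-use
and bound to the account that asked, and the shape of the saved state.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

OFFLINE_TYPE = "offline/example-registry-name"  # hypothetical registry entry
RESPONSE_TTL = 90 * 24 * 3600                   # assumption: response valid 90 days


class CA:
    """Server side: issues offline challenges and checks the responses."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so the long gap can be simulated
        self.pending = {}       # challenge id -> record

    def new_challenge(self, account_id, identifier):
        cid = secrets.token_urlsafe(16)
        self.pending[cid] = {"account": account_id, "identifier": identifier,
                             "status": "pending", "response_hash": None,
                             "expires": None}
        # The challenge object the client sees carries no secret yet.
        return {"type": OFFLINE_TYPE, "id": cid, "status": "pending"}

    def complete_out_of_band(self, cid):
        """Manual validation with the CA is done: mint the base64 string handed
        to the human.  Only its hash is kept server-side."""
        rec = self.pending[cid]
        raw = secrets.token_bytes(32)
        rec["response_hash"] = hashlib.sha256(raw).digest()
        rec["expires"] = self.now() + RESPONSE_TTL
        rec["status"] = "awaiting-response"
        return base64.urlsafe_b64encode(raw).decode()

    def respond(self, cid, account_id, response_b64):
        """The client resumes the online protocol and posts the response."""
        rec = self.pending.get(cid)
        if rec is None or rec["status"] != "awaiting-response":
            return "invalid"          # unknown, not yet validated, or already used
        if rec["account"] != account_id:
            return "invalid"          # response is bound to the account that asked
        if self.now() > rec["expires"]:
            rec["status"] = "expired"
            return "expired"
        try:
            raw = base64.urlsafe_b64decode(response_b64)
        except ValueError:            # binascii.Error is a ValueError
            return "invalid"
        if not hmac.compare_digest(hashlib.sha256(raw).digest(), rec["response_hash"]):
            return "invalid"
        rec["status"] = "valid"       # single-use: a replay now fails the status check
        return "valid"


class Client:
    """Client side: goes quiet on an offline/* challenge and resumes, possibly
    months later, from saved state."""

    def __init__(self, account_id):
        self.account_id = account_id

    def suspend(self, challenge):
        if not challenge["type"].startswith("offline/"):
            raise NotImplementedError("only offline/* challenges are modelled here")
        # Persist just enough to pick the exchange up again after the human is done.
        return json.dumps({"challenge": challenge, "account": self.account_id,
                           "suspended_at": time.time()})

    def resume(self, ca, state_json, response_b64):
        state = json.loads(state_json)
        return ca.respond(state["challenge"]["id"], state["account"], response_b64)


def run_scenario():
    """One happy path plus the failure modes the CA must reject."""
    clock = [1_000_000.0]
    ca = CA(now=lambda: clock[0])
    client = Client("acct-1")

    ch = ca.new_challenge("acct-1", "example.com")
    state = client.suspend(ch)                  # client stops the online protocol
    clock[0] += 3 * 24 * 3600                   # ...days pass...
    resp = ca.complete_out_of_band(ch["id"])    # human finished with the CA

    results = {}
    results["wrong_account"] = ca.respond(ch["id"], "acct-2", resp)
    results["first"] = client.resume(ca, state, resp)
    results["replay"] = client.resume(ca, state, resp)

    ch2 = ca.new_challenge("acct-1", "example.net")
    state2 = client.suspend(ch2)
    resp2 = ca.complete_out_of_band(ch2["id"])
    clock[0] += RESPONSE_TTL + 1                # response sat unused too long
    results["late"] = client.resume(ca, state2, resp2)
    return results
```

Running `run_scenario()` returns one "valid" and three rejections; the point of the toy is that the base64 string is effectively a bearer credential delivered out of band, so the CA side has to tie it to the account, expire it and burn it on first use, and the client side has to persist the challenge identity across a gap measured in days or months rather than seconds.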