Re: [Acme] ACME or EST?

Paul Hoffman <paul.hoffman@vpnc.org> Tue, 25 November 2014 22:50 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56D331A1A64 for <acme@ietfa.amsl.com>; Tue, 25 Nov 2014 14:50:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.647
X-Spam-Level:
X-Spam-Status: No, score=-3.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SA_itd6reIMe for <acme@ietfa.amsl.com>; Tue, 25 Nov 2014 14:50:15 -0800 (PST)
Received: from proper.com (Hoffman.Proper.COM [207.182.41.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 294A61A1B29 for <acme@ietf.org>; Tue, 25 Nov 2014 14:50:15 -0800 (PST)
Received: from [10.20.30.90] (142-254-17-143.dsl.dynamic.fusionbroadband.com [142.254.17.143]) (authenticated bits=0) by proper.com (8.14.9/8.14.7) with ESMTP id sAPMoDtB038207 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 25 Nov 2014 15:50:14 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: proper.com: Host 142-254-17-143.dsl.dynamic.fusionbroadband.com [142.254.17.143] claimed to be [10.20.30.90]
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <CAL02cgTgpjQffow2XuaNuT7BtqYVttXdVUgyqBFbsAbN4g0VzQ@mail.gmail.com>
Date: Tue, 25 Nov 2014 14:50:13 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <F5761985-AD8C-4CA3-9E55-D1AC33BB55E6@vpnc.org>
References: <AD5940AA-6F01-4D0E-A4E0-19AEA56BBED3@vpnc.org> <CAL02cgTgpjQffow2XuaNuT7BtqYVttXdVUgyqBFbsAbN4g0VzQ@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
X-Mailer: Apple Mail (2.1993)
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/eOYwGeac2PhLu-rk_Uxuf-qHdQs
Cc: acme@ietf.org
Subject: Re: [Acme] ACME or EST?
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Nov 2014 22:50:19 -0000

On Nov 25, 2014, at 1:55 PM, Richard Barnes <rlb@ipv.sx> wrote:
> 
> A few things off the top of my head:
> 
> * If nothing else, much less ASN.1.  (Cf. JOSE vs. CMS)

The JOSE message structure has been much more problem-laden than CMS ever was. Yes, ASN.1 is ugly; many people feel the same (or worse) about JOSE.

> * Support for other certificate management functions, e.g., revocation

That seems like a good point.

> * Validation of possession of identifiers

And that seems like another good one, one that I had missed in EST.

> * Cleaner use of HTTP

That's quite debatable. The current ACME draft is likely to change when more requests are filled in. Personally, I prefer the HTTP used in EST, but both will probably converge after a while.

I think the "we can revoke certs, and get reissued certs more cleanly" and "we inherently are showing possession of identifiers" are good enough arguments to drop the discussion of EST for this use case.

--Paul Hoffman