Re: [Acme] Proposed ACME Charter Language

Ted Hardie <ted.ietf@gmail.com> Tue, 12 May 2015 21:34 UTC

In-Reply-To: <BD7B96B1-CD50-408F-AA06-49C20AB102A6@vigilsec.com>
References: <6A9C3116-8CC9-472C-8AA8-F555D060834C@vigilsec.com> <55351EAB.1060905@cs.tcd.ie> <E81896AA-245F-48B7-9B38-86AC30D2F82A@vigilsec.com> <553523E4.2090808@cs.tcd.ie> <84718B26-1DA3-4D46-8B6F-B615806229D7@vigilsec.com> <CABcZeBOy2yBEMGMxcDy=E3fvc+OF1sZfvOV7twJHAvKqtrxtLg@mail.gmail.com> <28919F11-9336-41F6-9922-4E3E2DC4E935@gmail.com> <BD7B96B1-CD50-408F-AA06-49C20AB102A6@vigilsec.com>
Date: Tue, 12 May 2015 14:34:48 -0700
Message-ID: <CA+9kkMAH+U25ZhLq1HhGFHKMAECu+Y1ZJH-h4bOrEXaUQ15LjQ@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
To: Russ Housley <housley@vigilsec.com>
Content-Type: multipart/alternative; boundary=047d7bae465e94e1370515e943a6
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/eOr7ZSW_dTodnzZ-fKml-ITdlXQ>
Cc: IETF ACME <acme@ietf.org>
Subject: Re: [Acme] Proposed ACME Charter Language

Stepping back in time to this point in the thread...

On Sat, Apr 25, 2015 at 2:46 PM, Russ Housley <housley@vigilsec.com> wrote:

> Here is the current language ...
>
> Russ
>
> = = = = = = = = = =
>
>
> Automated Certificate Management Environment (ACME)
>
> Historically, issuance of certificates for Internet applications
> (e.g., web servers) has involved many manual identity validation steps
> by the certification authority (CA).  The ACME WG will specify
> conventions for automated X.509 certificate management, including
> validation of control over an identifier, certificate issuance,
> certificate renewal, and certificate revocation.  The initial focus of
> the ACME WG will be on domain name certificates (as used by web
> servers), but other uses of certificates can be considered as work
> progresses.
>
> ACME certificate management must allow the CA to verify, in an
> automated manner, that the party requesting a certificate has authority
> over the requested identifiers, including the subject and subject
> alternative names.  The processing must also confirm that the requesting
> party has access to the private key that corresponds to the public key
> that will appear in the certificate.  All of the processing must be done
> in a manner that is compatible with common service deployment
> environments, such as hosting environments.
>
> ACME certificate management must, in an automated manner, allow a
> party that has previously requested a certificate to subsequently
> request revocation of that certificate.
>
> In order to facilitate deployment by CAs, the ACME protocol must be
> compatible with common industry standards for the operation of a CA,
> for example the CA/Browser Forum Baseline Requirements [0].
>
>
I don't really like the language "the ACME protocol must be
compatible with common industry standards for the operation of a CA,
for example the CA/Browser Forum Baseline Requirements [0]." Proving
compatibility with an unbounded set of standards seems likely to
generate a lot of wrangling on what "common industry standards" are.
Also, the point of the effort, after all, is to be better than *some* of
the current operations of a CA.

Would the following work?

"The ACME working group is focused on automating certificate issuance,
validation, revocation and renewal.  Review of other industry practices is
not within scope for this working group."

regards,

Ted



> The starting point for ACME WG discussions shall be draft-barnes-acme.
>
> [0] https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf
>
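The quoted charter text states two checks a CA must perform automatically: that the requester has authority over every requested identifier, and that the requester has access to the private key matching the public key that will go into the certificate. The following is an added example illustrating both checks as a CA-side function pair; it is not code from this thread, from draft-barnes-acme, or from any ACME implementation. The key pair, the DNS names `example.test` and `www.example.test`, and the `validated` set (standing in for identifiers whose control has already been demonstrated) are constructed for the example. Proof of possession is shown the way most CA pipelines do it, by verifying the self-signature on the PKCS#10 request; the ACME challenge exchange that populates the validated set is out of scope here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// checkCSRPossession parses a DER-encoded PKCS#10 request and verifies that
// its signature validates under the public key carried inside the request.
// A valid self-signature is the usual evidence that the requester holds the
// private key corresponding to the public key that will appear in the
// certificate (the charter's second requirement).
func checkCSRPossession(der []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("csr parse: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	return csr, nil
}

// checkIdentifierAuthority models the charter's first requirement: every
// identifier named in the request (subject CN and each SAN) must be one the
// requester has already demonstrated control over. The validated set is an
// input here; populating it is the validation step ACME automates.
func checkIdentifierAuthority(csr *x509.CertificateRequest, validated map[string]bool) error {
	names := append([]string{}, csr.DNSNames...)
	if cn := csr.Subject.CommonName; cn != "" {
		names = append(names, cn)
	}
	for _, n := range names {
		if !validated[n] {
			return fmt.Errorf("identifier %q not validated for this requester", n)
		}
	}
	return nil
}

// buildCSR produces a DER request for dnsNames signed with key; it exists so
// the example can construct its own input (a client-side helper, hypothetical).
func buildCSR(key *ecdsa.PrivateKey, dnsNames []string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: dnsNames[0]},
		DNSNames: dnsNames,
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// corruptSignature flips one bit in the last byte of the DER blob, which lies
// inside the signature value: the request still parses but no longer verifies,
// which is what a request not signed by the matching private key looks like.
func corruptSignature(der []byte) []byte {
	out := append([]byte{}, der...)
	out[len(out)-1] ^= 0x01
	return out
}

func main() {
	// Constructed sample input: a fresh P-256 key and two names whose control
	// we pretend has already been validated for this requester.
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := buildCSR(key, []string{"example.test", "www.example.test"})
	validated := map[string]bool{"example.test": true, "www.example.test": true}

	csr, err := checkCSRPossession(der)
	fmt.Println("possession:", err)
	fmt.Println("authority :", checkIdentifierAuthority(csr, validated))
	fmt.Println("extra name:", checkIdentifierAuthority(csr, map[string]bool{"example.test": true}))
	_, err = checkCSRPossession(corruptSignature(der))
	fmt.Println("tampered  :", err)
}
```

Both checks are independent and both must pass before issuance; a CA that skipped the second would let a requester obtain a certificate for a public key it cannot use, and one that skipped the first would issue for names the requester never demonstrated control over.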