Re: [Acme] Considerations about ACME BoF

Richard Barnes <rlb@ipv.sx> Tue, 31 March 2015 12:42 UTC

In-Reply-To: <551A5937.1070608@DigiCert.com>
References: <551569F6.8020507@openca.org> <55157164.80805@cs.tcd.ie> <5519A5B6.9010707@DigiCert.com> <551A162F.9020105@gmail.com> <551A5937.1070608@DigiCert.com>
Date: Tue, 31 Mar 2015 08:41:59 -0400
Message-ID: <CAL02cgRm2-+SCECYPRD9H3qdOAWb2Ht+aXBgZ4H_+FZe-F7JJA@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Scott Rea <Scott.Rea@digicert.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/ncc0PBouy4TEDycucB9BVo6lAMQ>
Cc: Yaron Sheffer <yaronf.ietf@gmail.com>, "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] Considerations about ACME BoF

On Tue, Mar 31, 2015 at 4:22 AM, Scott Rea <Scott.Rea@digicert.com> wrote:

> G'day Yaron,
>
> I will make 2 brief observations:
>
> a) Max and I actually proposed some usability-focused work around TLS
> certs to the PKIX WG about 6 or 7 years ago, when PKIX was still going
> strong, and we were told that usability is not the purview of IETF, it's
> purely bits on the wire. So when did IETF morph from bits on the wire to
> now include usability?
>

This is getting silly.  At some level, the entire Internet is about
usability.  After all, you could order plane tickets over the phone before
Expedia showed up, right?

Protocols are about automating interactions.  The interaction by which a CA
validates an applicant's control over a domain name is one for which we
don't have good standard automation right now.

> b) Getting a server certificate for a cloud server within seconds, and
> with no manual intervention is possible today with a little scripting on
> the server and an appropriate API from one of the existing CAs.

If you like, you can view ACME as simply a collation and standardization of
those proprietary APIs, so that hosting providers (and server vendors,
etc.) don't have to get locked in to one.

--Richard

> If your
> current provider cannot do that for you, then I suggest you shop around
> a little.
>
> Regards,
> _Scott
>
> On 3/30/2015 9:36 PM, Yaron Sheffer wrote:
> >>>> *Overstepping the Technical Boundaries.* As it was pointed out during
> >>>> the BoF, the proposed initiative does not address any technical issue,
> >>>> but, instead, is pushing a specific BUSINESS model. I found very
> >>>> inappropriate the examples of "I could not get my certificates in 45
> >>>> minutes.." as this is a NON argument.
> >>> With all due respect to Cullen, I agree:-) I think it's used as a
> >>> humorous anecdote basically and I've seen that done in quite a few
> >>> contexts in the IETF. But that one non-argument was raised is not
> >>> a procedural issue for me.
> >> I agree with Max that this should be a non-argument, and happy to hear
> >> that you agree Stephen
> >>>
> >
> > For me ACME is purely about usability, so Cullen's anecdote is
> > actually the only thing that matters. As a user, I want to be able to
> > get a server certificate for a cloud server within seconds, and with
> > no manual intervention. And if that breaks someone's business model,
> > so be it.
> >
> > And by the way, ACME with *email* certs could make S/MIME viable
> > again, for those of us still using mail clients.
> >
> > Thanks,
> >     Yaron
>
> --
> Scott Rea, MSc, CISSP
> VP GOV/EDU Relations & Sr. PKI Architect
> DigiCert, Inc.
> 2600 West Executive Parkway
> Suite 500
> Lehi, Utah 84043
> http://www.digicert.com
> (800) 896-7973
>
> Em Scott@DigiCert.com
> Ph#(801) 701-9636
> Ce#(801) 874-4114