Re: [Acme] Supporting off-line (manual) validation

"Reimer Karlsen-Masur, DFN-CERT" <karlsen-masur@dfn-cert.de> Thu, 30 July 2015 09:04 UTC

Return-Path: <karlsen-masur@dfn-cert.de>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20EB51B2D65 for <acme@ietfa.amsl.com>; Thu, 30 Jul 2015 02:04:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.339
X-Spam-Level:
X-Spam-Status: No, score=0.339 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HELO_EQ_DE=0.35, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CPZIPJfUQLd8 for <acme@ietfa.amsl.com>; Thu, 30 Jul 2015 02:04:34 -0700 (PDT)
Received: from mail1.dfn-cert.de (mail1.dfn-cert.de [IPv6:2001:638:714:2811:5::1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5944E1B2D62 for <acme@ietf.org>; Thu, 30 Jul 2015 02:04:34 -0700 (PDT)
Message-ID: <55B9E89F.5040708@dfn-cert.de>
Date: Thu, 30 Jul 2015 11:04:31 +0200
From: "Reimer Karlsen-Masur, DFN-CERT" <karlsen-masur@dfn-cert.de>
MIME-Version: 1.0
To: "Salz, Rich" <rsalz@akamai.com>, "acme@ietf.org" <acme@ietf.org>
References: <cdd7588d86884d81a68e104823b65dcc@ustx2ex-dag1mb2.msg.corp.akamai.com>
In-Reply-To: <cdd7588d86884d81a68e104823b65dcc@ustx2ex-dag1mb2.msg.corp.akamai.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/qsAugp8e19ZIN4HnhrFHcvL0Kbo>
Subject: Re: [Acme] Supporting off-line (manual) validation
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2015 09:04:36 -0000

Salz, Rich wrote on 27.07.2015 22:06:
> Suppose we add a new challenge “offline/xxxx” where /xxxx is an IANA
> registry (first-come first-served).  The ACME client then stops doing online
> protocol, communicates with its human who does the appropriate credential
> validation with the CA. Ultimately (hours, days, weeks, months later), the
> protocol continues and the “offline” challenge gets its response which is a
> base64 string.
> 
>  
> 
> For the current CA’s, what manual process could not be served by this type
> of challenge?

In my "Sending documents or arbitrary files via ACME from server to client?"
post to this list I had at least a partly manual process in mind where the
CA provides some documents to the ACME client's human that needed to be
returned to the CA. So I had looked for a method to transport PDFs within
the ACME protocol to the client.

>From what I understand now, ACME's agreement URI could be used to tell the
ACME client's human to download a PDF that waits at that URI.

I don't want to send the documents via email to the associated email address
because I see there is room for spoofed/faked mails with faked documents.

So to answer your question: The agreement URI could be used to get
(challenge) docs, invoices or applications forms to the client when an
offline challenge is indicated but it does not seem the right fit. I do like
the possibility to take validation/authorisation off-line because it would
make it easier to use ACME clients with our current work-flows. On the other
hand since the PDF form (challenge) is delivered on-line, the response could
be off-line, e.g. a signed form sent to the CA. In this scenario the ACME
client would not need to continuously poll for the issued certificate, just
a few times per day to check if the CA received and accepted the response
and issued the certificate.

Reimer