Re: [Acme] ACME signature mechanics

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 17 December 2014 20:17 UTC

To: Trevor Freeman <trevor.freeman99@icloud.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/rEl2UhAM8fwPvnkv6CIBCWg5Aqk
Cc: Richard Barnes <rlb@ipv.sx>, "acme@ietf.org" <acme@ietf.org>, Anders Rundgren <anders.rundgren.net@gmail.com>
List-Id: Automated Certificate Management Environment <acme.ietf.org>

On Wed, Dec 17, 2014 at 2:53 PM, Trevor Freeman <trevor.freeman99@icloud.com> wrote:
>
> Hi Richard,
>
> There is an alternative to using PKCS#10 as the CSR structure. The ACME
> request is using TLS as a transport. You could use the client certificate
> portion of TLS to send an X.509 certificate containing the ACME client
> public key to the ACME server. All the data the ACME server needs is in the
> X.509 structure. You can sign the X.509 certificate containing the leaf
> certificate with the authorization public key in the normal X.509 way.
> There is just as much X.509 certificate creation code out there as PKCS#10
> creation code, so I don’t see that as a big issue. An upside to this is you
> also get a meaningful POP in that the ACME client submitting the request
> has to use the private key as part of the TLS negotiation which is a better
> proof they actually have the private key. Also all of the ASN.1 structures
> and the signatures for the request would be part of the TLS protocol.
>
Not in .NET there isn't. Certificate creation is only supported in the C++
stuff.