Re: [Acme] ACME or EST?

Richard Barnes <rlb@ipv.sx> Tue, 25 November 2014 21:55 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58FFC1A1AB6 for <acme@ietfa.amsl.com>; Tue, 25 Nov 2014 13:55:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jCfZgJqp6H80 for <acme@ietfa.amsl.com>; Tue, 25 Nov 2014 13:55:52 -0800 (PST)
Received: from mail-vc0-f173.google.com (mail-vc0-f173.google.com [209.85.220.173]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68D1F1A0277 for <acme@ietf.org>; Tue, 25 Nov 2014 13:55:52 -0800 (PST)
Received: by mail-vc0-f173.google.com with SMTP id im17so718926vcb.18 for <acme@ietf.org>; Tue, 25 Nov 2014 13:55:51 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=SJrkoiJK6AGLsWjvR2Fzy07kQtC6aXtptMW85Yw2CO4=; b=E670V0K8yQjs+wmVX/Ad65bFeVrzQK+F3fK5PUNt0Mv64PqGaRuDodqfjMFQDIb4cT U21aJtXy6CPPf56guJB3QWH5nO+qpn8JqTIgc2LQR7h9k8wHSDaRp063pBwFSebXi4Au QxsUcRQ2eUFlzzPpELAmHNPrziXDi32VPI0L9NCnZP65vPaJds2zhDaFO1OHlt66DoTA 7xOyRg4ZUvTtEtfNn7WDyAlwravOwlL7lY14eAXQy//yAQ6yfWdwjiidZxMfffwwe4UZ nMpQwIx8rptIfmReJb25MFx6QBBO+lUysh0Ib0ssgRD1MIfxhobaSrQNd9MMNw/AzNTF B05g==
X-Gm-Message-State: ALoCoQlCrlJcp+dNy3DVAdqYSt41XNxAiufseC6jaQK5/DBuRF4RQRRjrL/FKv5R/ms+MI4Jrlwe
MIME-Version: 1.0
X-Received: by 10.52.10.198 with SMTP id k6mr2340320vdb.38.1416952551638; Tue, 25 Nov 2014 13:55:51 -0800 (PST)
Received: by 10.31.149.1 with HTTP; Tue, 25 Nov 2014 13:55:51 -0800 (PST)
In-Reply-To: <AD5940AA-6F01-4D0E-A4E0-19AEA56BBED3@vpnc.org>
References: <AD5940AA-6F01-4D0E-A4E0-19AEA56BBED3@vpnc.org>
Date: Tue, 25 Nov 2014 16:55:51 -0500
Message-ID: <CAL02cgTgpjQffow2XuaNuT7BtqYVttXdVUgyqBFbsAbN4g0VzQ@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: multipart/alternative; boundary=20cf30334e25811f0e0508b5f991
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/uj2LVbQTeCHh9gsSzUimnmB1V4M
Cc: acme@ietf.org
Subject: Re: [Acme] ACME or EST?
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Nov 2014 21:55:54 -0000

A few things off the top of my head:

* If nothing else, much less ASN.1.  (Cf. JOSE vs. CMS)
* Support for other certificate management functions, e.g., revocation
* Validation of possession of identifiers
* Cleaner use of HTTP



On Tue, Nov 25, 2014 at 4:41 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:

> Greetings again. The abstract of the ACME pre-draft at
> https://github.com/letsencrypt/acme-spec (which Richard will hopefully
> publish as a real draft soon) says:
>
>    This
>    document describes a protocol that a certificate authority (CA) and a
>    applicant can use to automate the process of verification and
>    certificate issuance. The protocol also provides facilities for
>    other certificate management functions, such as certificate
>    revocation.
>
> This overlaps a lot with "Enrollment over Secure Transport" (EST), <
> https://tools.ietf.org/html/rfc7030>gt;.
>
> For many people who saw last week's announcement, the main use case of
> ACME is "make it easy to create a client that can create a key, get it
> enrolled with a server, get the new certificate back, and install that
> certificate in a web server". What does/will ACME offer that EST does not
> already?
>
> --Paul Hoffman
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>