Re: [Acme] Add a special token parameter in ACME registration
"Andy Ligg" <andy@startssl.com> Tue, 16 August 2016 15:14 UTC
From: Andy Ligg <andy@startssl.com>
To: 'Jacob Hoffman-Andrews' <jsha@eff.org>, "'J.C. Jones'" <jjones@mozilla.com>
References: <236F64DDDC83C742A24E89E6E215CFC7E4CFB7@mx3.startssl.com> <CAObDDPAEaiWE0Apao_sWin2njhC+CjQuw1D07upTsn4=BQQZnQ@mail.gmail.com> <d729f81d-44a7-7e64-a528-a43df5e6dd69@eff.org>
In-Reply-To: <d729f81d-44a7-7e64-a528-a43df5e6dd69@eff.org>
Date: Tue, 16 Aug 2016 23:14:16 +0800
Message-ID: <010e01d1f7d0$dcd3c7a0$967b56e0$@startssl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/vXbvRFAPpunoYiM-XucvZHi-Fcw>
Cc: Acme@ietf.org
Subject: Re: [Acme] Add a special token parameter in ACME registration
See below inline, thanks.

From: Jacob Hoffman-Andrews [mailto:jsha@eff.org]
Sent: Tuesday, August 16, 2016 12:35 AM
To: J.C. Jones <jjones@mozilla.com>; Andy Ligg <andy@startssl.com>
Cc: Acme@ietf.org
Subject: Re: [Acme] Add a special token parameter in ACME registration

> One possibility would be to make it the client's responsibility to request EV by including the desired O, OU, etc. fields in the Subject DN of the CSR. It would then be the server's responsibility to accept or reject the request based on whether the account has a sufficient validation level (and payment).

A: StartCom issues the certificate not based on CSR info; we don't care about the info in the CSR, we issue the certificate based on this account's validated level and validated identity information. This mode doesn't work; the CSR is not enough to identify the certificate type.

> One of the big open questions in ACME is how paid CAs will manage the connection between existing accounts and accounts as defined by ACME. It sounds like that's a need you're likely to have. Do you have any particular ideas about how you'd like to manage it?

A: Yes, our API call works the same way as ACME registration - using a client certificate for authentication. In my last email, we need to add an API token in the ACME registration, then all is OK for a paid CA. Sure, if the paid CA doesn't work this way but would like to use ACME, then they need to change their API system.

Thanks.

Andy

> On 08/15/2016 08:53 AM, J.C. Jones wrote:
>
> Hi Andy,
>
> I'm not sure I follow exactly what the format of this token would be, or what message(s) in the protocol you'd like to add it to. Perhaps you can make some specific recommendations - even if they're tentative examples - for the WG to look at and reason through?
>
> Thanks!
> J.C.
>
> On Sun, Aug 14, 2016 at 9:10 PM, Andy Ligg <andy@startssl.com <mailto:andy@startssl.com> > wrote:
>
> > Hi all,
> >
> > StartCom plans to use the ACME protocol for StartEncrypt. We need to identify the client's validation level, so the subscriber administration can generate a special token in the StartSSL.com account and send this token to the email address used in the ACME registration. At registration, the user needs to enter the email and this token with the certificate to let the CA system know this customer's validation level. After the CA system receives the email, the token and the signing certificate, the CA system knows what type of certificate we can issue to this client; if this client account is class 4 validated, then the client can get an EV SSL certificate, not DV SSL.
> >
> > Please add this as a parameter to the ACME protocol, thanks.
> >
> > Best Regards,
> >
> > Andy Ligg
> > StartCom
> >
> > _______________________________________________
> > Acme mailing list
> > Acme@ietf.org <mailto:Acme@ietf.org>
> > https://www.ietf.org/mailman/listinfo/acme
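The two account-linking approaches discussed in this message, as an added example that is not part of the thread and not StartCom's, EFF's or any ACME implementation's code: the first half models Jacob's proposal (the client signals the certificate type through the CSR Subject DN and the server accepts or rejects against the account's validation level), the second half models Andy's proposal (a one-time token generated in the customer's CA account, sent to the registration email, and redeemed at ACME registration). Everything beyond what the thread states is an assumption: the account registry and emails are constructed, the CSR subject is assumed to be already parsed into a dict, the DV/OV/EV to class 1/2/4 mapping is assumed (the thread only says class 4 permits EV), the EV-only subject attributes are a simplification of the EV Guidelines, and the token lifetime is invented.

```python
"""Constructed illustration of CSR-driven and token-driven validation-level
checks for a paid CA fronting ACME. Not real CA code; see assumptions."""
import secrets
import time

# Constructed account registry. validation_class is the level the paid CA
# has already established for the customer (the thread's "class 4").
ACCOUNTS = {
    "acct-1001": {"email": "alice@example.com", "validation_class": 1},
    "acct-2002": {"email": "bob@example.com", "validation_class": 4},
}

# Assumption: minimum validation class required for each certificate type.
REQUIRED_CLASS = {"DV": 1, "OV": 2, "EV": 4}

# Simplified assumption: Subject DN attributes that appear only in EV
# certificates under the EV Guidelines.
EV_ONLY_ATTRS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}


def requested_cert_type(subject_dn):
    """Infer which certificate type the CSR asks for from its Subject DN
    (Jacob's proposal: the client requests EV/OV by what it puts in the DN)."""
    if EV_ONLY_ATTRS.intersection(subject_dn):
        return "EV"
    if "O" in subject_dn or "OU" in subject_dn:
        return "OV"
    return "DV"


def authorize_csr(account_id, subject_dn):
    """Server-side decision: accept or reject the CSR depending on whether the
    account's validation class covers the requested certificate type.
    Returns (allowed, cert_type, reason)."""
    account = ACCOUNTS.get(account_id)
    if account is None:
        return False, None, "unknown account"
    cert_type = requested_cert_type(subject_dn)
    needed = REQUIRED_CLASS[cert_type]
    if account["validation_class"] < needed:
        return False, cert_type, (
            f"{cert_type} requires class {needed}, account is class "
            f"{account['validation_class']}")
    return True, cert_type, "ok"


# Andy's proposal: a token generated in the customer's CA account, delivered
# to the registration email, and presented at ACME registration.

TOKEN_TTL = 24 * 3600          # assumption: tokens expire after one day
_TOKENS = {}                   # token -> {"email", "validation_class", "expires"}


def issue_registration_token(email, validation_class, now=None):
    """Mint a single-use token bound to the email it will be mailed to and to
    the validation class the CA has established for that customer."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits, unguessable
    _TOKENS[token] = {"email": email, "validation_class": validation_class,
                      "expires": now + TOKEN_TTL}
    return token


def redeem_registration_token(email, token, now=None):
    """Check a token presented with an ACME registration: it must exist, be
    unexpired and match the email it was issued for. The token is removed on
    any presentation, so it can be used at most once. Returns the validation
    class to attach to the new ACME account, or None on rejection."""
    now = time.time() if now is None else now
    entry = _TOKENS.pop(token, None)
    if entry is None:
        return None
    if now > entry["expires"]:
        return None
    if entry["email"].lower() != email.lower():
        return None
    return entry["validation_class"]


if __name__ == "__main__":
    ev_dn = {"CN": "www.example.com", "O": "Example Ltd",
             "businessCategory": "Private Organization"}
    print(authorize_csr("acct-1001", ev_dn))   # class 1 account rejected for EV
    print(authorize_csr("acct-2002", ev_dn))   # class 4 account accepted
    tok = issue_registration_token("carol@example.com", 4)
    print(redeem_registration_token("carol@example.com", tok))  # 4
    print(redeem_registration_token("carol@example.com", tok))  # None, already used
```

Both halves answer the same question for the ACME server: what certificate type may this account receive? Under the CSR approach the request carries the answer and the account record is the policy; under the token approach the validation class is bound to the ACME account once, at registration, and later orders need no extra signalling. The token path shows the checks a practitioner would expect at that binding step: single use, expiry, and binding to the email the token was mailed to.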