Re: [Acme] ACME or EST?
Michael Jenkins <m.jenkins.364706@gmail.com> Wed, 26 November 2014 01:20 UTC
Date: Tue, 25 Nov 2014 20:20:24 -0500
From: Michael Jenkins <m.jenkins.364706@gmail.com>
To: acme@ietf.org
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/wlShDrYoK50Ceiy8cJ1-SJsjLdU
Subject: Re: [Acme] ACME or EST?
List-Id: Automated Certificate Management Environment <acme.ietf.org>

Setting aside the technical differences for a moment, the intents of EST and ACME are different; EST was intended to support enrollment of arbitrary types of devices that are more-or-less already known to the CA, whereas ACME is for provisioning the web servers of domain owners. This difference of intent explains, for instance, why ACME supports "validation of possession of identifiers", while EST has the notion of "authorization".

Without having read ACME in depth, I suspect EST is a bit more general. That's not to say ACME couldn't be made more general - and certainly not to claim that generality is necessarily good :) but it serves some cases.

On Tue, Nov 25, 2014 at 7:34 PM, Phillip Hallam-Baker <phill@hallambaker.com> wrote:

> How about XKMS? It has much less ASN.1, it's all angle brackets.
>
> Stephen F. knows about it, he was the WG chair.
>
> Less ASN.1 is always good.
>
> On Tue, Nov 25, 2014 at 4:55 PM, Richard Barnes <rlb@ipv.sx> wrote:
> > A few things off the top of my head:
> >
> > * If nothing else, much less ASN.1. (Cf. JOSE vs. CMS)
> > * Support for other certificate management functions, e.g., revocation
> > * Validation of possession of identifiers
> > * Cleaner use of HTTP
> >
> > On Tue, Nov 25, 2014 at 4:41 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> >>
> >> Greetings again. The abstract of the ACME pre-draft at
> >> https://github.com/letsencrypt/acme-spec (which Richard will hopefully
> >> publish as a real draft soon) says:
> >>
> >>    This document describes a protocol that a certificate authority (CA) and a
> >>    applicant can use to automate the process of verification and
> >>    certificate issuance. The protocol also provides facilities for
> >>    other certificate management functions, such as certificate
> >>    revocation.
> >>
> >> This overlaps a lot with "Enrollment over Secure Transport" (EST),
> >> <https://tools.ietf.org/html/rfc7030>.
> >>
> >> For many people who saw last week's announcement, the main use case of
> >> ACME is "make it easy to create a client that can create a key, get it
> >> enrolled with a server, get the new certificate back, and install that
> >> certificate in a web server". What does/will ACME offer that EST does not
> >> already?
> >>
> >> --Paul Hoffman
> >> _______________________________________________
> >> Acme mailing list
> >> Acme@ietf.org
> >> https://www.ietf.org/mailman/listinfo/acme

--
Mike Jenkins
mjjenki@tycho.ncsc.mil - if you want me to read it only at my desk
m.jenkins.364706@gmail.com - to read everywhere else
443-634-3951