Re: [Acme] ACME or EST?

Michael Jenkins <m.jenkins.364706@gmail.com> Wed, 26 November 2014 01:20 UTC

In-Reply-To: <CAMm+Lwje44G2CZLfYJQAAR41CBw7+SCZNwdNPy+zO-VOeHZvkw@mail.gmail.com>
References: <AD5940AA-6F01-4D0E-A4E0-19AEA56BBED3@vpnc.org> <CAL02cgTgpjQffow2XuaNuT7BtqYVttXdVUgyqBFbsAbN4g0VzQ@mail.gmail.com> <CAMm+Lwje44G2CZLfYJQAAR41CBw7+SCZNwdNPy+zO-VOeHZvkw@mail.gmail.com>
Date: Tue, 25 Nov 2014 20:20:24 -0500
Message-ID: <CAC2=hncOrmH9GGZLfQtBcwZHTyB1bb8EMJQSs9J8yj0sZCgAMQ@mail.gmail.com>
From: Michael Jenkins <m.jenkins.364706@gmail.com>
To: acme@ietf.org
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/wlShDrYoK50Ceiy8cJ1-SJsjLdU

Setting aside the technical differences for a moment, the intents of EST
and ACME are different; EST was intended to support enrollment of arbitrary
types of devices that are more-or-less already known to the CA, whereas
ACME is for provisioning the web servers of domain owners. This difference
of intent explains, for instance, why ACME supports "validation of
possession of identifiers", while EST has the notion of "authorization".

Without having read ACME in depth, I suspect EST is a bit more general.
That's not to say ACME couldn't be made more general - and certainly not to
claim that generality is necessarily good :) but it serves some cases.


On Tue, Nov 25, 2014 at 7:34 PM, Phillip Hallam-Baker <phill@hallambaker.com> wrote:

> How about XKMS? It has much less ASN.1, it's all angle brackets.
>
> Stephen F. knows about it, he was the WG chair.
>
>
> Less ASN.1 is always good.
>
>
> On Tue, Nov 25, 2014 at 4:55 PM, Richard Barnes <rlb@ipv.sx> wrote:
> > A few things off the top of my head:
> >
> > * If nothing else, much less ASN.1.  (Cf. JOSE vs. CMS)
> > * Support for other certificate management functions, e.g., revocation
> > * Validation of possession of identifiers
> > * Cleaner use of HTTP
> >
> >
> >
> > On Tue, Nov 25, 2014 at 4:41 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> >>
> >> Greetings again. The abstract of the ACME pre-draft at
> >> https://github.com/letsencrypt/acme-spec (which Richard will hopefully
> >> publish as a real draft soon) says:
> >>
> >>    This
> >>    document describes a protocol that a certificate authority (CA) and a
> >>    applicant can use to automate the process of verification and
> >>    certificate issuance. The protocol also provides facilities for
> >>    other certificate management functions, such as certificate
> >>    revocation.
> >>
> >> This overlaps a lot with "Enrollment over Secure Transport" (EST),
> >> <https://tools.ietf.org/html/rfc7030>.
> >>
> >> For many people who saw last week's announcement, the main use case of
> >> ACME is "make it easy to create a client that can create a key, get it
> >> enrolled with a server, get the new certificate back, and install that
> >> certificate in a web server". What does/will ACME offer that EST does
> >> not already?
> >>
> >> --Paul Hoffman
> >> _______________________________________________
> >> Acme mailing list
> >> Acme@ietf.org
> >> https://www.ietf.org/mailman/listinfo/acme



-- 
Mike Jenkins
mjjenki@tycho.ncsc.mil - if you want me to read it only at my desk
m.jenkins.364706@gmail.com - to read everywhere else
443-634-3951
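The message above contrasts ACME's "validation of possession of identifiers" with EST's pre-established "authorization". As an added illustration (not code from the ACME pre-draft, from EST, or from any poster in this thread), the following Python model shows what possession validation means in practice: the CA hands out a fresh random token bound to the applicant's account key, and the applicant proves control of a DNS name by publishing the bound value at that name. The `/.well-known/acme-challenge/` path, the `token.thumbprint` response format, the placeholder `oct` keys and the `WEB` dictionary (which stands in for the CA's HTTP fetch) are all assumptions of this example; the thumbprint follows the RFC 7638 construction.

```python
"""Constructed model of ACME-style proof of control over an identifier.

Not the pre-draft's wire format. The point demonstrated: a CA does not
need to know the applicant in advance (EST's "authorization"); it binds a
fresh token to the applicant's account key and checks that the bound
value shows up where only the identifier's controller can publish it.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set, Tuple

# Constructed "internet": identifier -> {path: body}. Stands in for the
# web servers the CA would fetch from over HTTP (assumption of this example).
WEB: Dict[str, Dict[str, str]] = {}
CHALLENGE_PATH = "/.well-known/acme-challenge/"  # assumed path


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def key_thumbprint(jwk: dict) -> str:
    """RFC 7638-style thumbprint: SHA-256 over canonical JSON of the key."""
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode()
    return b64url(hashlib.sha256(canonical).digest())


def fetch(identifier: str, path: str) -> Optional[str]:
    """Stand-in for the CA's GET of http://<identifier><path>."""
    return WEB.get(identifier, {}).get(path)


class CA:
    def __init__(self) -> None:
        self._pending: Dict[Tuple[str, str], str] = {}

    def new_challenge(self, identifier: str, account_jwk: dict) -> str:
        # Token is unpredictable and tied to the requesting account key.
        token = b64url(secrets.token_bytes(32))
        self._pending[(identifier, token)] = key_thumbprint(account_jwk)
        return token

    def validate(self, identifier: str, token: str) -> bool:
        # pop() makes each token single-use, so a replay fails.
        thumbprint = self._pending.pop((identifier, token), None)
        if thumbprint is None:
            return False
        expected = f"{token}.{thumbprint}"
        served = fetch(identifier, CHALLENGE_PATH + token)
        return served is not None and hmac.compare_digest(served, expected)


class Applicant:
    def __init__(self, account_jwk: dict, controlled: Set[str]) -> None:
        self.jwk = account_jwk
        self.controlled = controlled  # names whose web server we can write to

    def respond(self, identifier: str, token: str) -> bool:
        if identifier not in self.controlled:
            return False  # cannot publish anything at a name we do not control
        body = f"{token}.{key_thumbprint(self.jwk)}"
        WEB.setdefault(identifier, {})[CHALLENGE_PATH + token] = body
        return True


def run_scenarios() -> Dict[str, bool]:
    """Exercise the flow; keys below are constructed placeholders, not real JWKs."""
    ca = CA()
    owner = Applicant({"kty": "oct", "k": "owner-key-placeholder"}, {"example.com"})
    stranger = Applicant({"kty": "oct", "k": "stranger-key-placeholder"}, set())
    results: Dict[str, bool] = {}

    t1 = ca.new_challenge("example.com", owner.jwk)
    owner.respond("example.com", t1)
    results["owner_passes"] = ca.validate("example.com", t1)
    results["replay_fails"] = ca.validate("example.com", t1)

    t2 = ca.new_challenge("example.com", stranger.jwk)
    stranger.respond("example.com", t2)  # no control of the name: nothing published
    results["stranger_fails"] = ca.validate("example.com", t2)

    # Token issued for the stranger's key; a value signed under another key
    # published at the name still does not validate, because the CA checks
    # the binding to the requesting account key, not just the token.
    t3 = ca.new_challenge("example.com", stranger.jwk)
    owner.respond("example.com", t3)
    results["wrong_key_fails"] = ca.validate("example.com", t3)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The two checks the CA performs are the ones that distinguish this model from EST's pre-authorization: the token is single-use and random, and the published response must carry the thumbprint of the account key that requested the challenge, so merely seeing a token on the wire gives a third party nothing to present.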