[Acme] How automated should ACME be?

Trevor Freeman <trevor.freeman99@icloud.com> Mon, 01 December 2014 21:01 UTC

From: Trevor Freeman <trevor.freeman99@icloud.com>
To: acme@ietf.org
Date: Mon, 01 Dec 2014 13:01:20 -0800
Message-id: <000b01d00da9$f5cc37a0$e164a6e0$@icloud.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/wnvidbFAnLr9IJQOa7FyjGnELqE
Subject: [Acme] How automated should ACME be?

To digress from the ASN.1 woes discussion, I would like to ask some higher-level
questions:

How automated should ACME be?

What are the set of automated scenarios we want ACME to support?

If I am managing n servers, how automated can I expect the management of
those n servers to be?

If I wanted to add a new type of certificate to my servers, how many places
do I need to visit to make that happen?

What I don't see in ACME at present is the management request/response
pair that would, for instance, exchange information to enable an ACME client
to create certificate requests, e.g. what algorithm, parameters, etc.

ACME is establishing DV-scoped RAs. Tying the authentication of the RA to a
specific form of authentication seems a little retro. We need a strong form
of authentication for the RA, but why don't we tokenize the RA
authentication to make ACME support multiple ways to authenticate?

Trevor