Re: [Acme] ACME or EST?

Nico Williams <nico@cryptonector.com> Tue, 25 November 2014 22:37 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83E101A7003 for <acme@ietfa.amsl.com>; Tue, 25 Nov 2014 14:37:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Level:
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4WqEPtE6ZQ3Y for <acme@ietfa.amsl.com>; Tue, 25 Nov 2014 14:37:18 -0800 (PST)
Received: from homiemail-a87.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 7A06D1A1A64 for <acme@ietf.org>; Tue, 25 Nov 2014 14:37:18 -0800 (PST)
Received: from homiemail-a87.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a87.g.dreamhost.com (Postfix) with ESMTP id 393C426C063; Tue, 25 Nov 2014 14:37:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=cXNFqJI9M4iXpU jEW7JrM7mnHKQ=; b=GB+4YGcC6DAO8o7w80bZ/Qj/IdJWzWMfJPcIQ/Bj+ajx36 67gxXQhEym5wINwdSypPbYGk6pJ0xtb1S5t3pGoVSpc5hdrUZtE08SuZNyg535pw 2mCCptNx0Kqk+BgkFLqfhLRJ+I9fCHCVab6mdqDu0canxSbWZ/jJ9gzMiNo3s=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a87.g.dreamhost.com (Postfix) with ESMTPA id D7B5726C05E; Tue, 25 Nov 2014 14:37:17 -0800 (PST)
Date: Tue, 25 Nov 2014 16:37:17 -0600
From: Nico Williams <nico@cryptonector.com>
To: Richard Barnes <rlb@ipv.sx>
Message-ID: <20141125223715.GV3200@localhost>
References: <AD5940AA-6F01-4D0E-A4E0-19AEA56BBED3@vpnc.org> <CAL02cgTgpjQffow2XuaNuT7BtqYVttXdVUgyqBFbsAbN4g0VzQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAL02cgTgpjQffow2XuaNuT7BtqYVttXdVUgyqBFbsAbN4g0VzQ@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/yrzHKIM8TBlwcYpaAGPunpodxmk
Cc: acme@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [Acme] ACME or EST?
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Nov 2014 22:37:19 -0000

On Tue, Nov 25, 2014 at 04:55:51PM -0500, Richard Barnes wrote:
> On Tue, Nov 25, 2014 at 4:41 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> > This overlaps a lot with "Enrollment over Secure Transport" (EST), <
> > https://tools.ietf.org/html/rfc7030>gt;.
> >
> > For many people who saw last week's announcement, the main use case of
> > ACME is "make it easy to create a client that can create a key, get it
> > enrolled with a server, get the new certificate back, and install that
> > certificate in a web server". What does/will ACME offer that EST does not
> > already?
>
> A few things off the top of my head:
> 
> * If nothing else, much less ASN.1.  (Cf. JOSE vs. CMS)

RFC7030 defines very few new ASN.1 types... oh.  It uses the ASN.1 IOS.
Eww.  Yeah, OK, I see your point.

That ugly ASN.1 in RFC7030 is for the response to a "request
required/desired attributes" request.  Your I-D doesn't have this
feature, presumably because there's no real need for it.  Can you
confirm?

A request for supported attributes might be useful, but probably only
for purposes _other_ than HTTPS servers.

(If there were a need for such a thing then defining ASN.1 types that
don't use the IOS would be trivial.  Using JSON would be fine too, and
since that's what you prefer, go for it.)

> * Support for other certificate management functions, e.g., revocation

And rollover?  And re-certification?

I mean, one of the most useful features would be to have fresh and/or
short-lived cert management to avoid revocation: re-certify the
EE's cert frequently, even when there is no key rollover.

Among other things it'd make OCSP stapling less necessary.

> * Validation of possession of identifiers
> * Cleaner use of HTTP

"
   All requests for a given ACME server are sent to the same HTTPS URI.
"

I'd expect different kinds of requests to use differen URIs (that seems
to be best practice, but then again, you're not claiming that ACME is
RESTful, so hey).

"
   It is assumed that clients are configured with this URI out of band.
"

Clients could learn it via RFC5988 link relations, no?

"
   ACME requests MUST use the POST method, and since they carry JSON
   ...
"

Er, are there no requests for information?  E.g., OCSP Responses,
acceptable attributes (for CSRs), ...?

Nico
--