On 10/03/15 00:04, Bernd Eckenfels wrote:
Hello,
I don't think it is a good idea to add any functionality which tries to
move/copy the private key (and with some hardware protection it should
also not possible). And it is not really needed. Just request a new one.
The ACME credentials might be transported, but I am not sure you want
to do that via untrusted (ACME) servers...
Hi Bernd. I agree, but I'd be interested to hear John's point of view.
IIUC, John's motivation is (emphasis mine)...
"A newly deployed HTTPS server replacing or complementing an existing
HTTPS server should import an existing certificate *instead of buying
a new*"
I'd like to think that there could be better ways (than moving/copying
private keys) to avoid having to buy a new cert for each server. e.g.
Perhaps some CAs might be willing to charge you for your first cert for
x.y.com, but then let you have additional certs for the same domain name
for free (as long as you authenticate with the same ACME credentials
each time).
Gruss
Bernd
Am Mon, 09 Mar 2015 21:37:44 +0000 schrieb Rob Stradling
<[email protected]>:
John, how would a "newly deployed HTTPS server replacing or
complementing an existing HTTPS server" obtain a copy of the private
key that is associated with the "existing certificate" that it
desires to "import" ?
IINM, whilst the current ACME draft handles proving possession of a
private key, there's no mechanism for backing up a private key to an
ACME server and/or for transferring a private key from one ACME
client to another ACME client.
Do you think ACME should provide these facilities?
If not, is there any real gain to adding your proposed "Certificate
Download" function, given that there would presumably be just as many
"people flying back and forth just to manually transfer" private keys?
Thanks.
On 09/03/15 20:37, John Mattsson wrote:
Hi all,
I strongly support the ACME work. Certificate management is
something that really benefits from standardization and
automatization.
We have some additional use cases that we think should be included
and that clearly falls into the ACME use case "obtaining
certificates for Web sites".
I wrote a short draft that illustrates the scenarios. Please
comment. Would be happy to give a short (5min?) presentation at the
BoF.
Cheers,
John
Begin forwarded message:
*From: *<[email protected]
<mailto:[email protected]>> *To: *John Mattsson
<[email protected] <mailto:[email protected]>>,
John Mattsson <[email protected]
<mailto:[email protected]>>, Robert Skog
<[email protected] <mailto:[email protected]>>,
"Robert Skog" <[email protected]
<mailto:[email protected]>> *Subject: **New Version
Notification for draft-mattsson-acme-use-cases-00.txt*
*Date: *9 Mar 2015 20:57:54 CET
A new version of I-D, draft-mattsson-acme-use-cases-00.txt
has been successfully submitted by John Mattsson and posted to the
IETF repository.
Name:draft-mattsson-acme-use-cases
Revision:00
Title:Additional Use Cases for Automatic Certificate Management
(ACME) Document date:2015-03-09
Group:Individual Submission
Pages:6
URL:
http://www.ietf.org/internet-drafts/draft-mattsson-acme-use-cases-00.txt
Status:
https://datatracker.ietf.org/doc/draft-mattsson-acme-use-cases/
Htmlized:
http://tools.ietf.org/html/draft-mattsson-acme-use-cases-00
Abstract:
Contacting a CA is just one way in which a newly deployed HTTPS
server can get hold of the certificate to use. This document
describes additional (and common) use cases that fall into the
major guiding use case for ACME as stated by [I-D.barnes-acme],
"obtaining certificates for Web sites".
Please note that it may take a couple of minutes from the time of
submission
until the htmlized version and diff are available at tools.ietf.org
<http://tools.ietf.org>.
The IETF Secretariat
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com
COMODO CA Limited, Registered in England No. 04058690
Registered Office:
3rd Floor, 26 Office Village, Exchange Quay,
Trafford Road, Salford, Manchester M5 3EQ
This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
sender by replying to the e-mail containing this attachment. Replies to
this email may be monitored by COMODO for operational or business
reasons. Whilst every endeavour is taken to ensure that e-mails are free
from viruses, no liability can be accepted and the recipient is
requested to use their own virus checking software.
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
