On Fri, May 15, 2015 at 12:48 PM, Ted Hardie <[email protected]> wrote:
> Okay, with the discussion so far, the charter looks like this:
>
> Automated Certificate Management Environment (ACME)
>
> Historically, issuance of certificates for Internet applications
> (e.g., web servers) has involved many manual identity validation steps
> by the certification authority (CA). The ACME WG will specify
> conventions for automated X.509 certificate management, including
> validation of control over an identifier, certificate issuance,
> certificate renewal, and certificate revocation. The initial focus of
> the ACME WG will be on domain name certificates (as used by web
> servers), but other uses of certificates can be considered as work
> progresses.
>
> ACME certificate management must allow the CA to verify, in an
> automated manner, that the party requesting a certificate has authority
> over the requested identifiers, including the subject and subject
> alternative names. The processing must also confirm that the requesting
> party has access to the private key that corresponds to the public key
> that will appear in the certificate. All of the processing must be done
> in a manner that is compatible with common service deployment
> environments, such as hosting environments.
>
> ACME certificate management must, in an automated manner, allow an
> authorized party to request revocation of a certificate.
>
> The ACME working group is specifying ways to automate certificate
> issuance, validation, revocation and renewal. The ACME working
> group is not reviewing or producing certificate policies or
> practices.
>
> The starting point for ACME WG discussions shall be draft-barnes-acme.
>
> I think we know of two milestones now, a first draft-ietf and submitting
> the protocol draft for proposed standard. To give dates for those, how
> about:
>
> Milestones:
>
> August 2015 Initial working group draft
> March 2016 Submit working group to IESG as Proposed Standard
>
> Any other obvious edits needed?
I think the charter should say 'a starting point' rather than 'the'. The reason I have not been pushing my OmniPublish spec was that IETF has done cert reg so many times before that I hesitated to make the proposal.

For me the most important thing in ACME is that it is designed to support the needs of 'TLS everywhere'. TLS everywhere requires us to have an automated process for cert management and renewal, which in turn requires us to have a process for automating validation.

Right now we are looking at just the traditional use case: a user starts a Web site on their machine and wants a cert for it, which is obviously the lowest-hanging fruit. If we are going to fully satisfy TLS everywhere we have to support mechanisms that allow embedded devices to acquire certs both automatically and with local admin override.

So I am happy with a timeline that says deliver something in March 2016, but I think we have to expect to do more if we are going to fully support TLS everywhere.
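The two CA-side checks the quoted charter text calls for, automated confirmation that the requester has been validated for every requested identifier (subject and subject alternative names) and that it holds the private key matching the public key in the request, as an added illustration in Go. This is not code from draft-barnes-acme, the ACME WG, or any post in this thread; the names `validatedIdentifiers`, `buildCSR`, `checkCSR` and `tamperedCSR` are chosen here, and the `validatedIdentifiers` map is a constructed stand-in for the CA's record of whatever identifier-control validation it has already performed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// validatedIdentifiers stands in for the CA's record of which identifiers
// this requester has already proved control over. Constructed sample data,
// not the output of any real validation method.
var validatedIdentifiers = map[string]bool{
	"example.com":     true,
	"www.example.com": true,
}

// buildCSR is the requester side: generate a fresh key pair and sign a
// certificate request naming the wanted identifiers as subject CN and SANs.
func buildCSR(names []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: names[0]},
		DNSNames: names,
	}
	// CreateCertificateRequest embeds key's public half and signs the
	// request with the private half.
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// checkCSR is the CA side. It returns the requested identifiers only if
// (1) the request signature verifies under the embedded public key, which
// is the proof that the requester holds the corresponding private key, and
// (2) every requested identifier, subject CN included, has been validated.
func checkCSR(der []byte, validated map[string]bool) ([]string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("parse: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	// Collect the CN plus SANs without duplicates; a CN absent from the
	// SAN list is still an identifier that would end up in the certificate.
	var requested []string
	seen := map[string]bool{}
	if cn := csr.Subject.CommonName; cn != "" {
		requested = append(requested, cn)
		seen[cn] = true
	}
	for _, n := range csr.DNSNames {
		if !seen[n] {
			requested = append(requested, n)
			seen[n] = true
		}
	}
	if len(requested) == 0 {
		return nil, errors.New("no identifiers requested")
	}
	for _, n := range requested {
		if !validated[n] {
			return nil, fmt.Errorf("identifier %q not validated for this requester", n)
		}
	}
	return requested, nil
}

// tamperedCSR returns a copy of der whose final byte (the last byte of the
// ECDSA signature value) is altered, modelling a request whose signature
// does not match the embedded public key.
func tamperedCSR(der []byte) []byte {
	out := append([]byte(nil), der...)
	out[len(out)-1] ^= 0x01
	return out
}

func main() {
	der, err := buildCSR([]string{"example.com", "www.example.com"})
	if err != nil {
		panic(err)
	}
	names, err := checkCSR(der, validatedIdentifiers)
	fmt.Println("validated request:", names, err)

	extra, _ := buildCSR([]string{"example.com", "other.example.org"})
	_, err = checkCSR(extra, validatedIdentifiers)
	fmt.Println("unvalidated identifier:", err)

	_, err = checkCSR(tamperedCSR(der), validatedIdentifiers)
	fmt.Println("bad signature:", err)
}
```

Running it shows the accepted request listing both names, then a rejection for the unvalidated `other.example.org`, then a proof-of-possession failure for the tampered request. In a real issuer the `validated` map would be populated by the challenge mechanism the working group defines; the CSR checks themselves do not depend on which one.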
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
