Colleagues, I encourage you to read this draft and post comments, if any, to the list.
A structure for delegation opens up ACME to a large number of use cases. On 8/27/19, 2:28 AM, "Yaron Sheffer" <[email protected]> wrote: The new version contains some significant changes: - Addition of the STIR use case. - Refinement of the CDNI use case. - Addition of the CSR template (partial, more work required). - Further security considerations (work in progress). Thanks, Yaron -------- Forwarded Message -------- Subject: New Version Notification for draft-ietf-acme-star-delegation-01.txt Date: Mon, 26 Aug 2019 23:17:15 -0700 From: [email protected] To: Yaron Sheffer <[email protected]>, Thomas Fossati <[email protected]>, Antonio Agustin Pastor Perales <[email protected]>, Antonio Pastor <[email protected]>, Diego Lopez <[email protected]> A new version of I-D, draft-ietf-acme-star-delegation-01.txt has been successfully submitted by Yaron Sheffer and posted to the IETF repository. Name: draft-ietf-acme-star-delegation Revision: 01 Title: An ACME Profile for Generating Delegated STAR Certificates Document date: 2019-08-26 Group: acme Pages: 17 URL: https://www.ietf.org/internet-drafts/draft-ietf-acme-star-delegation-01.txt Status: https://datatracker.ietf.org/doc/draft-ietf-acme-star-delegation/ Htmlized: https://tools.ietf.org/html/draft-ietf-acme-star-delegation-01 Htmlized: https://datatracker.ietf.org/doc/html/draft-ietf-acme-star-delegation Diff: https://www.ietf.org/rfcdiff?url2=draft-ietf-acme-star-delegation-01 Abstract: This memo proposes a profile of the ACME protocol that allows the owner of an identifier (e.g., a domain name) to delegate to a third party access to a certificate associated with said identifier. A primary use case is that of a CDN (the third party) terminating TLS sessions on behalf of a content provider (the owner of a domain name). The presented mechanism allows the owner of the identifier to retain control over the delegation and revoke it at any time by cancelling the associated STAR certificate renewal with the ACME CA. Another key property of this mechanism is it does not require any modification to the deployed TLS ecosystem. Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. The IETF Secretariat _______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme _______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
