thoughs in no particular order:
1. I don't think section 3's 1RTT mode works. CA already signed the
certificate if it can give out encrypted version of it, then client can
get certificate from CT log.
2. is there a reason to include just PQC algos on list of supported
algorithm endpoint? I think there is no reason to not include classical
algorithms there, as those have parameters CA may refuse (rsa keysize,
ecdsa curves)
3. LE doesn't consider CSR as proof of possession of private key (so you
need sign revoke request with certs privkey to use reason key
compromise), and TLS CA/B BR doesn't actually require to check it.
2023-08-06 오후 8:00에 Alexandre Augusto 이(가) 쓴 글:
Dear chairs and WG,
I would like to share our proposal for improving ACME with algorithm
negotiation support. The main features are:
- Flexibility: allows clients to know (in advance) if their desired
algorithm is supported by the server;
- Automated Issuance of KEM certificates: currently not supported in
ACME, our proposal specifies two ways to allow clients asking for such
a certificate.
Link: https://datatracker.ietf.org/doc/draft-giron-acme-pqcnegotiation/
If there is any interest, doubts, please let me know. I'll be happy to
discuss it with you.
Best regards,
--
Alexandre Augusto Giron
Federal University of Technology - Parana (UTFPR
<https://coenc.td.utfpr.edu.br/%7Egiron/>)
PhD Student at Federal University of Santa Catarina (UFSC)
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
