That again could have been clearer if I’d emphasised that I like the clear benefits 
of ACME and its accounts and point-in-time validation over either CMPv2- or EST-
based schemes.

Matt G1 – NCSC Telecoms Security Consultant (Standards)
matt...@ncsc.gov.uk

From: Matt G1 <Matt.g1=40ncsc.gov...@dmarc.ietf.org>
Sent: 08 October 2025 16:24
To: Aaron Gable <aa...@letsencrypt.org>; Matt G1 <matt...@ncsc.gov.uk>
Cc: Kathleen Moriarty <kathleen.moriarty.i...@gmail.com>; Michael Richardson 
<mcr+i...@sandelman.ca>; acme@ietf.org
Subject: RE: [Acme] Re: not publishing draft-ietf-acme-client



Apologies for not being clear.

Those are noted benefits of ACME over an alternative using CMPv2 – e.g. the method 
chosen in 5G for managing client certs – and likely EST, as suggested in this thread 
as a reason to drop work on this draft.

Matt

Matt G1 – NCSC Telecoms Security Consultant (Standards)
matt...@ncsc.gov.uk

From: Aaron Gable <aaron=40letsencrypt....@dmarc.ietf.org>
Sent: 07 October 2025 21:45
To: Matt G1 <Matt.g1=40ncsc.gov...@dmarc.ietf.org>
Cc: Kathleen Moriarty <kathleen.moriarty.i...@gmail.com>; Michael Richardson 
<mcr+i...@sandelman.ca>; acme@ietf.org
Subject: [Acme] Re: not publishing draft-ietf-acme-client

Apologies because I may just be missing context, but I don't quite understand 
some of the points being made here:

On Tue, Oct 7, 2025 at 4:16 AM Matt G1 
<Matt.g1=40ncsc.gov...@dmarc.ietf.org> wrote:
- separating account management credentials from the certificate key pairs

This has always been the case in ACME -- the account key and the certificate 
key are different objects. Adding new validation methods doesn't change the 
status quo here.

Issuing a new certificate based on control/use of the key of a previous 
certificate presents obvious headaches if that key has been compromised, as well 
as the potential for cross-protocol attacks to be introduced.

None of the ACME validation methods currently in use nor proposed by this draft 
involve using a previously-issued certificate to validate issuance of a new 
one. How is this related to the acme-client draft?

Aaron
_______________________________________________
Acme mailing list -- acme@ietf.org
To unsubscribe send an email to acme-le...@ietf.org
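The point Aaron makes above, that in ACME the account key and the certificate key are different objects, is easiest to see in the shape of a single request. The Go program below is an added illustration, not code from this thread, from Let's Encrypt or from any ACME implementation. It models one ACME finalize request (RFC 8555 section 7.4): the client self-signs a CSR with the certificate key and then wraps it in a JWS signed with the account key; the server authenticates the JWS with the account key on file, checks nonce and URL, verifies the CSR's own signature, and refuses to certify a key that equals the account key, the separation RFC 8555 section 11.1 asks clients and servers to maintain. The account URL, nonce, finalize URL and DNS names are constructed placeholders, and nonce handling is reduced to one expected value rather than a server-side nonce store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// JWS and ACME use base64url without padding (RFC 7515, RFC 8555).
var b64 = base64.RawURLEncoding

// FinalizeJWS is the flattened JWS JSON serialization every ACME request uses
// (RFC 8555 section 6.2). The signature is always made with the *account* key.
type FinalizeJWS struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// jwsSig encodes an ECDSA (r, s) pair as the fixed-width R||S bytes ES256 requires.
func jwsSig(r, s *big.Int) []byte {
	out := make([]byte, 64)
	r.FillBytes(out[:32])
	s.FillBytes(out[32:])
	return out
}

// BuildCSR is the client side: a CSR self-signed with the *certificate* key.
// It refuses to reuse the account key, as RFC 8555 section 11.1 tells clients to.
func BuildCSR(certKey, accountKey *ecdsa.PrivateKey, dnsNames []string) ([]byte, error) {
	if certKey.PublicKey.Equal(&accountKey.PublicKey) {
		return nil, errors.New("client: account key must not be the certificate key")
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: dnsNames[0]}, DNSNames: dnsNames}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, certKey)
}

// SignFinalize wraps the CSR in a finalize request signed by the *account* key.
// kid, nonce and url are the protected-header fields RFC 8555 requires on every request.
func SignFinalize(accountKey *ecdsa.PrivateKey, kid, nonce, url string, csrDER []byte) (*FinalizeJWS, error) {
	protected, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid, "nonce": nonce, "url": url})
	payload, _ := json.Marshal(map[string]string{"csr": b64.EncodeToString(csrDER)})
	jws := &FinalizeJWS{Protected: b64.EncodeToString(protected), Payload: b64.EncodeToString(payload)}
	digest := sha256.Sum256([]byte(jws.Protected + "." + jws.Payload))
	r, s, err := ecdsa.Sign(rand.Reader, accountKey, digest[:])
	if err != nil {
		return nil, err
	}
	jws.Signature = b64.EncodeToString(jwsSig(r, s))
	return jws, nil
}

// VerifyFinalize is the server side: authenticate the request with the account key
// on file, check nonce and URL, verify the CSR's own signature, and refuse to
// certify the account key itself.
func VerifyFinalize(jws *FinalizeJWS, accountPub *ecdsa.PublicKey, wantNonce, wantURL string) (*x509.CertificateRequest, error) {
	sig, err := b64.DecodeString(jws.Signature)
	if err != nil || len(sig) != 64 {
		return nil, errors.New("malformed ES256 signature")
	}
	digest := sha256.Sum256([]byte(jws.Protected + "." + jws.Payload))
	if !ecdsa.Verify(accountPub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("request not signed by the account key")
	}
	var hdr struct {
		Alg   string `json:"alg"`
		Nonce string `json:"nonce"`
		URL   string `json:"url"`
	}
	if raw, err := b64.DecodeString(jws.Protected); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("malformed protected header")
	}
	if hdr.Alg != "ES256" || hdr.Nonce != wantNonce || hdr.URL != wantURL {
		return nil, errors.New("protected header mismatch: alg, nonce or url")
	}
	var body struct {
		CSR string `json:"csr"`
	}
	if raw, err := b64.DecodeString(jws.Payload); err != nil || json.Unmarshal(raw, &body) != nil {
		return nil, errors.New("malformed payload")
	}
	csrDER, err := b64.DecodeString(body.CSR)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR self-signature invalid: %w", err)
	}
	if pub, ok := csr.PublicKey.(*ecdsa.PublicKey); ok && pub.Equal(accountPub) {
		return nil, errors.New("server: CSR key equals account key; refusing to issue")
	}
	return csr, nil
}

func main() {
	accountKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // authenticates the account
	certKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)    // ends up in the certificate
	// Placeholder identifiers for the walkthrough; a real server issues the nonce and URLs.
	const kid, nonce, url = "https://acme.example/acct/1", "nonce-1", "https://acme.example/finalize/1"
	csrDER, err := BuildCSR(certKey, accountKey, []string{"www.example.test"})
	if err != nil {
		panic(err)
	}
	jws, _ := SignFinalize(accountKey, kid, nonce, url, csrDER)
	if csr, err := VerifyFinalize(jws, &accountKey.PublicKey, nonce, url); err == nil {
		fmt.Println("account-signed finalize accepted for", csr.DNSNames)
	}
	// The same CSR under a JWS signed by the certificate key is not an account request.
	bad, _ := SignFinalize(certKey, kid, nonce, url, csrDER)
	_, err = VerifyFinalize(bad, &accountKey.PublicKey, nonce, url)
	fmt.Println("cert-key-signed finalize:", err)
}
```

Note that nothing in the request lets the certificate key stand in for the account key or vice versa: the JWS is verified only against the account key on file, the CSR only against the key it carries, and the server rejects a CSR whose key is the account key. Replacing the nonce check with a real nonce store is the only change needed to make the server side match RFC 8555 behaviour on replay.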