Eric Rescorla <[email protected]> wrote:
    > One thing that's not clear to me: is the expectation that you will be
    > using a public CA or that you will be using an enterprise-level one?

There are many different use cases, and it is precisely because we can't be
prescriptive about the operation of the CA involved that the WG compromised
on a solution that we know can be deployed today.
I wasn't happy with the result, but I realized that I could live with the
compromise result.  The WG did consider all the points that you have raised.

1) a private-CA internal to the ACP Registrar.

2) an enterprise private-CA external to the ACP Registrar, which is embedded
   in another system, such as ActiveDirectory

3) when we started this work, it was possible to have (a) and (b) with
   anchors toward public CAs

4) an enterprise private-CA external to the ACP Registrar, which is
   operated by a third party, which might use ACME or something else to enroll

5) a small (or growing) enterprise entity that uses ACME to a public CA.
   There is no "group" policy to deploy a private CA, and there is a strong
   desire that the devices that are enrolled do not train users to think
   security exceptions are "normal".
   Obviously, the DN presented to a browser is not an rfc822Name,
   but would have to be a dnsName.  The ACP rfc822Name
   may not be the only SAN in the certificate, but it is one that
   draft-ietf-acme-email-smime-08 allows the Registrar to validate.

6) virtual corporation, where most of the systems are "hosted" systems
   in "the" cloud.  Some of these scenarios are described by
   https://datatracker.ietf.org/doc/draft-friel-anima-brski-cloud/

7) construction-site scenarios, where the EE LDevID will "be left behind"
   for the eventual home owner, who could rekey into 1-6.
   See https://datatracker.ietf.org/doc/draft-fries-anima-brski-async-enroll/

--
Michael Richardson <[email protected]>, Sandelman Software Works
 -= IPv6 IoT consulting =-


_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima