Eric Rescorla <[email protected]> wrote:
> One thing that's not clear to me: is the expectation that you will be
> using a public CA or that you will be using an enterprise-level one?
There are many different use cases, and it is precisely because we can't be prescriptive about the operation of the CA involved that the WG compromised on a solution that we know can be deployed today. I wasn't happy with the result, but I realized that I could live with the compromise result. The WG did consider all the points that you have raised.

1) a private-CA internal to the ACP Registrar.
2) an enterprise private-CA external to the ACP Registrar, which is embedded in another system, such as ActiveDirectory
3) when we started this work, it was possible to have (a) and (b) with anchors toward public CAs
4) an enterprise private-CA external to the ACP Registrar, which is operated by a third party, which might use ACME or something else to enroll
5) a small (or growing) enterprise entity that uses ACME to a public CA. There is no "group" policy to deploy a private CA, and there is a strong desire that the devices that are enrolled do not train users to think security exceptions are "normal". Obviously, the DN presented to a browser is not a rfc822Name, but would have to be a dnsName. The ACP rfc822Name may not be the only SAN in the certificate, but it is one that draft-ietf-acme-email-smime-08 allows the Registrar to validate.
6) virtual corporation, where most of the systems are "hosted" systems in "the" cloud. Some of these scenarios are described by https://datatracker.ietf.org/doc/draft-friel-anima-brski-cloud/
7) construction-site scenarios, where EE LDevID will "be left behind" for the eventual home owner, who could rekey into 1-6. See https://datatracker.ietf.org/doc/draft-fries-anima-brski-async-enroll/

--
Michael Richardson <[email protected]>, Sandelman Software Works
 -= IPv6 IoT consulting =-
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
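The point made in item 5 above, that one end-entity certificate can carry both the ACP rfc822Name SAN and a dnsName SAN and that each consumer only looks at the name type it understands, as an added example that is not part of this thread or of any ANIMA or ACME document. It assumes an `openssl` binary (1.1.1 or later) on PATH, and every name in it is constructed; in particular the rfc822Name local-part is a placeholder, not the ACP address encoding.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: mint a throwaway
# self-signed certificate carrying BOTH an rfc822Name and a dNSName SAN,
# then show which SAN a registrar-style check and a browser-style check
# each consume. Assumes openssl >= 1.1.1; all names are constructed.
set -e

WORK="${TMPDIR:-/tmp}/acp-san-demo.$$"
mkdir -p "$WORK"

# Constructed identities: a placeholder ACP-style mailbox name (NOT the
# real ACP address encoding) and a host name for the TLS side.
ACP_MAIL="acp-placeholder@example.com"
HOST="router1.example.com"

# Issue a one-day self-signed certificate with both SAN types.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
  -subj "/CN=$HOST" \
  -addext "subjectAltName=email:$ACP_MAIL,DNS:$HOST" >/dev/null 2>&1

# Raw SAN extension as openssl renders it, roughly:
#   X509v3 Subject Alternative Name:
#       email:acp-placeholder@example.com, DNS:router1.example.com
san_text() { openssl x509 -in "$WORK/cert.pem" -noout -ext subjectAltName; }

# Registrar-side view: the rfc822Name entries only (what ACME email
# validation would have been able to vouch for).
acp_rfc822name() {
  san_text | tr ',' '\n' | sed -n 's/^[[:space:]]*email:\(.*\)$/\1/p'
}

# TLS-client-side view: the dNSName entries only; a browser never
# matches a host name against an rfc822Name.
tls_dnsname() {
  san_text | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Browser-style host check: exit 0 when the requested name equals a
# dNSName SAN, 1 otherwise. Handing it the rfc822Name must fail.
host_matches() {
  tls_dnsname | grep -qx "$1"
}

cleanup() { rm -rf "$WORK"; }

echo "rfc822Name SAN(s) for the registrar: $(acp_rfc822name)"
echo "dNSName SAN(s) for the browser:      $(tls_dnsname)"
```

The two `sed` filters are the whole point: the same extension is read twice, and each reader discards the name type it has no rule for. A registrar that validated the mailbox via ACME gains nothing from the dNSName, and a browser presented with this certificate for `router1.example.com` never sees a "security exception" because the dNSName is there alongside the ACP name.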
