> Eric Rescorla <[email protected]> wrote:
> > One thing that's not clear to me: is the expectation that you will be
> > using a public CA or that you will be using an enterprise-level one?
>
> There are many different use cases, and it is precisely because we can't be
> prescriptive about the operation of the CA involved that the WG compromised
> on a solution that we know can be deployed today.
> I wasn't happy with the result, but I realized that I could live with the
> compromise result. The WG did consider all the points that you have raised.

Well, strictly speaking, I believe it was others who raised the points; however, I do concur with them. In any case, as Ben notes, this decision cannot be made by this WG alone.

> 1) a private-CA internal to the ACP Registrar.
>
> 2) an enterprise private-CA external to the ACP Registrar, which is embedded
> in another system, such as ActiveDirectory

I am not particularly expert on private CAs, though I see that Sean made some notes on what could be done with that software.

> 3) when we started this work, it was possible to have (a) and (b) with
> anchors toward public CAs ....
> 5) a small (or growing) enterprise entity that uses ACME to a public CA.
> There is no "group" policy to deploy a private CA, and there is a strong
> desire that the devices that are enrolled do not train users to think
> security exceptions are "normal".
> Obviously, the DN presented to a browser is not an rfc822Name,
> but would have to be a dnsName. The ACP rfc822Name
> may not be the only SAN in the certificate, but it is one that
> draft-ietf-acme-email-smime-08 allows the Registrar to validate.

I'm assuming that by "public CA" we are talking about a CA which issues certificates which are acceptable to browsers or other generic clients. On that topic, I would make a few points:

1. It is not impossible to get CAs to issue certificates with custom extensions. For instance, DigiCert issues certificates with the Delegated Credentials extension: https://engineering.fb.com/security/delegated-credentials/ It's of course possible that otherName would be different.

2. I believe the Mozilla Root Store Policy [0] would require a CA to revoke certificates used as described in this specification. See Section 6.2 (S/MIME Certificates) [1]:

   For any certificate in a hierarchy capable of being used for S/MIME, CAs MUST revoke certificates upon the occurrence of any of the following events:
   ...
   3. the CA obtains reasonable evidence that the certificate has been used for a purpose outside of that indicated in the certificate or in the CA's subscriber agreement;

I imagine that other root programs have similar restrictions. Of course this wouldn't preclude a CA that wasn't subject to these restrictions issuing ACP certificates.

-Ekr

[0] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
[1] There are a number of other clauses which I believe would also apply, but I believe this is the most on-point.
_______________________________________________ Anima mailing list [email protected] https://www.ietf.org/mailman/listinfo/anima
