Hi Paul,
Thanks for that presentation.

I'm assuming that Entrust uses External Account Binding (EAB) to link the MAC key and KeyID to the customer account. Are these the API credentials you're referring to in the presentation?

Another way to look into automating for EV is asking the question: Do we need the concept of Certificate Approver? While there was probably value in this back when the EVGs were created, is there continued value of this in 2024, especially in light of the need to automate?

Regards,
Doug

From: Servercert-wg <[email protected]> On Behalf Of Paul van Brouwershaven via Servercert-wg
Sent: Thursday, February 1, 2024 12:41 PM
To: CA/B Forum Server Certificate WG Public Discussion List <[email protected]>
Subject: [Servercert-wg] EV Certificates through automation / Pre-Authorized Certificate Approver (API)

As briefly introduced on the Server Certificate WG Teleconference, I would like to bring up a topic around the use of API keys that are linked to a Pre-Authorized Certificate Approver.

Please find some reference slides attached.

Slide 3: How I think API keys with a Pre-Authorized Certificate Approver are implemented today.

Slide 4: If the API key fulfills the same requirements and is authorized by the Certificate Approver, does it matter who creates/holds the API key with authorization of the Certificate Approver?

Slide 5: Does this change if the authorization was given based on a reference to an API key, like located in a well-known directory of the Cloud Service Provider (CSP)?

The idea is that this could enable ACME auto discovery <https://datatracker.ietf.org/doc/draft-vanbrouwershaven-acme-auto-discovery/> for OV and EV certificates as the Certificate Approver explicitly approves the CSP to request certificates on their behalf.

It would be great to get people's thoughts on this!

Paul
