draft-ietf-acme-integrations-02.txt | draft-ietf-acme-integrations-03.txt
Network Working Group O. Friel
Internet-Draft R. Barnes
Intended status: Informational Cisco
Expires: May 22, 2021 | September 10, 2021 R. Shekh-Yusef
Auth0
M. Richardson
Sandelman Software Works
November 18, 2020 | March 09, 2021
ACME Integrations
draft-ietf-acme-integrations-02 | draft-ietf-acme-integrations-03
Abstract
This document outlines multiple advanced use cases and integrations
that ACME facilitates without any modifications or enhancements
required to the base ACME specification. The use cases include ACME
integration with EST, BRSKI and TEAP.
Status of This Memo
skipping to change at page 1, line 37
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 22, 2021 | September 10, 2021.
Copyright Notice
Copyright (c) 2020 | 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 19
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. ACME Integration with EST . . . . . . . . . . . . . . . . . . 3
4. ACME Integration with BRSKI . . . . . . . . . . . . . . . . . 6
5. ACME Integration with BRSKI Default Cloud Registrar . . . . . 8
6. ACME Integration with TEAP . . . . . . . . . . . . . . . . . 10
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
8. Security Considerations . . . . . . . . . . . . . . . . . . . 14
8.1. Denial of Service against ACME infrastructure . . . . . . 15
9. Informative References . . . . . . . . . . . . . . . . . . . 15 | 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17
1. Introduction
ACME [RFC8555] defines a protocol that a certificate authority (CA)
and an applicant can use to automate the process of domain name
ownership validation and X.509 (PKIX) certificate issuance. The
protocol is rich and flexible and enables multiple use cases that are
not immediately obvious from reading the specification. This
document explicitly outlines multiple advanced ACME use cases
skipping to change at page 6, line 33
[RFC7030] and defines how to autonomically bootstrap PKI trust
anchors into devices via means of signed vouchers. EST certificate
enrollment may then optionally take place after trust has been
established. BRSKI voucher exchange and trust establishment are
based on EST extensions and the certificate enrollment part of BRSKI
is fully based on EST. Similar to EST, BRSKI does not define how the
EST RA communicates with the CA. Therefore, the mechanisms outlined
in the previous section for using ACME as the communications protocol
between the EST RA and the CA are equally applicable to BRSKI.
Note that BRSKI mandates that the id-kp-cmcRA extended key usage bit
is set in the Registrar (or EST RA) end entity certificate that the
Registrar uses when signing voucher request messages sent to the
MASA. Public ACME servers may not be willing to issue end entity
certificates that have the id-kp-cmcRA extended key usage bit set.
In these scenarios, the EST RA may be used by the pledge to get
issued certificates by a public ACME server, but the EST RA itself
will need an end entity certificate that has been issued by a CA
(e.g. an operator deployed private CA) and that has the id-kp-cmcRA
bit set.
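Review bot: the added paragraph describes id-kp-cmcRA as an "extended key usage bit" three times, but extended key usage is a list of purpose OIDs in the extKeyUsage extension, not a bit field; "bit" points readers at the keyUsage extension, where there is no such flag. Suggest "the id-kp-cmcRA extended key usage" or "... extended key usage value", e.g. "Note that BRSKI mandates that the id-kp-cmcRA extended key usage is present in the Registrar (or EST RA) end entity certificate" and, in the last sentence, "that includes id-kp-cmcRA". It would also help to state explicitly what the last sentence only implies: in this deployment the RA holds one credential issued by the operator's private CA (with id-kp-cmcRA, used to sign voucher requests towards the MASA) while pledge certificates come from the public ACME server, so the RA's own certificate is not in the ACME-issued chain that pledges receive.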
The following call flow shows how ACME may be integrated into a full
BRSKI voucher plus EST enrollment workflow. For brevity, it assumes
that the EST RA has previously proven ownership of a parent domain
and that pledge certificate identifiers are a subdomain of that
parent domain. The domain ownership exchanges between the RA, ACME
and DNS are not shown. Similarly, not all BRSKI interactions are
shown and only the key protocol flows involving voucher exchange and
EST enrollment are shown.
Similar to the EST section above, the client calls EST /csrattrs API