draft-ietf-acme-star-10.txt   draft-ietf-acme-star-11.txt 
ACME Working Group Y. Sheffer ACME Working Group Y. Sheffer
Internet-Draft Intuit Internet-Draft Intuit
Intended status: Standards Track D. Lopez Intended status: Standards Track D. Lopez
Expires: April 15, 2020 O. Gonzalez de Dios Expires: April 26, 2020 O. Gonzalez de Dios
A. Pastor Perales A. Pastor Perales
Telefonica I+D Telefonica I+D
T. Fossati T. Fossati
ARM ARM
October 13, 2019 October 24, 2019
Support for Short-Term, Automatically-Renewed (STAR) Certificates in Support for Short-Term, Automatically-Renewed (STAR) Certificates in
Automated Certificate Management Environment (ACME) Automated Certificate Management Environment (ACME)
draft-ietf-acme-star-10 draft-ietf-acme-star-11
Abstract Abstract
Public-key certificates need to be revoked when they are compromised, Public-key certificates need to be revoked when they are compromised,
that is, when the associated private key is exposed to an that is, when the associated private key is exposed to an
unauthorized entity. However the revocation process is often unauthorized entity. However the revocation process is often
unreliable. An alternative to revocation is issuing a sequence of unreliable. An alternative to revocation is issuing a sequence of
certificates, each with a short validity period, and terminating this certificates, each with a short validity period, and terminating this
sequence upon compromise. This memo proposes an ACME extension to sequence upon compromise. This memo proposes an ACME extension to
enable the issuance of short-term and automatically renewed (STAR) enable the issuance of short-term and automatically renewed (STAR)
skipping to change at page 1, line 48 skipping to change at page 1, line 48
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 15, 2020. This Internet-Draft will expire on April 26, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 24 skipping to change at page 3, line 24
6.7. Cert-Not-Before and Cert-Not-After HTTP Headers . . . . . 22 6.7. Cert-Not-Before and Cert-Not-After HTTP Headers . . . . . 22
7. Security Considerations . . . . . . . . . . . . . . . . . . . 22 7. Security Considerations . . . . . . . . . . . . . . . . . . . 22
7.1. No revocation . . . . . . . . . . . . . . . . . . . . . . 22 7.1. No revocation . . . . . . . . . . . . . . . . . . . . . . 22
7.2. Denial of Service Considerations . . . . . . . . . . . . 23 7.2. Denial of Service Considerations . . . . . . . . . . . . 23
7.3. Privacy Considerations . . . . . . . . . . . . . . . . . 24 7.3. Privacy Considerations . . . . . . . . . . . . . . . . . 24
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 24 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 24
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 24 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 24
9.1. Normative References . . . . . . . . . . . . . . . . . . 24 9.1. Normative References . . . . . . . . . . . . . . . . . . 24
9.2. Informative References . . . . . . . . . . . . . . . . . 25 9.2. Informative References . . . . . . . . . . . . . . . . . 25
Appendix A. Document History . . . . . . . . . . . . . . . . . . 27 Appendix A. Document History . . . . . . . . . . . . . . . . . . 27
A.1. draft-ietf-acme-star-10 . . . . . . . . . . . . . . . . . 27 A.1. draft-ietf-acme-star-11 . . . . . . . . . . . . . . . . . 27
A.2. draft-ietf-acme-star-09 . . . . . . . . . . . . . . . . . 27 A.2. draft-ietf-acme-star-10 . . . . . . . . . . . . . . . . . 27
A.3. draft-ietf-acme-star-08 . . . . . . . . . . . . . . . . . 27 A.3. draft-ietf-acme-star-09 . . . . . . . . . . . . . . . . . 27
A.4. draft-ietf-acme-star-07 . . . . . . . . . . . . . . . . . 27 A.4. draft-ietf-acme-star-08 . . . . . . . . . . . . . . . . . 27
A.5. draft-ietf-acme-star-06 . . . . . . . . . . . . . . . . . 27 A.5. draft-ietf-acme-star-07 . . . . . . . . . . . . . . . . . 27
A.6. draft-ietf-acme-star-05 . . . . . . . . . . . . . . . . . 27 A.6. draft-ietf-acme-star-06 . . . . . . . . . . . . . . . . . 27
A.7. draft-ietf-acme-star-04 . . . . . . . . . . . . . . . . . 28 A.7. draft-ietf-acme-star-05 . . . . . . . . . . . . . . . . . 28
A.8. draft-ietf-acme-star-03 . . . . . . . . . . . . . . . . . 28 A.8. draft-ietf-acme-star-04 . . . . . . . . . . . . . . . . . 28
A.9. draft-ietf-acme-star-02 . . . . . . . . . . . . . . . . . 28 A.9. draft-ietf-acme-star-03 . . . . . . . . . . . . . . . . . 28
A.10. draft-ietf-acme-star-01 . . . . . . . . . . . . . . . . . 28 A.10. draft-ietf-acme-star-02 . . . . . . . . . . . . . . . . . 28
A.11. draft-ietf-acme-star-00 . . . . . . . . . . . . . . . . . 28 A.11. draft-ietf-acme-star-01 . . . . . . . . . . . . . . . . . 28
A.12. draft-sheffer-acme-star-02 . . . . . . . . . . . . . . . 28 A.12. draft-ietf-acme-star-00 . . . . . . . . . . . . . . . . . 28
A.13. draft-sheffer-acme-star-01 . . . . . . . . . . . . . . . 29 A.13. draft-sheffer-acme-star-02 . . . . . . . . . . . . . . . 29
A.14. draft-sheffer-acme-star-00 . . . . . . . . . . . . . . . 29 A.14. draft-sheffer-acme-star-01 . . . . . . . . . . . . . . . 29
A.15. draft-sheffer-acme-star-lurk-00 . . . . . . . . . . . . . 29 A.15. draft-sheffer-acme-star-00 . . . . . . . . . . . . . . . 29
A.16. draft-sheffer-acme-star-lurk-00 . . . . . . . . . . . . . 29
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 29 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 29
1. Introduction 1. Introduction
The ACME protocol [RFC8555] automates the process of issuing a The ACME protocol [RFC8555] automates the process of issuing a
certificate to a named entity (an Identifier Owner or IdO). certificate to a named entity (an Identifier Owner or IdO).
Typically, but not always, the identifier is a domain name. Typically, but not always, the identifier is a domain name.
If the IdO wishes to obtain a string of short-term certificates If the IdO wishes to obtain a string of short-term certificates
originating from the same private key (see [Topalovic] about why originating from the same private key (see [Topalovic] about why
skipping to change at page 12, line 5 skipping to change at page 12, line 5
3.3. Fetching the Certificates 3.3. Fetching the Certificates
The certificate is fetched from the star-certificate endpoint with The certificate is fetched from the star-certificate endpoint with
POST-as-GET as per [RFC8555] Section 7.4.2, unless client and server POST-as-GET as per [RFC8555] Section 7.4.2, unless client and server
have successfully negotiated the "unauthenticated GET" option have successfully negotiated the "unauthenticated GET" option
described in Section 3.4. In such case, the client can simply issue described in Section 3.4. In such case, the client can simply issue
a GET to the star-certificate resource without authenticating itself a GET to the star-certificate resource without authenticating itself
to the server as illustrated in Figure 6. to the server as illustrated in Figure 6.
GET /acme/cert/mAt3xBGaobw HTTP/1.1 GET /acme/cert/g7m3ZQeTEqa HTTP/1.1
Host: example.org Host: example.org
Accept: application/pem-certificate-chain Accept: application/pem-certificate-chain
HTTP/1.1 200 OK HTTP/1.1 200 OK
Content-Type: application/pem-certificate-chain Content-Type: application/pem-certificate-chain
Link: <https://example.com/acme/some-directory>;rel="index" Link: <https://example.com/acme/some-directory>;rel="index"
Cert-Not-Before: Thu, 3 Oct 2019 00:00:00 GMT Cert-Not-Before: Thu, 3 Oct 2019 00:00:00 GMT
Cert-Not-After: Thu, 10 Oct 2019 00:00:00 GMT Cert-Not-After: Thu, 10 Oct 2019 00:00:00 GMT
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
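Review bot: the Figure 6 example is internally inconsistent in a way the path change does not address: the request is sent to `Host: example.org`, while the index `Link` header points at `https://example.com/acme/some-directory`, so the two hostnames should be aligned (RFC 8555 examples use example.com throughout). Also, if `Cert-Not-Before`/`Cert-Not-After` carry HTTP-date values, IMF-fixdate requires a two-digit day of month, so `Thu, 3 Oct 2019 00:00:00 GMT` should read `Thu, 03 Oct 2019 00:00:00 GMT` (likewise `10 Oct` is already fine). The swap of `/acme/cert/mAt3xBGaobw` for `/acme/cert/g7m3ZQeTEqa` itself is consistent with the A.1 changelog entry; since the unauthenticated GET option relies on the star-certificate URL being an unguessable capability URL (cf. the W3C capability-URLs reference), it would help readers if the figure caption or surrounding text said that the path is illustrative and must be generated with sufficient randomness by the server.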
skipping to change at page 27, line 9 skipping to change at page 27, line 9
[W3C.WD-capability-urls-20140218] [W3C.WD-capability-urls-20140218]
Tennison, J., "Good Practices for Capability URLs", World Tennison, J., "Good Practices for Capability URLs", World
Wide Web Consortium WD WD-capability-urls-20140218, Wide Web Consortium WD WD-capability-urls-20140218,
February 2014, February 2014,
<http://www.w3.org/TR/2014/WD-capability-urls-20140218>. <http://www.w3.org/TR/2014/WD-capability-urls-20140218>.
Appendix A. Document History Appendix A. Document History
[[Note to RFC Editor: please remove before publication.]] [[Note to RFC Editor: please remove before publication.]]
A.1. draft-ietf-acme-star-10 A.1. draft-ietf-acme-star-11
o One more nit re: random URL
A.2. draft-ietf-acme-star-10
IESG processing: IESG processing:
o More clarity on IANA registration (Alexey); o More clarity on IANA registration (Alexey);
o HTTP header requirements adjustments (Adam); o HTTP header requirements adjustments (Adam);
o Misc editorial (Ben) o Misc editorial (Ben)
A.2. draft-ietf-acme-star-09 A.3. draft-ietf-acme-star-09
Richard and Ryan's review resulted in the following updates: Richard and Ryan's review resulted in the following updates:
o STAR Order and Directory Meta attributes renamed slightly and o STAR Order and Directory Meta attributes renamed slightly and
grouped under two brand new "auto-renewal" objects; grouped under two brand new "auto-renewal" objects;
o IANA registration updated accordingly (note that two new o IANA registration updated accordingly (note that two new
registries have been added as a consequence); registries have been added as a consequence);
o Unbounded pre-dating of certificates removed so that STAR certs o Unbounded pre-dating of certificates removed so that STAR certs
are never issued with their notBefore in the past; are never issued with their notBefore in the past;
o Changed "recurrent" to "autoRenewal" in error codes; o Changed "recurrent" to "autoRenewal" in error codes;
o Changed "recurrent" to "auto-renewal" in reference to Orders; o Changed "recurrent" to "auto-renewal" in reference to Orders;
o Added operational considerations for HTTP caches. o Added operational considerations for HTTP caches.
A.3. draft-ietf-acme-star-08 A.4. draft-ietf-acme-star-08
o Improved text on interaction with CT Logs, responding to Mehmet o Improved text on interaction with CT Logs, responding to Mehmet
Ersue's review. Ersue's review.
A.4. draft-ietf-acme-star-07 A.5. draft-ietf-acme-star-07
o Changed the HTTP headers names and clarified the IANA o Changed the HTTP headers names and clarified the IANA
registration, following feedback from the IANA expert reviewer registration, following feedback from the IANA expert reviewer
A.5. draft-ietf-acme-star-06 A.6. draft-ietf-acme-star-06
o Roman's AD review o Roman's AD review
A.6. draft-ietf-acme-star-05 A.7. draft-ietf-acme-star-05
o EKR's AD review o EKR's AD review
o A detailed example of the timing of certificate issuance and o A detailed example of the timing of certificate issuance and
predating predating
o Added an explicit client-side parameter for predating o Added an explicit client-side parameter for predating
o Security considerations around unauthenticated GET o Security considerations around unauthenticated GET
A.7. draft-ietf-acme-star-04 A.8. draft-ietf-acme-star-04
o WG last call comments by Sean Turner o WG last call comments by Sean Turner
o revokeCert interface handling o revokeCert interface handling
o Allow negotiating plain-GET for certs o Allow negotiating plain-GET for certs
o In STAR Orders, use star-certificate instead of certificate o In STAR Orders, use star-certificate instead of certificate
A.8. draft-ietf-acme-star-03 A.9. draft-ietf-acme-star-03
o Clock skew considerations o Clock skew considerations
o Recommendations for "short" in the Web use case o Recommendations for "short" in the Web use case
o CT log considerations o CT log considerations
A.9. draft-ietf-acme-star-02 A.10. draft-ietf-acme-star-02
o Discovery of STAR capabilities via the directory object o Discovery of STAR capabilities via the directory object
o Use the more generic term Identifier Owner (IdO) instead of Domain o Use the more generic term Identifier Owner (IdO) instead of Domain
Name Owner (DNO) Name Owner (DNO)
o More precision about what goes in the order o More precision about what goes in the order
o Detail server side behavior on cancellation o Detail server side behavior on cancellation
A.10. draft-ietf-acme-star-01 A.11. draft-ietf-acme-star-01
o Generalized the introduction, separating out the specifics of o Generalized the introduction, separating out the specifics of
CDNs. CDNs.
o Clean out LURK-specific text. o Clean out LURK-specific text.
o Using a POST to ensure cancellation is authenticated. o Using a POST to ensure cancellation is authenticated.
o First and last date of recurrent cert, as absolute dates. o First and last date of recurrent cert, as absolute dates.
Validity of certs in seconds. Validity of certs in seconds.
o Use RFC7807 "Problem Details" in error responses. o Use RFC7807 "Problem Details" in error responses.
o Add IANA considerations. o Add IANA considerations.
o Changed the document's title. o Changed the document's title.
A.11. draft-ietf-acme-star-00 A.12. draft-ietf-acme-star-00
o Initial working group version. o Initial working group version.
o Removed the STAR interface, the protocol between NDC and DNO. o Removed the STAR interface, the protocol between NDC and DNO.
What remains is only the extended ACME protocol. What remains is only the extended ACME protocol.
A.12. draft-sheffer-acme-star-02 A.13. draft-sheffer-acme-star-02
o Using a more generic term for the delegation client, NDC. o Using a more generic term for the delegation client, NDC.
o Added an additional use case: public cloud services. o Added an additional use case: public cloud services.
o More detail on ACME authorization. o More detail on ACME authorization.
A.13. draft-sheffer-acme-star-01 A.14. draft-sheffer-acme-star-01
o A terminology section. o A terminology section.
o Some cleanup. o Some cleanup.
A.14. draft-sheffer-acme-star-00 A.15. draft-sheffer-acme-star-00
o Renamed draft to prevent confusion with other work in this space. o Renamed draft to prevent confusion with other work in this space.
o Added an initial STAR protocol: a REST API. o Added an initial STAR protocol: a REST API.
o Discussion of CDNI use cases. o Discussion of CDNI use cases.
A.15. draft-sheffer-acme-star-lurk-00 A.16. draft-sheffer-acme-star-lurk-00
o Initial version. o Initial version.
Authors' Addresses Authors' Addresses
Yaron Sheffer Yaron Sheffer
Intuit Intuit
EMail: yaronf.ietf@gmail.com EMail: yaronf.ietf@gmail.com
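Review bot: the new A.1 entry "One more nit re: random URL" is too terse to let a reader locate the change; suggest wording it as "Replaced the star-certificate example URL in Section 3.3 (Figure 6) with a new random path", matching the style of the other entries. The renumbering of A.2 through A.16 in the appendix is consistent with the updated Table of Contents, and the expiry date (April 26, 2020) matches the new submission date of October 24, 2019.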
 End of changes. 21 change blocks. 
35 lines changed or deleted 40 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/