Short-Term Certificates D R A F T - I E T F - A C M E - S T A R - 0 - - PowerPoint PPT Presentation

short term certificates
SMART_READER_LITE
LIVE PREVIEW

Short-Term Certificates D R A F T - I E T F - A C M E - S T A R - 0 - - PowerPoint PPT Presentation

May 09, 2023 383 likes •482 views

Short-Term Certificates D R A F T - I E T F - A C M E - S T A R - 0 0 Y A R O N S H E F F E R , D I E G O L O P E Z , T H O M A S F O S S A T I , O S C A R G O N Z A L E Z D E D I O S , A N T O N I O P A S T O R P E R A L E S I E T F

slide-1
SLIDE 1

Short-Term Certificates

D R A F T - I E T F - A C M E - S T A R - 0 0 Y A R O N S H E F F E R , D I E G O L O P E Z , T H O M A S F O S S A T I , O S C A R G O N Z A L E Z D E D I O S , A N T O N I O P A S T O R P E R A L E S I E T F - 9 9 , P R A G U E

slide-2
SLIDE 2

Motivation

Delegate the authorization to publish a web site Securely: owner can revoke the authorization at any time And with no change to the client side (browser) Initial use case: CDN Also identified Public Cloud and IOT use cases

2

slide-3
SLIDE 3

Document Status

Split the draft in two:

  • draft-ietf-acme-star-00: adopted by this group, an ACME extension for short-term renewable certs
  • draft-sheffer-acme-star-request-00: non-WG document, protocol for the NDC to create the initial

request NDC, Name Delegation Consumer ACME Server DNO, Domain Name Owner Request STAR Cert Request STAR Cert Periodically Retrieve Certificate

3

slide-4
SLIDE 4

The ACME Extension

We are adding a few attributes to the Order resource: { "recurrent": true, "recurrent-total-lifetime": 365, "recurrent-certificate-validity": 7 } A server that doesn’t implement the extension returns a normal unextended Order object, and the client will likely abort Open: days? Minutes? Picoseconds?

4

slide-5
SLIDE 5

Fetching the STAR Certificates

All are dispensed from the single certificate endpoint Lifetime indicated by an Expires header

  • Apparently incorrect; use a private header?
  • Or have the DNC parse the cert to extract the expiry?

5

slide-6
SLIDE 6

Revocation

Adding Order cancellation to ACME DELETE /acme/order/1 HTTP/1.1 Host: acme-server.example.org How to authenticate this request? Martin proposed to replace with a POST, and have the JWS signature take care of that

  • But semantics is iffy

6

slide-7
SLIDE 7

TODO

More cleanup to remove remnants of the NDC-to-DNO part Discussion of Certificate Transparency Additional comments from the list Simple enough to go to WGLC after -01

7

slide-8
SLIDE 8

Creating the Certificate Request: draft-sheffer-acme-star-request-00

We propose to adopt it as a WG draft, as a second step It provides context to the WG draft: why are we doing what we’re doing It is not restricted to CDNs It absolutely needs to be interoperable, because there are different entities involved The draft includes security guidance, and without it there are multiple ways to do it wrong

8

slide-9
SLIDE 9

Thank You!

9