Automatic Certificate Management Environment (ACME)
draft-ietf-acme-acme-07

Document type: Active Internet-Draft (acme WG)
Last updated: 2017-06-21
Stream: IETF
Intended RFC status: (None)
WG state: In WG Last Call
Document shepherd: No shepherd assigned
IESG state: I-D Exists
Consensus boilerplate: Unknown
Responsible AD: (None)
Send notices to: (None)
ACME Working Group                                             R. Barnes
Internet-Draft                                                     Cisco
Intended status: Standards Track                      J. Hoffman-Andrews
Expires: December 23, 2017                                           EFF
                                                               J. Kasten
                                                  University of Michigan
                                                           June 21, 2017

          Automatic Certificate Management Environment (ACME)
                        draft-ietf-acme-acme-07

Abstract

   Certificates in PKI using X.509 (PKIX) are used for a number of
   purposes, the most significant of which is the authentication of
   domain names.  Thus, certificate authorities in the Web PKI are
   trusted to verify that an applicant for a certificate legitimately
   represents the domain name(s) in the certificate.  Today, this
   verification is done through a collection of ad hoc mechanisms.  This
   document describes a protocol that a certification authority (CA) and
   an applicant can use to automate the process of verification and
   certificate issuance.  The protocol also provides facilities for
   other certificate management functions, such as certificate
   revocation.

   DISCLAIMER: This is a work in progress draft of ACME and has not yet
   had a thorough security analysis.

   RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH: The source for
   this draft is maintained in GitHub.  Suggested changes should be
   submitted as pull requests at https://github.com/ietf-wg-acme/acme .
   Instructions are on that page as well.  Editorial changes can be
   managed in GitHub, but any substantive change should be discussed on
   the ACME mailing list (acme@ietf.org).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

Barnes, et al.          Expires December 23, 2017               [Page 1]
Internet-Draft                    ACME                         June 2017

   This Internet-Draft will expire on December 23, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   4
   2.  Deployment Model and Operator Experience  . . . . . . . . . .   5
   3.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   6
   4.  Protocol Overview . . . . . . . . . . . . . . . . . . . . . .   6
   5.  Character Encoding  . . . . . . . . . . . . . . . . . . . . .   8
   6.  Message Transport . . . . . . . . . . . . . . . . . . . . . .   8
     6.1.  HTTPS Requests  . . . . . . . . . . . . . . . . . . . . .   9
     6.2.  Request Authentication  . . . . . . . . . . . . . . . . .   9
     6.3.  Request URL Integrity . . . . . . . . . . . . . . . . . .  10
       6.3.1.  "url" (URL) JWS header parameter  . . . . . . . . . .  11
     6.4.  Replay protection . . . . . . . . . . . . . . . . . . . .  11
       6.4.1.  Replay-Nonce  . . . . . . . . . . . . . . . . . . . .  12
       6.4.2.  "nonce" (Nonce) JWS header parameter  . . . . . . . .  12
     6.5.  Rate limits . . . . . . . . . . . . . . . . . . . . . . .  13
     6.6.  Errors  . . . . . . . . . . . . . . . . . . . . . . . . .  13
   7.  Certificate Management  . . . . . . . . . . . . . . . . . . .  15
     7.1.  Resources . . . . . . . . . . . . . . . . . . . . . . . .  15
       7.1.1.  Directory . . . . . . . . . . . . . . . . . . . . . .  17
       7.1.2.  Account Objects . . . . . . . . . . . . . . . . . . .  19
       7.1.3.  Order Objects . . . . . . . . . . . . . . . . . . . .  20
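   The outline above names the transport-level protections the draft
   builds every request on: request authentication by JWS (Section 6.2),
   the "url" JWS header parameter that binds a signed request to the URL
   it is sent to (Section 6.3), and the Replay-Nonce header with its
   "nonce" JWS header parameter that makes each signed request single-use
   (Section 6.4).  The following Python sketch is an added illustration
   of the nonce and url checks a server performs and of the protected
   header a client builds; it is not code from the draft or from any
   ACME implementation.  JWS signature verification is assumed to have
   already succeeded and is not implemented (the signature field is a
   placeholder); the CA base URL, endpoint paths, account key values and
   the in-memory nonce store are assumptions, and the error type URNs
   (badNonce, malformed) come from the draft's error registry, which is
   not reproduced on this page.

```python
# Added example, not code from draft-ietf-acme-acme-07. Models the "url"
# header check (Section 6.3) and Replay-Nonce / "nonce" single-use check
# (Section 6.4). Signature verification (Section 6.2) is assumed done.
import base64
import json
import secrets


def b64url(data: bytes) -> str:
    """Unpadded base64url, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Reverse of b64url; re-adds the padding JWS strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


ACME_ERROR = "urn:ietf:params:acme:error:"  # prefix from the draft's error registry


class AcmeServer:
    """Minimal server side: issues nonces and validates the protected header."""

    def __init__(self, base_url: str):
        self.base_url = base_url
        self._live_nonces: set[str] = set()  # assumption: single-process store

    def issue_nonce(self) -> str:
        """Unpredictable nonce, as the Replay-Nonce header value."""
        nonce = b64url(secrets.token_bytes(16))
        self._live_nonces.add(nonce)
        return nonce

    def _consume_nonce(self, nonce: str) -> bool:
        # A nonce is accepted at most once. It is retired even if a later
        # check fails, so a rejected request cannot be replayed either.
        if nonce in self._live_nonces:
            self._live_nonces.remove(nonce)
            return True
        return False

    def handle(self, request_url: str, jws: dict) -> tuple[int, dict, dict]:
        """Return (status, headers, body). Every response carries a fresh
        Replay-Nonce so the client can always build its next request."""
        headers = {"Replay-Nonce": self.issue_nonce()}
        try:
            protected = json.loads(b64url_decode(jws["protected"]))
        except (KeyError, ValueError):
            return 400, headers, {"type": ACME_ERROR + "malformed",
                                  "detail": "protected header unparseable"}
        nonce = protected.get("nonce")
        if not isinstance(nonce, str) or not self._consume_nonce(nonce):
            return 400, headers, {"type": ACME_ERROR + "badNonce",
                                  "detail": "nonce missing, unknown or already used"}
        if protected.get("url") != request_url:
            # The signature covers the protected header, so a valid JWS
            # forwarded to a different endpoint is rejected, not acted on.
            return 400, headers, {"type": ACME_ERROR + "malformed",
                                  "detail": "url header does not match request URL"}
        return 200, headers, {"status": "ok", "url": request_url}


def build_jws(nonce: str, url: str, payload: dict, jwk: dict) -> dict:
    """Client side: protected header and payload in JWS JSON serialization.
    The signature is a placeholder; a real client signs
    protected + "." + payload with its account key."""
    protected = {"alg": "ES256", "jwk": jwk, "nonce": nonce, "url": url}
    return {
        "protected": b64url(json.dumps(protected).encode()),
        "payload": b64url(json.dumps(payload).encode()),
        "signature": "placeholder-signature",  # assumption: not verified here
    }


def demo() -> list[str]:
    """Fresh request, replay of the same JWS, then a mis-routed request.
    Returns the error type of each response, or "ok"."""
    server = AcmeServer("https://ca.example/acme")  # hypothetical CA
    jwk = {"kty": "EC", "crv": "P-256",
           "x": "placeholder-x", "y": "placeholder-y"}  # hypothetical key
    url = server.base_url + "/new-order"  # hypothetical endpoint path
    nonce = server.issue_nonce()  # what a HEAD to the new-nonce URL returns
    order = {"identifiers": [{"type": "dns", "value": "example.com"}]}
    jws = build_jws(nonce, url, order, jwk)
    outcomes = []
    _, headers, body = server.handle(url, jws)
    outcomes.append(body.get("type", "ok"))
    _, headers, body = server.handle(url, jws)  # exact replay
    outcomes.append(body.get("type", "ok"))
    # Attacker forwards a fresh, validly signed request to another endpoint.
    jws2 = build_jws(headers["Replay-Nonce"], url, {}, jwk)
    _, headers, body = server.handle(server.base_url + "/revoke-cert", jws2)
    outcomes.append(body.get("type", "ok"))
    return outcomes
```

   Running demo() yields "ok" for the fresh request, badNonce for the
   replay and malformed for the mis-routed request.  Retiring the nonce
   before the url check is deliberate: a request that failed the url
   check has still consumed its nonce, so the same JWS cannot be tried
   again against the endpoint it was actually signed for.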