Automatic Certificate Management Environment (ACME)
draft-ietf-acme-acme-14
The information below is for an old version of the document.

| Group | Field | Value |
|---|---|---|
| Document | Type | Active Internet-Draft (acme WG) |
| | Last updated | 2018-08-30 (latest revision 2018-08-10) |
| | Stream | IETF |
| | Intended RFC status | Proposed Standard |
| | Formats | plain text, pdf, html, bibtex |
| Stream | WG state | Submitted to IESG for Publication |
| | Document shepherd | Yoav Nir |
| | Shepherd write-up | last changed 2018-04-18 |
| IESG | IESG state | IESG Evaluation::Revised I-D Needed |
| | Consensus Boilerplate | Yes |
| | Telechat date | Has enough positions to pass. |
| | Responsible AD | Eric Rescorla |
| | Send notices to | Yoav Nir <ynir.ietf@gmail.com> |
| IANA | IANA review state | IANA OK - Actions Needed |
| | IANA action state | None |
ACME Working Group
Internet-Draft
Intended status: Standards Track
Expires: February 11, 2019

R. Barnes, Cisco
J. Hoffman-Andrews, EFF
D. McCarney, Let's Encrypt
J. Kasten, University of Michigan
August 10, 2018

Automatic Certificate Management Environment (ACME)
draft-ietf-acme-acme-14

Abstract

Public Key Infrastructure X.509 (PKIX) certificates are used for a number of purposes, the most significant of which is the authentication of domain names. Thus, certification authorities (CAs) in the Web PKI are trusted to verify that an applicant for a certificate legitimately represents the domain name(s) in the certificate. Today, this verification is done through a collection of ad hoc mechanisms. This document describes a protocol that a CA and an applicant can use to automate the process of verification and certificate issuance. The protocol also provides facilities for other certificate management functions, such as certificate revocation.

RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH: The source for this draft is maintained in GitHub. Suggested changes should be submitted as pull requests at https://github.com/ietf-wg-acme/acme [1]. Instructions are on that page as well. Editorial changes can be managed in GitHub, but any substantive change should be discussed on the ACME mailing list (acme@ietf.org).

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on February 11, 2019.

Barnes, et al. Expires February 11, 2019 [Page 1]

Internet-Draft ACME August 2018

Copyright Notice

Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction ..... 4
2. Deployment Model and Operator Experience ..... 5
3. Terminology ..... 7
4. Protocol Overview ..... 7
5. Character Encoding ..... 10
6. Message Transport ..... 10
6.1. HTTPS Requests ..... 10
6.2. Request Authentication ..... 11
6.3. Request URL Integrity ..... 12
6.3.1. "url" (URL) JWS Header Parameter ..... 13
6.4. Replay protection ..... 13
6.4.1. Replay-Nonce ..... 14
6.4.2. "nonce" (Nonce) JWS Header Parameter ..... 14
6.5. Rate Limits ..... 14
6.6. Errors ..... 15
6.6.1. Subproblems ..... 17
7. Certificate Management ..... 18
7.1. Resources ..... 18
7.1.1. Directory ..... 21
7.1.2. Account Objects ..... 23
7.1.3. Order Objects ..... 24
7.1.4. Authorization Objects ..... 27