ACME Challenges Using an Authority Token
draft-ietf-acme-authority-token-05
| Field | Value |
|---|---|
| Document type | Active Internet-Draft (acme WG) |
| Authors | Jon Peterson, Mary Barnes, David Hancock, Chris Wendt |
| Last updated | 2020-10-14 (latest revision 2020-03-09) |
| Stream | IETF |
| Intended RFC status | Proposed Standard |
| WG state | Submitted to IESG for Publication (wg milestone: Apr 2020 - TNAuthlist submitted...) |
| Document shepherd | Rich Salz |
| Shepherd write-up | last changed 2020-08-13 |
| IESG state | AD Evaluation::Revised I-D Needed |
| Action holders | (None) |
| Consensus boilerplate | Yes |
| Responsible AD | Roman Danyliw |
| Send notices to | Rich Salz <rsalz@akamai.com> |
Network Working Group                                        J. Peterson
Internet-Draft                                                   Neustar
Intended status: Informational                                 M. Barnes
Expires: September 10, 2020                                  Independent
                                                              D. Hancock
                                                                C. Wendt
                                                                 Comcast
                                                           March 9, 2020

ACME Challenges Using an Authority Token
draft-ietf-acme-authority-token-05

Abstract

Some proposed extensions to the Automated Certificate Management Environment (ACME) rely on proving eligibility for certificates through consulting an external authority that issues a token according to a particular policy. This document specifies a generic Authority Token challenge for ACME which supports subtype claims for different identifiers or namespaces that can be defined separately for specific applications.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on September 10, 2020.

Copyright Notice

Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Peterson, et al.           Expires September 10, 2020               [Page 1]
Internet-Draft              ACME Authority Token                  March 2020

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Challenges for an Authority Token . . . . . . . . . . . . . .   3
     3.1.  Token Type Requirements . . . . . . . . . . . . . . . . .   4
     3.2.  Authority Token Scope . . . . . . . . . . . . . . . . . .   4
     3.3.  Binding Challenges  . . . . . . . . . . . . . . . . . . .   5
   4.  ATC tkauth-type Registration  . . . . . . . . . . . . . . . .   6
   5.  Acquiring a Token . . . . . . . . . . . . . . . . . . . . . .   7
     5.1.  Basic REST Interface  . . . . . . . . . . . . . . . . . .   7
   6.  Using an Authority Token in a Challenge . . . . . . . . . . .   8
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  10
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  10
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  10
   10. Normative References  . . . . . . . . . . . . . . . . . . . .  10
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  12

1.  Introduction

ACME [RFC8555] is a mechanism for automating certificate management on the Internet. It enables administrative entities to prove effective control over resources like domain names, and automates the process of generating and issuing certificates.

In some cases, proving effective control over an identifier requires an attestation from a third party who has authority over the resource, for example, an external policy administrator for a namespace other than the DNS application ACME was originally designed to support. In order to automate the process of issuing certificates for those resources, this specification defines a generic Authority Token challenge that ACME servers can issue in order to require clients to return such a token. The challenge contains a type indication that tells the client what sort of token it needs to acquire. It is expected that the Authority Token challenge will be usable for a variety of identifier types. For example, the system of [I-D.ietf-acme-authority-token-tnauthlist]
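The flow the introduction sketches has three parties: the ACME server issues a challenge carrying a type indication, the client fetches a token from the external Token Authority, and the ACME server checks that token before issuing. The following is an added example, not code from the draft or from any ACME implementation, showing the server side of that check from a CA's point of view. The field and claim names (`tkauth-01`, `tkauth-type`, `atc`, `tktype`, `tkvalue`, `ca`, `fingerprint`) follow the form this work later took in RFC 9447 and are assumptions here, since this page shows only the introduction; the identifier values, the Token Authority URL and the keys are constructed; and HS256 with a shared secret stands in for the Token Authority's asymmetric signature so the example runs with the standard library alone.

```python
"""Added illustration of an ACME Authority Token challenge and its verification.

Assumptions (not taken from the draft text on this page): challenge and claim
names follow RFC 9447; HS256 stands in for the Token Authority's signature.
"""
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_challenge(token_authority_url: str) -> dict:
    """Challenge object the ACME server places in an authorization; the
    'tkauth-type' value tells the client which kind of token to acquire."""
    return {
        "type": "tkauth-01",
        "tkauth-type": "atc",
        "token-authority": token_authority_url,
        "token": secrets.token_urlsafe(16),
        "status": "pending",
    }


def account_key_fingerprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key, rendered as 'SHA256 <hex>'
    (the exact rendering is an assumption here). Binding the token to the
    account key is what stops a captured token being replayed by someone else."""
    required = {"OKP": ("crv", "kty", "x"), "EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True).encode()
    return "SHA256 " + hashlib.sha256(canonical).hexdigest()


def _sign(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def issue_authority_token(ta_key: bytes, tktype: str, tkvalue: str, ca: str,
                          fingerprint: str, now: int, lifetime: int = 300) -> str:
    """What the (simulated) Token Authority hands the client: a compact JWS whose
    'atc' claim scopes the token to one identifier, one CA and one account key."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": "https://ta.example",          # constructed Token Authority
        "exp": now + lifetime,
        "jti": secrets.token_urlsafe(16),     # unique id, lets the CA detect replay
        "atc": {"tktype": tktype, "tkvalue": tkvalue, "ca": ca, "fingerprint": fingerprint},
    }
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    return signing_input + "." + b64url(_sign(signing_input.encode(), ta_key))


class AuthorityTokenVerifier:
    """ACME-server-side validation of a token returned in a tkauth-01 response."""

    def __init__(self, ta_key: bytes, ca_name: str):
        self.ta_key = ta_key
        self.ca_name = ca_name
        self.seen_jti: set[str] = set()

    def verify(self, token: str, identifier: dict, account_fingerprint: str, now: int) -> tuple[bool, str]:
        try:
            h, p, s = token.split(".")
        except ValueError:
            return False, "malformed"
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":          # pin the algorithm; never trust "none"
            return False, "alg"
        expected = _sign(f"{h}.{p}".encode(), self.ta_key)
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return False, "signature"             # check the signature before reading claims
        payload = json.loads(b64url_decode(p))
        if payload.get("exp", 0) <= now:
            return False, "expired"
        atc = payload.get("atc", {})
        if atc.get("tktype") != identifier["type"] or atc.get("tkvalue") != identifier["value"]:
            return False, "identifier mismatch"   # token must cover exactly the requested identifier
        if atc.get("ca") != self.ca_name:
            return False, "wrong CA"              # a token scoped to another CA is not ours to honour
        if atc.get("fingerprint") != account_fingerprint:
            return False, "account binding"       # token was issued for a different ACME account key
        jti = payload.get("jti")
        if not jti or jti in self.seen_jti:
            return False, "replay"
        self.seen_jti.add(jti)
        return True, "ok"
```

The order of checks matters: the signature is verified before any claim is read, the algorithm is pinned, and the token is only accepted for the identifier, CA and account key it names, so a token that leaks in transit is useless to anyone holding a different ACME account key.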