ACME End User Client and Code Signing Certificates
draft-ietf-acme-client-02
IETF                                                      K. Moriarty
Internet-Draft                                      Dell Technologies
Intended status: Standards Track                      October 5, 2020
Expires: April 8, 2021
Abstract
The Automated Certificate Management Environment (ACME) core protocol
addresses the use case of web server certificates for TLS. This
document extends the ACME protocol to support end user client, device
client, and code signing certificates.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 8, 2021.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Moriarty Expires April 8, 2021 [Page 1]
Internet-Draft draft-ietf-acme-client-02 October 2020
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Identity Proofing for Client Certificates . . . . . . . . . . 2
3. End User Client Certificates . . . . . . . . . . . . . . . . 3
4. CodeSigning Certificates . . . . . . . . . . . . . . . . . . 5
5. Pre-authorization . . . . . . . . . . . . . . . . . . . . . . 8
6. Challenge Types . . . . . . . . . . . . . . . . . . . . . . . 8
6.1. One Time Password (OTP) . . . . . . . . . . . . . . . . . 8
6.1.1. HMAC-Based One-Time Password (HOTP) . . . . . . . . . 9
6.1.2. Time-Based One-Time Password (TOTP) . . . . . . . . . 9
6.1.3. Generic One Time Password (OTP) . . . . . . . . . . . 9
6.2. Public Key Cryptography . . . . . . . . . . . . . . . . . 10
6.3. WebAuthn or Public/Private Key Pairs . . . . . . . . . . 11
7. Security Considerations . . . . . . . . . . . . . . . . . . . 11
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 12
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
10.1. Normative References . . . . . . . . . . . . . . . . . . 12
10.2. Informative References . . . . . . . . . . . . . . . . . 13
10.3. URL References . . . . . . . . . . . . . . . . . . . . . 13
Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 14
Appendix B. Open Issues . . . . . . . . . . . . . . . . . . . . 14
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 14
1. Introduction
ACME [RFC8555] is a mechanism for automating certificate management
on the Internet. It enables administrative entities to prove
effective control over resources like domain names, and automates the
process of generating and issuing certificates.
The core ACME protocol defines challenge types specific to web server
certificates and allows extensions that add challenge types for other
use cases and certificate types. Client certificates, such as end user
and code signing certificates, may also benefit from automated
management to ease their deployment and maintenance; this extension
therefore defines challenge types specific to that usage.
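Every ACME challenge type, including any defined for client
certificates, rests on the same binding from the core protocol: the
CA's random token is tied to the account key through the RFC 7638 JWK
thumbprint, and the resulting key authorization is what the client
must publish and the CA must verify. The following Python is an added
example, not code from this draft or from any ACME implementation; it
computes the RFC 8555 key authorization, the http-01 and dns-01
derivations, and the CA-side check. The account key coordinates and
the token are constructed placeholders, not real key material or a
CA-issued token.

```python
# Added example (not from draft-ietf-acme-client): the RFC 8555 core
# challenge binding. The key authorization ties the CA's token to the
# account key via the RFC 7638 JWK thumbprint; http-01 and dns-01 use it
# as described in RFC 8555, Sections 8.3 and 8.4.
import base64
import hashlib
import json

# RFC 7638, Section 3.2: the members that enter the thumbprint, per key type
# (OKP per RFC 8037). Optional members such as alg, kid and use are ignored.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_canonical(jwk: dict) -> str:
    """Canonical JSON per RFC 7638: required members only, lexicographically
    sorted, no whitespace. Input member order and extra members do not matter."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    subset = {name: jwk[name] for name in members}
    return json.dumps(subset, separators=(",", ":"), sort_keys=True)


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)), RFC 7638."""
    return b64url(hashlib.sha256(jwk_canonical(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555, Section 8.1: token || '.' || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555, Section 8.4: TXT record = base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def verify_http01_response(body: str, token: str, account_jwk: dict) -> bool:
    """CA-side check of an http-01 response body (RFC 8555, Section 8.3). A body
    computed with a different account key or for a different token is rejected."""
    return body.strip() == key_authorization(token, account_jwk)


# Constructed sample inputs: a P-256 account JWK whose coordinates are treated as
# opaque placeholder strings, the same key with optional members and a different
# member order, and a placeholder token. None of this is real key material.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
ACCOUNT_JWK_WITH_EXTRAS = {
    "y": ACCOUNT_JWK["y"],
    "x": ACCOUNT_JWK["x"],
    "kid": "acme-account-1",
    "use": "sig",
    "alg": "ES256",
    "crv": "P-256",
    "kty": "EC",
}
TOKEN = "DGyRejmCefe7v4NfDGDKfA"

if __name__ == "__main__":
    ka = key_authorization(TOKEN, ACCOUNT_JWK)
    print("key authorization :", ka)
    print("dns-01 TXT value  :", dns01_txt_value(TOKEN, ACCOUNT_JWK))
    print("thumbprint ignores optional members:",
          jwk_thumbprint(ACCOUNT_JWK) == jwk_thumbprint(ACCOUNT_JWK_WITH_EXTRAS))
```

The point for an extension author is that the thumbprint, not the
raw JWK, is what the binding depends on: two serializations of the
same key must validate identically, and the CA must compare against
the account key on file rather than against whatever key the response
claims. The client-certificate challenge types this draft defines are
not shown in this excerpt; the example covers only the core binding
they would build on.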
2. Identity Proofing for Client Certificates
As with the TLS certificates defined in the core ACME document
[RFC8555], identity proofing for ACME issued end user
client, device client, and code signing certificates is a separate
process outside of the automation of ACME. Identity proofing may be
an out-of-band process, if needed, and for this draft is likely tied
to the credentials used for the defined challenge types.