An Automatic Certificate Management Environment (ACME) Profile for Generating Delegated Certificates
Draft of message to be sent after approval:
From: The IESG <email@example.com>
To: IETF-Announce <firstname.lastname@example.org>
Cc: The IESG <email@example.com>, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org
Subject: Protocol Action: 'An ACME Profile for Generating Delegated Certificates' to Proposed Standard (draft-ietf-acme-star-delegation-09.txt)

The IESG has approved the following document:

- 'An ACME Profile for Generating Delegated Certificates' (draft-ietf-acme-star-delegation-09.txt) as Proposed Standard

This document is the product of the Automated Certificate Management Environment Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-acme-star-delegation/
Technical Summary

This memo defines a profile of the Automatic Certificate Management Environment (ACME) protocol by which the owner of an identifier (e.g., a domain name) can allow a third party to obtain an X.509 certificate such that the certificate subject is the delegated identifier while the certified public key corresponds to a private key controlled by the third party. A primary use case is that of a Content Delivery Network (CDN, the third party) terminating TLS sessions on behalf of a content provider (the owner of a domain name). The presented mechanism allows the owner of the identifier to retain control over the delegation and to revoke it at any time. A key property of this mechanism is that it does not require any modification to the deployed TLS ecosystem.

Working Group Summary

The WG deliberations on this document were quiet. A normative CDDL representation for the CSR template was added as a result of the AD Review, because JSON Schema did not have a usable reference; clarifying links to the CDNI use case were added at the same time. The IETF Last Call SECDIR review led to text that is clearer on the services provided by the profile and that better distinguishes between the STAR and long-term certificate use cases.

Document Quality

The document shepherd reports that at least one CDN provider would use this, and there are indications that some commercial CAs would support this, but no commitments.

Personnel

Rich Salz is the document shepherd. Roman Danyliw is the responsible area director.