An Automatic Certificate Management Environment (ACME) Profile for Generating Delegated Certificates

Approval announcement
Draft of message to be sent after approval:

From: The IESG <>
To: IETF-Announce <>
Cc: The IESG <>
Subject: Protocol Action: 'An ACME Profile for Generating Delegated Certificates' to Proposed Standard (draft-ietf-acme-star-delegation-09.txt)

The IESG has approved the following document:
- 'An ACME Profile for Generating Delegated Certificates'
  (draft-ietf-acme-star-delegation-09.txt) as Proposed Standard

This document is the product of the Automated Certificate Management
Environment Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is:

Technical Summary

   This memo defines a profile of the Automatic Certificate Management
   Environment (ACME) protocol by which the owner of an identifier
   (e.g., a domain name) can allow a third party to obtain an X.509
   certificate such that the certificate subject is the delegated
   identifier while the certified public key corresponds to a private
   key controlled by the third party.  A primary use case is that of a
   Content Delivery Network (CDN, the third party) terminating TLS
   sessions on behalf of a content provider (the owner of a domain
   name).  The presented mechanism allows the owner of the identifier to
   retain control over the delegation and revoke it at any time.  A key
   property of this mechanism is that it does not require any modification
   to the deployed TLS ecosystem.

Working Group Summary

The WG deliberations on this document were quiet.

A normative CDDL representation for the CSR template was added as a result of the AD review, since JSON Schema did not have a usable reference; clarifying links to the CDNI use case were added as well.

The IETF Last Call SECDIR review led to text that is clearer about the services provided by the profile and that better distinguishes between the STAR and long-term certificate use cases.

Document Quality

The document shepherd reports that at least one CDN provider would use this, and there are indications that some commercial CAs would support this, but no commitments.

Rich Salz is the document shepherd.

Roman Danyliw is the responsible area director.