Technical Summary
This memo defines a profile of the Automatic Certificate Management
Environment (ACME) protocol by which the owner of an identifier
(e.g., a domain name) can allow a third party to obtain an X.509
certificate such that the certificate subject is the delegated
identifier while the certified public key corresponds to a private
key controlled by the third party. A primary use case is that of a
Content Delivery Network (CDN, the third party) terminating TLS
sessions on behalf of a content provider (the owner of a domain
name). The presented mechanism allows the owner of the identifier to
retain control over the delegation and revoke it at any time. A key
property of this mechanism is that it does not require any modification
to the deployed TLS ecosystem.
Working Group Summary
The WG deliberations on this document were quiet.
A normative CDDL representation for the CSR template was added as a result of the AD Review, since JSON Schema did not have a usable reference. Clarifying links to the CDNI use case were added at the same time.
The IETF LC SECDIR review led to text that is clearer about the services provided by the profile and that better distinguishes between the STAR and long-term certificate use cases.
Document Quality
The document shepherd reports that at least one CDN provider would use this, and there are indications that some commercial CAs would support this, but no commitments.
Personnel
Rich Salz is the document shepherd.
Roman Danyliw is the responsible area director.