Technical Summary
Public-key certificates need to be revoked when they are compromised,
that is, when the associated private key is exposed to an
unauthorized entity. However the revocation process is often
unreliable. An alternative to revocation is issuing a sequence of
certificates, each with a short validity period, and terminating this
sequence upon compromise. This memo proposes an ACME extension to
enable the issuance of short-term and automatically renewed (STAR)
X.509 certificates.
Working Group Summary
This document reflects WG consensus. A review by the designated expert for the pertinent registries resulted in revision of the draft after IETF LC that was rerun through a WG run.
Document Quality
The document has been in circulation for 2.5 years and a WG document for 2 years. During this time it has received a variety of reviews, resulting in significant changes. Although discussion has been light, the document reflects WG consensus.
** The MAMI implementation of this draft is being integrated with the OSM orchestrator [0] for NFV workloads;
** GSMA is considering ACME STAR as one of the reference solutions for handling encrypted content in CDNI (see also [1]);
** There has been discussion related to the use of short-term certs for non-web use cases (see [2]), for example in the ANIMA control plane [3].
** The CDNI working group plans to use this work
[0] https://osm.etsi.org
[1] https://datatracker.ietf.org/doc/draft-ietf-cdni-interfaces-https-delegation
[2] https://www.ietf.org/archive/id/draft-nir-saag-star-01.txt
[3] https://datatracker.ietf.org/doc/draft-ietf-anima-autonomic-control-plane
Personnel
Rich Salz is the document shepherd;
Roman Danyliw is the responsible AD.