Support for Short-Term, Automatically-Renewed (STAR) Certificates in Automated Certificate Management Environment (ACME)
Draft of message to be sent after approval:
From: The IESG <email@example.com> To: IETF-Announce <firstname.lastname@example.org> Cc: email@example.com, Rich Salz <firstname.lastname@example.org>, The IESG <email@example.com>, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org Subject: Protocol Action: 'Support for Short-Term, Automatically-Renewed (STAR) Certificates in Automated Certificate Management Environment (ACME)' to Proposed Standard (draft-ietf-acme-star-11.txt) The IESG has approved the following document: - 'Support for Short-Term, Automatically-Renewed (STAR) Certificates in Automated Certificate Management Environment (ACME)' (draft-ietf-acme-star-11.txt) as Proposed Standard This document is the product of the Automated Certificate Management Environment Working Group. The IESG contact persons are Benjamin Kaduk and Roman Danyliw. A URL of this Internet Draft is: https://datatracker.ietf.org/doc/draft-ietf-acme-star/
Technical Summary Public-key certificates need to be revoked when they are compromised, that is, when the associated private key is exposed to an unauthorized entity. However the revocation process is often unreliable. An alternative to revocation is issuing a sequence of certificates, each with a short validity period, and terminating this sequence upon compromise. This memo proposes an ACME extension to enable the issuance of short-term and automatically renewed (STAR) X.509 certificates. Working Group Summary This document reflects WG consensus. A review by the designated expert for the pertinent registries resulted in revision of the draft after IETF LC that was rerun through a WG run. Document Quality The document has been in circulation for 2.5 years and a WG document for 2 years. During this time it has received a variety of reviews, resulting in significant changes. Although discussion has been light, the document reflects WG consensus. ** The MAMI implementation of this draft is being integrated with the OSM orchestrator  for NFV workloads; ** GSMA is considering ACME STAR as one of the reference solutions for handling encrypted content in CDNI (see also ); ** There has been discussion related to the use of short-term certs for non-web use cases (see ), for example in the ANIMA control plane . ** The CDNI working group plans to use this work  https://osm.etsi.org  https://datatracker.ietf.org/doc/draft-ietf-cdni-interfaces-https-delegation  https://www.ietf.org/archive/id/draft-nir-saag-star-01.txt  https://datatracker.ietf.org/doc/draft-ietf-anima-autonomic-control-plane Personnel Rich Salz is the document shepherd; Roman Danyliw is the responsible AD.