Network Working Group J. Mattsson Internet-Draft R. Skog Intended status: Informational Ericsson Expires: September 10, 2015 March 9, 2015 Additional Use Cases for Automatic Certificate Management (ACME) draft-mattsson-acme-use-cases-00 Abstract Contacting a CA is just one way in which a newly deployed HTTPS server can get hold of the certificate to use. This document describes additional (and common) use cases that fall into the major guiding use case for ACME as stated by [I-D.barnes-acme], "obtaining certificates for Web sites". Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on September 10, 2015. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Mattsson & Skog Expires September 10, 2015 [Page 1] Internet-Draft ACME Use Cases March 2015 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Additional Use Cases . . . . . . . . . . . . . . . . . . . . 2 3. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction It is well known that security features should be on by default and automatically configured. Otherwise the risk is overwhelming that the security features are left unused, or used in non-secure ways. One important task that benefits from more automation is certificate management. The document [I-D.barnes-acme] describes the use case where an HTTPS web server contacts a certification authority (CA) to request (and often pay for) a new domain validation certificate for a domain. But contacting a CA is just one way in which a newly deployed HTTPS server can get hold of the certificate to use. This document describes additional (and common) use cases that fall into the major guiding use case for ACME as stated by [I-D.barnes- acme], "obtaining certificates for Web sites". To fulfill the needs of these use cases, we introduce the following certificate management function for ACME: o Certificate Download where the ACME server is not the CA, but rather a server operated by the domain owner. Just as the main scenario in [I-D.barnes-acme], the scenarios in this document often uses a collection of ad hoc mechanisms. And while [I- D.barnes-acme] mentions the already horrible 1-3 hours to obtain and install certificates for a newly deployed HTTPS server, the process of transferring an existing certificate can be even more time consuming, and people flying back on forth just to manually transfer certificates is not unheard of. 2. Additional Use Cases A newly deployed HTTPS server replacing or complementing an existing HTTPS server should import an existing certificate instead of buying a new. In the flow diagram in Figure 1, the new HTTPS server (ACME CLIENT) requests, downloads, and imports an existing certificate from a server (ACME SERVER). A PKCS#10 Certificate Signing Request (CSR) cannot be used as that creates a new certificate. Instead the client Mattsson & Skog Expires September 10, 2015 [Page 2] Internet-Draft ACME Use Cases March 2015 sends a request (here called CertDownload) to request download of an existing certificate. Authorization may e.g. be based on authentication of the computer operator. ACME CLIENT ACME SERVER Identifier -------> <------- Challenges Responses -------> <------- Authorization CertDownload -------> <------- Certificate Figure 1: Downloading existing certificate A large domain with several virtualized HTTPS servers is likely to have a centralized certificate repository, and a newly deployed HTTPS server should download a certificate from the central repository. The flow diagram in Figure 2 shows two separate ACME sessions. First the repository (acting as an ACME client) requests a new certificate from the CA (ACME server). Secondly the HTTPS server (ACME client) downloads the certificate from the repository (now acting as an ACME server). The two sessions are usually separated in time. Mattsson & Skog Expires September 10, 2015 [Page 3] Internet-Draft ACME Use Cases March 2015 HTTPS SERVER REPOSITORY CA Identifier -------> <------- Challenges Responses -------> <------- Authorization CSR -------> <------- Certificate Identifier -------> <------- Challenges Responses -------> <------- Authorization CertDownload -------> <------- Certificate Figure 2: Downloading certificate from central repository A newly deployed HTTPS server operated by another juridical person (e.g. a CDN provider) cannot (and shouldn't be able to) prove ownership of the domain. The message flow in Figure 2 with two serial ACME sessions might be used also in this case. But the domain owner might be unwilling to distribute its ordinary long-term domain certificate. Instead the domain owner might only authorize the HTTPS sever to obtain a certificate with certain restriction. The restrictions could be that the certificate is only valid for a certain subdomain (e.g. cdn-aXtckW7K3Rgf29UPuGUF@example.com) and with a restricted lifetime (days instead of years). In this case two parallel ACME sessions may be used where the HTTPS server first contacts the domain owner, who proves ownership of the domain to the CA, and then forwards the newly issued certificate to the HTTPS server. An example message flow is shown in Figure 3. Authorization may e.g. be based on the HTTPS server proving ownership of a DV, OV, or EV certificate (perhaps issued in an earlier ACME session). Mattsson & Skog Expires September 10, 2015 [Page 4] Internet-Draft ACME Use Cases March 2015 HTTPS SERVER DOMAIN OWNER CA Identifier -------> Identifier -------> <------- Challenges <------- Challenges Responses -------> Responses -------> <------- Authorization <------- Authorization CSR -------> CSR -------> <------- Certificate <------- Certificate Figure 3: Obtaining certificate with restrictions 3. References [I-D.barnes-acme] Barnes, R., Eckersley, P., Schoen, S., Halderman, A., and J. Kasten, "Automatic Certificate Management Environment (ACME)", draft-barnes-acme-01 (work in progress), January 2015. Authors' Addresses John Mattsson Ericsson AB SE-164 80 Stockholm Sweden Email: john.mattsson@ericsson.com Mattsson & Skog Expires September 10, 2015 [Page 5] Internet-Draft ACME Use Cases March 2015 Robert Skog Ericsson AB SE-164 80 Stockholm Sweden Email: robert.skog@ericsson.com Mattsson & Skog Expires September 10, 2015 [Page 6]