Internet DRAFT - draft-mattsson-acme-use-cases
draft-mattsson-acme-use-cases
Network Working Group J. Mattsson
Internet-Draft R. Skog
Intended status: Informational Ericsson
Expires: September 10, 2015 March 9, 2015
Additional Use Cases for Automatic Certificate Management (ACME)
draft-mattsson-acme-use-cases-00
Abstract
Contacting a CA is just one way in which a newly deployed HTTPS
server can get hold of the certificate to use. This document
describes additional (and common) use cases that fall into the major
guiding use case for ACME as stated by [I-D.barnes-acme], "obtaining
certificates for Web sites".
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 10, 2015.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Mattsson & Skog Expires September 10, 2015 [Page 1]
�
Internet-Draft ACME Use Cases March 2015
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Additional Use Cases . . . . . . . . . . . . . . . . . . . . 2
3. References . . . . . . . . . . . . . . . . . . . . . . . . . 5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5
1. Introduction
It is well known that security features should be on by default and
automatically configured. Otherwise the risk is overwhelming that
the security features are left unused, or used in non-secure ways.
One important task that benefits from more automation is certificate
management.
The document [I-D.barnes-acme] describes the use case where an HTTPS
web server contacts a certification authority (CA) to request (and
often pay for) a new domain validation certificate for a domain. But
contacting a CA is just one way in which a newly deployed HTTPS
server can get hold of the certificate to use.
This document describes additional (and common) use cases that fall
into the major guiding use case for ACME as stated by [I-D.barnes-
acme], "obtaining certificates for Web sites". To fulfill the needs
of these use cases, we introduce the following certificate management
function for ACME:
o Certificate Download
where the ACME server is not the CA, but rather a server operated by
the domain owner.
Just as the main scenario in [I-D.barnes-acme], the scenarios in this
document often uses a collection of ad hoc mechanisms. And while [I-
D.barnes-acme] mentions the already horrible 1-3 hours to obtain and
install certificates for a newly deployed HTTPS server, the process
of transferring an existing certificate can be even more time
consuming, and people flying back on forth just to manually transfer
certificates is not unheard of.
2. Additional Use Cases
A newly deployed HTTPS server replacing or complementing an existing
HTTPS server should import an existing certificate instead of buying
a new. In the flow diagram in Figure 1, the new HTTPS server (ACME
CLIENT) requests, downloads, and imports an existing certificate from
a server (ACME SERVER). A PKCS#10 Certificate Signing Request (CSR)
cannot be used as that creates a new certificate. Instead the client
Mattsson & Skog Expires September 10, 2015 [Page 2]
�
Internet-Draft ACME Use Cases March 2015
sends a request (here called CertDownload) to request download of an
existing certificate. Authorization may e.g. be based on
authentication of the computer operator.
ACME CLIENT ACME SERVER
Identifier ------->
<------- Challenges
Responses ------->
<------- Authorization
CertDownload ------->
<------- Certificate
Figure 1: Downloading existing certificate
A large domain with several virtualized HTTPS servers is likely to
have a centralized certificate repository, and a newly deployed HTTPS
server should download a certificate from the central repository.
The flow diagram in Figure 2 shows two separate ACME sessions. First
the repository (acting as an ACME client) requests a new certificate
from the CA (ACME server). Secondly the HTTPS server (ACME client)
downloads the certificate from the repository (now acting as an ACME
server). The two sessions are usually separated in time.
Mattsson & Skog Expires September 10, 2015 [Page 3]
�
Internet-Draft ACME Use Cases March 2015
HTTPS SERVER REPOSITORY CA
Identifier ------->
<------- Challenges
Responses ------->
<------- Authorization
CSR ------->
<------- Certificate
Identifier ------->
<------- Challenges
Responses ------->
<------- Authorization
CertDownload ------->
<------- Certificate
Figure 2: Downloading certificate from central repository
A newly deployed HTTPS server operated by another juridical person
(e.g. a CDN provider) cannot (and shouldn't be able to) prove
ownership of the domain. The message flow in Figure 2 with two
serial ACME sessions might be used also in this case. But the domain
owner might be unwilling to distribute its ordinary long-term domain
certificate. Instead the domain owner might only authorize the HTTPS
sever to obtain a certificate with certain restriction. The
restrictions could be that the certificate is only valid for a
certain subdomain (e.g. cdn-aXtckW7K3Rgf29UPuGUF@example.com) and
with a restricted lifetime (days instead of years). In this case two
parallel ACME sessions may be used where the HTTPS server first
contacts the domain owner, who proves ownership of the domain to the
CA, and then forwards the newly issued certificate to the HTTPS
server. An example message flow is shown in Figure 3. Authorization
may e.g. be based on the HTTPS server proving ownership of a DV, OV,
or EV certificate (perhaps issued in an earlier ACME session).
Mattsson & Skog Expires September 10, 2015 [Page 4]
�
Internet-Draft ACME Use Cases March 2015
HTTPS SERVER DOMAIN OWNER CA
Identifier ------->
Identifier ------->
<------- Challenges
<------- Challenges
Responses ------->
Responses ------->
<------- Authorization
<------- Authorization
CSR ------->
CSR ------->
<------- Certificate
<------- Certificate
Figure 3: Obtaining certificate with restrictions
3. References
[I-D.barnes-acme]
Barnes, R., Eckersley, P., Schoen, S., Halderman, A., and
J. Kasten, "Automatic Certificate Management Environment
(ACME)", draft-barnes-acme-01 (work in progress), January
2015.
Authors' Addresses
John Mattsson
Ericsson AB
SE-164 80 Stockholm
Sweden
Email: john.mattsson@ericsson.com
Mattsson & Skog Expires September 10, 2015 [Page 5]
�
Internet-Draft ACME Use Cases March 2015
Robert Skog
Ericsson AB
SE-164 80 Stockholm
Sweden
Email: robert.skog@ericsson.com
Mattsson & Skog Expires September 10, 2015 [Page 6]
