Extensions to Automatic Certificate Management Environment for email TLS
Isode Ltd14 Castle MewsHamptonMiddlesexTW12 2NPUKAlexey.Melnikov@isode.comACME
This document specifies identifiers and challenges required to enable
the Automated Certificate Management Environment (ACME) to issue
certificates for use by TLS email services.
is a mechanism for automating certificate
management on the Internet. It enables administrative entities to
prove effective control over resources like domain names, and
automates the process of generating and issuing certificates.
This document describes extensions to ACME for use by email services.
defines extensions for how email services (such as SMTP, IMAP)
can get certificates for use with TLS.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
this document are to be interpreted as described in
.SMTP (including SMTP submission) and IMAP servers
use TLS to provide server identity authentication, data confidentiality and integrity services.
Such TLS protected email services either use STARTTLS command or run on a separate TLS-protected port.
defines several challenge types that can be extended for use by email services.
This document also defines some new challenge types specific to SMTP and IMAP.
In order to use these challenges JWS object used by
is extended. The following extra requirements are in addition to requirements on JWS objects sent in ACME
defined in Section 6.2 of :
"service" JWS header parameter MUST be included. See for more details.
"port" JWS header parameter MUST (SHOULD?) be included. See for more details.
The "service" JWS header parameter specifies the service for which TLS server certificate should be issued.
Valid values come from "Service Names and Transport Protocol Port Numbers" IANA registry
<https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml>.
ACME server MAY include SRV-ID subjectAltNames in issued certificates.
The "port" JWS header parameter specifies the TCP port number where the corresponding
service is running.
[[This parameter might have applicability beyond email services.]]"tls-sni-email-00" is very similar to "tls-sni-01" defined in Section 8.3 of .The difference between processing of "tls-sni-email-00" and "tls-sni-01" are listed below:
SAN A MUST be constructed as follows: compute the SHA-256 digest
[FIPS180-4] of the challenge token and encode it in lowercase
hexadecimal form. The dNSName is "<x>.<y>.<token>.acme.invalid", where <x>
is the first half of the hexadecimal representation and <y> is the
second half, and <token> was generated by the ACME server.
SAN B MUST be constructed as follows: compute the SHA-256 digest of
the key authorization and encode it in lowercase hexadecimal form.
The dNSName is "<x>.<y>.<ka>.acme.invalid" where <x> is the first half of the
hexadecimal representation and <x> is the second half, and <ka> is the key authorization.
[[OPEN ISSUE: Should service name and port number be incorporated into SAN A and B?]]
When verifying the client's control of the domain/service, ACME server connects to port
as specified in "port" JWS header parameter (), instead of port 443.
When connecting to ports 25, 143 and 587, ACME server needs to use STARTTLS command.
When connecting to ports 465 or 993, ACME server initiate TLS negotiation immediately
upon connection to the corresponding ports.
In all cases ACME server presents SAN A in the SNI field, constructed as specified above.
"dns-email-00" is very similar to "dns-01" defined in Section 8.4 of .The difference between processing of "dns-email-00" and "dns-01" are listed below:
The TXT record used to validate this challenge is _<port>._<service>_acme-challenge.<domain>.
For example, for domain "example.com" and IMAP service running on port 993, the TXT record name is
_993._imaps._acme-challenge.example.com. For domain "example.net" and IMAP service running on port 143,
the TXT record name is _143._imap._acme-challenge.example.next.
[[OPEN ISSUE: Should service name and port number be incorporated into the hash?]]
For "capability-smtp-00" challenge, ACME client (== SMTP server)
constructs a key authorization from the "token" value provided in the challenge
and the client's account key. The client then computes the SHA-256
digest [FIPS180-4] of the key authorization. SMTP server than
returns the base64url encoding of this digest as a value of the "ACME" EHLO capability:
Similarly, "capability-imap-00" challenge, ACME client (== IMAP server)
constructs a key authorization from the "token" value provided in the challenge
and the client's account key. The client then computes the SHA-256
digest [FIPS180-4] of the key authorization. SMTP server than
returns the base64url encoding of this digest as a value of the "ACME" capability:
[[This section should be empty before publication]]
One possible alternative for issuing TLS certificates for email services is to define a new Identifier Type that specifies service@domain.
The current version of the document just reuses "dns".
IANA is requested to register the following ACME challenge types that are used with Identifier Type "dns":
"tls-sni-email", "dns-email", "capability-smtp" and "capability-imap". The reference for all of them is this document.
TBD.
Automatic Certificate Management Environment (ACME)
Certificates in PKI using X.509 (PKIX) are used for a number of purposes, the most significant of which is the authentication of domain names. Thus, certificate authorities in the Web PKI are trusted to verify that an applicant for a certificate legitimately represents the domain name(s) in the certificate. Today, this verification is done through a collection of ad hoc mechanisms. This document describes a protocol that a certification authority (CA) and an applicant can use to automate the process of verification and certificate issuance. The protocol also provides facilities for other certificate management functions, such as certificate revocation.