Re: [Acme] ACME v06 - Pre-Authorization

Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Tue, 27 June 2017 19:05 UTC

In-Reply-To: <5c4422a1-6fbf-f3cf-18d8-41d0901e99ae@eff.org>
References: <CAGL6epJo=LmZngTH_zbvdUgV2kV3TpU24DcSV71t3LhEwDT7AA@mail.gmail.com> <f1f20829-6f42-c683-baea-cd997236c3f7@eff.org> <CAGL6epLj_dKTeS6Th2MhtQ0kOh67pJjGwYf3LswcL+DE_Xt3=g@mail.gmail.com> <5c4422a1-6fbf-f3cf-18d8-41d0901e99ae@eff.org>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Tue, 27 Jun 2017 15:05:29 -0400
Message-ID: <CAGL6ep+OUAwu8NOOgAmkj7S3SW9b5i43GQarz5-cSKVUu+WvNQ@mail.gmail.com>
To: Jacob Hoffman-Andrews <jsha@eff.org>
Cc: acme@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/e6enht4q_X6cOKUATAArnj0HxFU>
Subject: Re: [Acme] ACME v06 - Pre-Authorization

On Tue, Jun 27, 2017 at 2:29 PM, Jacob Hoffman-Andrews <jsha@eff.org> wrote:

> On 06/27/2017 05:15 AM, Rifaat Shekh-Yusef wrote:
>
>> The server would create an order object with one or more
>> authorization objects that need to be fulfilled.
>
> My point is that the pre-authorization request (i.e. new-authz) would have
> already created
> a pending authorization object with the challenges for the client.
>
> The ACME server MAY reuse existing pending authorizations, or it may
> create new ones. You should not rely on the pending authorizations that
> result from a new-order request being the same as ones previously created
> by new-authz requests.
>
Fair enough.
What would be the response from the server when it reuses an existing pending
authorization? 200 OK with the existing challenge?
Could that be spelled out in the document?

>
> What I have in mind for this is that ACME client might be representing
> more than one entity
> when it is using the pre-authorization procedure, as specified in section
> 7.4.1.
>
> The use case I have in mind is to use this pre-authorization mechanism for
> a client to issue certificates
> for a large number of *endpoints*.
>
> Instead of sending a new-authz request per endpoint, it might be useful to
> allow the client to send one
> request for a list of endpoints.
>
> I'm not clear what you mean by entity and endpoint in this question. Are
> you thinking of people, machines, companies, DNS names, IP addresses, or
> something else?
>

I am thinking of hard endpoints, like deskphones, mobile devices, etc.
I am working on an ACME endpoint extension draft that I would like to
discuss later that hopefully clarifies the use case and how I think it
could fit into the ACME mechanism.

Regards,
 Rifaat
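The caveat in the quoted reply (a server MAY reuse pending authorizations from new-authz, or create new ones, so a client must not assume the new-order authorizations are the ones it pre-authorized) as an added example, not code from the thread or from any ACME implementation: a toy in-memory server with reuse as a policy knob, and a client routine that only acts on the authorization URLs the order itself lists. All URLs and identifiers are constructed.

```python
import itertools

class ToyAcmeServer:
    """In-memory stand-in for an ACME server's authorization/order state.
    Reuse of pending authorizations is a policy knob (the thread's "MAY")."""

    def __init__(self, reuse_pending=True):
        self.reuse_pending = reuse_pending
        self.authzs = {}                 # authz URL -> authorization object
        self._ids = itertools.count(1)

    def _create_authz(self, identifier):
        url = f"https://acme.example/authz/{next(self._ids)}"   # constructed
        self.authzs[url] = {"identifier": identifier, "status": "pending",
                            "challenges": [{"type": "http-01", "status": "pending"}]}
        return url

    def new_authz(self, identifier):
        """Pre-authorization (new-authz): always yields a pending authorization."""
        return self._create_authz(identifier)

    def new_order(self, identifiers):
        """Create an order; reuse a pending authz for an identifier only if policy allows."""
        urls = []
        for ident in identifiers:
            pending = [u for u, a in self.authzs.items()
                       if a["identifier"] == ident and a["status"] == "pending"]
            urls.append(pending[0] if self.reuse_pending and pending
                        else self._create_authz(ident))
        return {"status": "pending", "identifiers": list(identifiers),
                "authorizations": urls}


def fulfill_order(server, order):
    """Client side: act on the authorizations the ORDER lists, never on URLs
    remembered from earlier new-authz calls. Returns the URLs it validated."""
    validated = []
    for url in order["authorizations"]:
        authz = server.authzs[url]
        if authz["status"] == "pending":
            authz["status"] = "valid"    # stand-in for answering the challenge
            validated.append(url)
    return validated


def order_is_ready(server, order):
    """True once every authorization referenced by the order is valid."""
    return all(server.authzs[u]["status"] == "valid"
               for u in order["authorizations"])
```

With reuse switched off, the pre-authorized object stays pending and unused while the order still completes, which is exactly the situation a client that cached its new-authz URLs would get wrong.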