Network Working Group J. Mattsson
Internet-Draft R. Skog
Intended status: Informational Ericsson
Expires: September 10, 2015 March 9, 2015

Additional Use Cases for Automatic Certificate Management (ACME)
draft-mattsson-acme-use-cases-00

Abstract

Contacting a CA is just one way in which a newly deployed HTTPS server can get hold of the certificate to use. This document describes additional (and common) use cases that fall into the major guiding use case for ACME as stated by [I-D.barnes-acme], “obtaining certificates for Web sites”.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on September 10, 2015.

Copyright Notice

Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.


Table of Contents

1. Introduction

It is well known that security features should be on by default and automatically configured. Otherwise the risk is overwhelming that the security features are left unused, or used in non-secure ways. One important task that benefits from more automation is certificate management.

The document [I-D.barnes-acme] describes the use case where an HTTPS web server contacts a certification authority (CA) to request (and often pay for) a new domain validation certificate for a domain. But contacting a CA is just one way in which a newly deployed HTTPS server can get hold of the certificate to use.

This document describes additional (and common) use cases that fall into the major guiding use case for ACME as stated by [I-D.barnes-acme], “obtaining certificates for Web sites”. To fulfill the needs of these use cases, we introduce the following certificate management function for ACME:

where the ACME server is not the CA, but rather a server operated by the domain owner.

Just as the main scenario in [I-D.barnes-acme], the scenarios in this document often uses a collection of ad hoc mechanisms. And while [I-D.barnes-acme] mentions the already horrible 1-3 hours to obtain and install certificates for a newly deployed HTTPS server, the process of transferring an existing certificate can be even more time consuming, and people flying back on forth just to manually transfer certificates is not unheard of.

2. Additional Use Cases

A newly deployed HTTPS server replacing or complementing an existing HTTPS server should import an existing certificate instead of buying a new. In the flow diagram in Figure 1, the new HTTPS server (ACME CLIENT) requests, downloads, and imports an existing certificate from a server (ACME SERVER). A PKCS#10 Certificate Signing Request (CSR) cannot be used as that creates a new certificate. Instead the client sends a request (here called CertDownload) to request download of an existing certificate. Authorization may e.g. be based on authentication of the computer operator.

ACME CLIENT                   ACME SERVER


Identifier      ------->

                <-------      Challenges

Responses       ------->

                <-------      Authorization

CertDownload    ------->

                <-------      Certificate

Figure 1: Downloading existing certificate

A large domain with several virtualized HTTPS servers is likely to have a centralized certificate repository, and a newly deployed HTTPS server should download a certificate from the central repository. The flow diagram in Figure 2 shows two separate ACME sessions. First the repository (acting as an ACME client) requests a new certificate from the CA (ACME server). Secondly the HTTPS server (ACME client) downloads the certificate from the repository (now acting as an ACME server). The two sessions are usually separated in time.

HTTPS SERVER                  REPOSITORY                              CA


                              Identifier       ------->

                                               <-------       Challenges

                              Responses        ------->

                                               <-------    Authorization

                              CSR              ------->

                                               <-------      Certificate
Identifier      ------->

                <-------      Challenges

Responses       ------->

                <-------      Authorization

CertDownload    ------->

                <-------      Certificate     

Figure 2: Downloading certificate from central repository

A newly deployed HTTPS server operated by another juridical person (e.g. a CDN provider) cannot (and shouldn’t be able to) prove ownership of the domain. The message flow in Figure 2 with two serial ACME sessions might be used also in this case. But the domain owner might be unwilling to distribute its ordinary long-term domain certificate. Instead the domain owner might only authorize the HTTPS sever to obtain a certificate with certain restriction. The restrictions could be that the certificate is only valid for a certain subdomain (e.g. cdn-aXtckW7K3Rgf29UPuGUF@example.com) and with a restricted lifetime (days instead of years). In this case two parallel ACME sessions may be used where the HTTPS server first contacts the domain owner, who proves ownership of the domain to the CA, and then forwards the newly issued certificate to the HTTPS server. An example message flow is shown in Figure 3. Authorization may e.g. be based on the HTTPS server proving ownership of a DV, OV, or EV certificate (perhaps issued in an earlier ACME session).

HTTPS SERVER                  DOMAIN OWNER                            CA


Identifier      ------->
                              Identifier       ------->

                                               <-------       Challenges
                <-------      Challenges


Responses       ------->
                              Responses        ------->

                                               <-------    Authorization
                <-------      Authorization


CSR             ------->
                              CSR              ------->

                                               <-------      Certificate
                <-------      Certificate     

Figure 3: Obtaining certificate with restrictions

3. References

[I-D.barnes-acme] Barnes, R., Eckersley, P., Schoen, S., Halderman, A. and J. Kasten, "Automatic Certificate Management Environment (ACME)", Internet-Draft draft-barnes-acme-01, January 2015.

Authors' Addresses

John Mattsson Ericsson AB SE-164 80 Stockholm Sweden EMail: john.mattsson@ericsson.com
Robert Skog Ericsson AB SE-164 80 Stockholm Sweden EMail: robert.skog@ericsson.com