Presentation is loading. Please wait.

Presentation is loading. Please wait.

draft-friel-acme-integrations

Published byAdrien Petit Modified over 5 years ago

Similar presentations

Presentation on theme: "draft-friel-acme-integrations"— Presentation transcript:

1 draft-friel-acme-integrations
Friel, Barnes cisco

2 Use Cases ACME issuance of sub-domain certificates
Multiple client / device certificate integrations EST RFC Enrollment over Secure Transport BRSKI draft-ietf-anima-bootstrapping-keyinfra - Bootstrapping Remote Key Infrastrucutres TEAP RFC 7170 – Tunnel Extensible Authentication Protocol TEAP-BRSKI draft-lear-eap-teap-brski - Bootstrapping Key Infrastructure over EAP

3 Related Drafts draft-yusef-acme-3rd-party-device-attestation
draft-moriarty-acme-client Preliminary discussions about alignment have taken place Side meeting scheduled Coller meeting room 9am Wednesday morning

4 Sub-domain certificates
ACME mandates that The identifier in CSR must match identifier in newOrder request The identifier in the authorization object must be used when fulfilling challenges via HTTP or DNS ACME does not mandate that The identifier in a newOrder request matches the identifier in authorization object The specification therefore allows an ACME server to issue certificates for a given identifier (e.g. a subdomain) without requiring a challenge to be explicitly fulfilled against that identifier An ACME server could issue a certificate for sub.domain.com where the ACME client has only fulfilled a challenge for domain.com An ACME server could issue certificates for a number of sub-domain certificates and only require a single challenge to be fulfilled against the parent domain

5 Sub-domains with pre-authorization

6 Client / device certificate integrations
EST (which BRSKI leverages) defines the protocol that clients use to enrol with an EST Registration Authority (RA) using PKCS#10 / PKCS#7 payloads EST does not define the mechanism that the RA uses to talk to the CA TEAP (which TEAP-BRSKI leverages) defines the protocol that clients use to enrol with a TEAP server using PKCS#10 / PKCS#7 payloads TEAP does not define the mechanism that the TEAP server uses to talk to the CA The draft illustrates how ACME can be used to integrate an EST RA or a TEAP server with a CA No changes are required to EST, TEAP or ACME specifications The sub-domain proposal is a nice optimisation to facilitate issuance of large numbers of client / device certificates

7 EST -> ACME

8 Discussion Is the sub-domain use case of interest to ACME CAs?
Is this worth formally documenting? Are the client / device use cases of interest? Note: this short presentation will be given ACME, ANIMA and EMU sessions Side meeting reminder: Coller, 9am Wednesday

Download ppt "draft-friel-acme-integrations"

Similar presentations

Wireless LAN  Setup & Optimizing Wireless Client in Linux  Hacking and Cracking Wireless LAN  Setup Host Based AP ( hostap ) in Linux & freeBSD  Securing.

Wireless LAN  Setup & Optimizing Wireless Client in Linux  Hacking and Cracking Wireless LAN  Setup Host Based AP ( hostap ) in Linux & freeBSD  Securing.
Www.opendaylight.org Secure Network Bootstrapping Infrastructure May 15, 2014.

Secure Network Bootstrapping Infrastructure May 15, 2014.
Master Thesis Proposal By Nirmala Bulusu Advisor – Dr. Edward Chow Implementation of Protected Extensible Protocol (PEAP) – An IEEE 802.1x wireless LAN.

Master Thesis Proposal By Nirmala Bulusu Advisor – Dr. Edward Chow Implementation of Protected Extensible Protocol (PEAP) – An IEEE 802.1x wireless LAN.
Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.

Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.
Bootstrapping Key Infrastructures Max Pritikin IETF 91, 10 Nov 2014 Aloha!

Bootstrapping Key Infrastructures Max Pritikin IETF 91, 10 Nov 2014 Aloha!
Team - CA CSCI 5234 Web Security.  Collect and document information of ecommerce security mechanisms.  Using: wiki engine for collaboration.

Team - CA CSCI 5234 Web Security.  Collect and document information of ecommerce security mechanisms.  Using: wiki engine for collaboration.
Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.

Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.
Draft-ietf-abfab-aaa-saml Josh Howlett, JANET IETF 82.

Draft-ietf-abfab-aaa-saml Josh Howlett, JANET IETF 82.
Eugene Chang EMU WG, IETF 70

Eugene Chang EMU WG, IETF 70
Certificate Enrolment STEs Group Name: SEC#17.2 Source: Phil Hawkes, Qualcomm Inc, Meeting Date: 2015-07-08.

Certificate Enrolment STEs Group Name: SEC#17.2 Source: Phil Hawkes, Qualcomm Inc, Meeting Date:
IT:Network:Apps.  RRAS does nice job of routing ◦ NAT is nice ◦ BASIC firewall ok but somewhat weak  Communication on network (WS to SRV) is in clear.

IT:Network:Apps.  RRAS does nice job of routing ◦ NAT is nice ◦ BASIC firewall ok but somewhat weak  Communication on network (WS to SRV) is in clear.
Attribute Certificate By Ganesh Godavari. Talk About An Internet Attribute Certificate for Authorization -- RFC 3281.

Attribute Certificate By Ganesh Godavari. Talk About An Internet Attribute Certificate for Authorization -- RFC 3281.
Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.

Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.
Network access security methods Unit objective Explain the methods of ensuring network access security Explain methods of user authentication.

Network access security methods Unit objective Explain the methods of ensuring network access security Explain methods of user authentication.
July 16, 20031 Diameter EAP Application (draft-ietf-aaa-eap-02.txt) on behalf of...

July 16, Diameter EAP Application (draft-ietf-aaa-eap-02.txt) on behalf of...
1 82 nd IETF meeting NETCONF over WebSocket (http://tools.ietf.org/html/draft-iijima-netconf-websocket-ps-01 ) Tomoyuki Iijima, (Hitachi) Hiroyasu Kimura,

1 82 nd IETF meeting NETCONF over WebSocket ( ) Tomoyuki Iijima, (Hitachi) Hiroyasu Kimura,
Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.

Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.
EAP Extensions for EAP Re- authentication Protocol (ERP) draft-wu-hokey-rfc5296bis-01 Yang Shi Qin Wu Zhen Cao

EAP Extensions for EAP Re- authentication Protocol (ERP) draft-wu-hokey-rfc5296bis-01 Yang Shi Qin Wu Zhen Cao
Slide title In CAPITALS 50 pt Slide subtitle 32 pt RTSP 2.0 TLS handling Magnus Westerlund draft-ietf-mmusic-rfc2326bis-12.

Slide title In CAPITALS 50 pt Slide subtitle 32 pt RTSP 2.0 TLS handling Magnus Westerlund draft-ietf-mmusic-rfc2326bis-12.
Certificate Enrolment STEs Group Name: SEC#17.3 Source: Phil Hawkes, Qualcomm Inc, Meeting Date: 2015-07-15.

Certificate Enrolment STEs Group Name: SEC#17.3 Source: Phil Hawkes, Qualcomm Inc, Meeting Date:

Similar presentations

Ads by Google