Hiya, On 20/04/15 17:40, Russ Housley wrote: > Stephen: > >>> I'm willing to assume that an attempt to replace things that >>> people are using will meet with vigorous discussion. >> >> Right. People are using CMC, but not afaik when dealing with any >> public CAs for getting certificates for public Internet services. I >> think CMP has some similar but much smaller set of real uses. (*) >> And I'm not sure if EST has gotten traction. SCEP has uses but >> that's another kettle of cans of worms and fish;-) >> >> I think it would be better to have the vigorous discussion about >> CMC vs.ACME-JSON-etc (if that's the one we need to have) before we >> form the WG. But is that in fact the meat of your concern here? If >> so, then I assume you'd be arguing for use of CMC/CRMF PDUs in ACME >> messages. If not, I'm not back to being puzzled. Can you clarify? > > I was not concerned about CMC, CMP, or SCEP. My concern is around > EST. The Hotspot spec points to it, and we should see if others are > using it.
(Do you have a ref for the hotspot spec? I don't know that one.) Anyway EST carries (a profile of) CMC messages [1] doesn't it? So aren't we really asking about use of CMC-defined, ASN.1 encoded payloads here after all? In case it helps, I think (open to correction of course) that everyone would be fine with re-using and not duplicating PKCS#10, at least for RSA, since that is what is well supported by well deployed code. And that seems to be in the current ACME draft. [2] So I think we're mostly talking about the bits and pieces of CMC/CRMF that go beyond PKCS#10 - and it's those that are afaik unused and where we oughtn't be fussed about duplicating (should that be what the WG wants). I do agree that we might want to think some more if there's significant deployment of EST somewhere relevant, or if a good argument that that's highly likely can be made. I also agree that asking the question "why isn't EST good enough" is totally valid, and that it'd be great if someone would summarise the earlier thread on that. [3] Cheers, S. [1] https://tools.ietf.org/html/rfc7030#section-3 [2] https://tools.ietf.org/html/draft-barnes-acme-01#section-4 [3] https://www.ietf.org/mail-archive/web/acme/current/msg00003.html > > Russ > > _______________________________________________ Acme mailing list > Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme > _______________________________________________ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme