On Thu, Jul 24, 2025 at 2:55 PM Michael Richardson <[email protected]> wrote:

>
> <[email protected]> wrote:
>     > (1) the most important reason is ACME is widely used worldwide, EST not;
>
> EST is not used for getting WebPKI anchored server certificates.
> It is used extensively in private/enterprise PKIs, not just in IoT.
>
>     > internal CA uses an EST server to issue certificates for IoT devices",
>     > but we need ACME for public CA to issue publicly trusted certificate.
>
> I'm not convinced that many certificates used for client authentication will
> have identifiers that ACME can easily authorize via dns-01 or http-01.
> Yes, it's possible, but I'm not convinced the things that many people want
> will be.  Further, in order to issue the client certificates, there often
> needs to be a more complex trust relationship (business relationship) between
> the client and the CA.
>

Yes, I don't know DigiCert's current state, but back in 2019 they were
doing this already for other certificate types. To your point, there is a
different business process for something like a code signing certificate,
hence the discussion on identity proofing and stating that the process
portion is for the CA to set as that is outside of the protocol. I'll clean
up the current draft after the meeting and Q. Misell has agreed to help a
bit with a review (and contribution if needed) ahead of submitting in an
effort to reduce cycles.

Your review (and others) would be helpful as well.

Thank you,
Kathleen

>
>     > So I strongly recommend using ACME, not EST. And we need this draft for
>     > client certificates, including code signing certificates and document
>     > signing certificates, thanks.
>
> What SAN would be used for a document signing certificate?
>
> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        | network architect  [
> ]     [email protected]  http://www.sandelman.ca/        |   ruby on rails    [
>
> _______________________________________________
> Acme mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>


-- 

Best regards,
Kathleen