My understanding of the externalAccountBinding mechanism in RFC8555 is that
it allows a JWS account key to be approved/endorsed by some longer term
key that the CA/customer have exchanged.
I see support in the "certbot" client via the --eab* options, so I'm guessing
that it's in use by at least one CA.

My understanding is that a customer would login to some CA "sales" portal.
They do whatever dance is required to be authorized for the extra stuff.
(Whether that's EV certificates, higher transactions/hour, or just payment)
The CA sends the MAC key/ID, and the operator then runs "certbot register .."
on each machine that is going to act as a client.  That binds the locally
generated JWS account key in the CA's database with the service.  The client
then operates as "normal".

Are there CAs for which this is not the end?
For instance, are there CAs that would then ask the operator to login to
approve the binding, and/or adjust the attributes on the account?
Are there any for which the binding requires multiple authorizations?
(Like from the CTO and the CISO, or 2 out of 3...)

I'm asking because I'm trying to understand/brainstorm around
innovation/extension around per-issuance authorizations.


(ps: are there clients which know how to store this symmetric account binding
MAC in some other HSM/TPM?  Clearly a local issue)

--
Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide


_______________________________________________
Acme mailing list -- [email protected]
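The "certbot register --eab-kid ... --eab-hmac-key ..." step described in the post is, on the wire, the externalAccountBinding object of RFC 8555 section 7.3.4: an inner JWS whose protected header carries alg HS256, the CA-issued kid and the newAccount url (and no nonce), whose payload is the account's public JWK, and whose signature is an HMAC under the CA-issued MAC key. The following is an added example, written for this page and not code from the post, from certbot or from any CA; it builds that inner JWS as a client would and then applies the checks a CA must perform before accepting the binding (MAC algorithm, nonce absent, url matches the outer JWS, kid known, MAC valid, payload equals the outer "jwk"). The newAccount URL, the kid, the MAC key and the EC coordinates in the account JWK are all constructed placeholders, and signing the outer newAccount JWS with the account's private key is left out because only the EAB part is at issue here.

```python
"""RFC 8555 externalAccountBinding: client-side construction and CA-side
verification. Added example; all identifiers and key material below are
constructed placeholders, not values from any real CA or client."""
import base64
import hashlib
import hmac
import json

# Assumed newAccount URL; a real CA publishes this in its directory.
NEW_ACCOUNT_URL = "https://ca.example/acme/new-account"
# Constructed EAB key id and MAC key. A CA hands the key out base64url
# encoded, which is what certbot's --eab-hmac-key expects.
EAB_KID = "eab-kid-0001"
EAB_MAC_KEY = hashlib.sha256(b"constructed example MAC key").digest()

# MAC algorithms RFC 8555 section 7.3.4 permits for the inner JWS.
MAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed account JWK. The coordinates are arbitrary bytes, not a real
# P-256 point, because nothing here does EC signing; the EAB JWS only
# carries the JWK as its payload.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(hashlib.sha256(b"placeholder x").digest()),
    "y": b64url(hashlib.sha256(b"placeholder y").digest()),
}

EAB_MAC_KEY_B64 = b64url(EAB_MAC_KEY)  # the form the operator pastes into certbot


def canonical_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def make_eab_jws(account_jwk: dict, eab_kid: str, mac_key_b64: str,
                 new_account_url: str, alg: str = "HS256") -> dict:
    """Client side: bind the locally generated account key to the CA-issued MAC key."""
    # Protected header: alg is a MAC alg, kid is the CA's EAB key id, url is
    # the newAccount URL. A nonce MUST NOT be present in the EAB JWS.
    protected = {"alg": alg, "kid": eab_kid, "url": new_account_url}
    protected_b64 = b64url(canonical_json(protected))
    payload_b64 = b64url(canonical_json(account_jwk))  # payload is the account's public JWK
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(b64url_decode(mac_key_b64), signing_input, MAC_ALGS[alg]).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(sig)}


def build_new_account_payload(eab_jws: dict, contact: list) -> dict:
    """The newAccount request body that carries the EAB object (outer JWS signing omitted)."""
    return {"contact": contact, "termsOfServiceAgreed": True, "externalAccountBinding": eab_jws}


def verify_eab(outer_protected: dict, new_account_payload: dict, mac_keys: dict) -> str:
    """CA side: the checks of RFC 8555 section 7.3.4. Returns the EAB kid that was
    bound, or raises ValueError describing the first check that failed."""
    eab = new_account_payload.get("externalAccountBinding")
    if not isinstance(eab, dict):
        raise ValueError("no externalAccountBinding in newAccount payload")
    inner = json.loads(b64url_decode(eab["protected"]))
    alg = inner.get("alg")
    if alg not in MAC_ALGS:
        raise ValueError(f"EAB alg must be a MAC algorithm, got {alg!r}")
    if "nonce" in inner:
        raise ValueError("EAB JWS must not carry a nonce")
    if inner.get("url") != outer_protected.get("url"):
        raise ValueError("EAB url does not match the outer JWS url")
    kid = inner.get("kid")
    mac_key = mac_keys.get(kid)
    if mac_key is None:
        raise ValueError(f"unknown EAB key id {kid!r}")
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(mac_key, signing_input, MAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        raise ValueError("EAB MAC verification failed")
    # The bound key must be exactly the account key presented in the outer JWS.
    if json.loads(b64url_decode(eab["payload"])) != outer_protected.get("jwk"):
        raise ValueError("EAB payload is not the account key from the outer JWS")
    return kid


if __name__ == "__main__":
    eab = make_eab_jws(ACCOUNT_JWK, EAB_KID, EAB_MAC_KEY_B64, NEW_ACCOUNT_URL)
    body = build_new_account_payload(eab, ["mailto:[email protected]"])
    outer = {"alg": "ES256", "jwk": ACCOUNT_JWK, "nonce": "constructed-nonce", "url": NEW_ACCOUNT_URL}
    print("bound to EAB kid:", verify_eab(outer, body, {EAB_KID: EAB_MAC_KEY}))
```

The CA-side function answers the question of what actually binds the account: once verify_eab passes, the CA records the account key from the outer JWS against the kid that the MAC key was issued under, and later requests signed by that account key inherit whatever the portal attached to that kid. Any further approval step (a second login, a second authorizer) is policy layered on top of that record, not part of the JWS exchange itself.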