Hi Richard,

I was not in the room when EAB was invented, but my understanding is that
it is a dance around both a technical and legal issue. People who have been
here longer than I, please correct.

Technical: if I run Mike's Web Hosting, inc, and I run one certbot with one
JWK for my billions of subscriber domains, when Mike's acmebot JWK requests
a cert for bobsblog.com against a CA cert profile that costs money, who do
we bill?

Legal: the ACME protocol can carry a Terms of Service Agreement down the
pipe to be accepted by the human user, and accepted via a

"termsOfServiceAgreed": true

in the new-account creation. The issue is, which human has to accept the
ToS? Mike's Web Hosting (who owns the acmebot) or Bob who owns bobsblog.com?
In cases where it needs to be Bob, he can read and agree to the ToS in
advance through the CA's portal and then the CA knows (via the EAB) that
ToS does not need to be done in-band in new-account. (I'm only like 40%
confident about this info, so someone please correct me.)


On Sun, 26 Oct 2025 at 11:00, Michael Richardson <[email protected]>
wrote:

>
> My understanding of the externalAccountBinding mechanism in RFC8555 is that
> it allows a JWS account key to be approved/endorsed by some longer term
> key that the CA/customer have exchanged.
> I see support in the "certbot" client via the --eab* options, so I'm
> guessing that it's in use by at least one CA.
>
> My understanding is that a customer would login to some CA "sales" portal.
> They do whatever dance is required to be authorized for the extra stuff.
> (Whether that's EV certificates, higher transactions/hour, or just payment)
> The CA sends the MAC key/ID, and the operator then runs "certbot register .."
> on each machine that is going to act as a client.  That binds the locally
> generated JWS account key in the CA's database with the service.  The
> client then operates as "normal"
>
> Are there CAs for which this is not the end?
> For instance, are there CAs that would then ask the operator to login to
> approve the binding, and/or adjust the attributes on the account?
> Are there any for which the binding requires multiple authorizations?
> (Like from the CTO and the CISO, or 2 out of 3...)
>
> I'm asking because I'm trying to understand/brainstorm around
> innovation/extension around per-issuance authorizations.
>
>
> (ps: are there clients which know how to store this symmetric account
> binding MAC in some other HSM/TPM?  Clearly a local issue)
>
> --
> Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
>            Sandelman Software Works Inc, Ottawa and Worldwide
>
>
>
>
> _______________________________________________
> Acme mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>
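As an added illustration of the mechanism both messages describe (this is example code written for this page, not certbot's or any CA's implementation), the block below builds the externalAccountBinding JWS of RFC 8555 section 7.3.4 on the client side and performs the checks a CA must make before binding the account key to the external account: MAC algorithm, no nonce, matching url, known kid, valid MAC, and the inner payload equal to the outer account JWK. The key ID, MAC key, URL, contact address and EC key coordinates are constructed sample values, and the outer newAccount JWS signed by the account key is assumed to be verified by the normal ACME layer. The tos_satisfied function is one way to model the ToS question raised above (in-band agreement or a prior acceptance recorded against the kid); it is an assumption, not a description of how any CA works.

```python
"""Building and checking an ACME externalAccountBinding (RFC 8555 section 7.3.4)
with only the Python standard library. All kids, keys, URLs and contacts here
are constructed sample values."""
import base64
import hashlib
import hmac
import json

MAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk: dict):
    """RFC 7638 thumbprint (required members only, sorted, no whitespace); None if malformed."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}.get(jwk.get("kty"))
    if not required or any(k not in jwk for k in required):
        return None
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode()).digest())


# ---- client side: what a client does with the CA-issued kid and MAC key ----

def build_eab(kid: str, mac_key: bytes, account_jwk: dict, url: str) -> dict:
    """Inner JWS: payload is the account's public JWK, MACed with the CA-issued key.
    It carries no nonce, and url must equal the outer newAccount request's url."""
    header = {"alg": "HS256", "kid": kid, "url": url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(mac_key, f"{protected}.{payload}".encode(), hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def build_new_account(kid: str, mac_key: bytes, account_jwk: dict, url: str, tos_agreed: bool) -> dict:
    """Payload of the outer newAccount JWS (the outer JWS, signed by the account key,
    is assumed to be verified by the usual ACME request layer)."""
    return {"termsOfServiceAgreed": tos_agreed,
            "contact": ["mailto:admin@example.com"],  # constructed sample contact
            "externalAccountBinding": build_eab(kid, mac_key, account_jwk, url)}


# ---- CA side: checks a server must make before binding the account ----

def verify_eab(new_account: dict, outer_jwk: dict, outer_url: str,
               mac_keys: dict, eab_required: bool) -> tuple:
    """Return (ok, detail); on success detail is the external account kid
    (None when the CA does not require EAB and none was sent)."""
    eab = new_account.get("externalAccountBinding")
    if eab is None:
        return (False, "externalAccountRequired") if eab_required else (True, None)
    try:
        header = json.loads(b64url_decode(eab["protected"]))
        bound_jwk = json.loads(b64url_decode(eab["payload"]))
        signature = b64url_decode(eab["signature"])
    except (KeyError, ValueError, TypeError):
        return False, "malformed externalAccountBinding"
    if header.get("alg") not in MAC_ALGS:
        return False, "EAB alg must be a MAC algorithm"
    if "nonce" in header:
        return False, "EAB must not carry a nonce"
    if header.get("url") != outer_url:
        return False, "EAB url differs from the outer JWS url"
    kid = header.get("kid")
    if kid not in mac_keys:
        return False, "unknown EAB kid"
    expected = hmac.new(mac_keys[kid], f"{eab['protected']}.{eab['payload']}".encode(),
                        MAC_ALGS[header["alg"]]).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return False, "EAB MAC verification failed"
    thumb = jwk_thumbprint(bound_jwk) if isinstance(bound_jwk, dict) else None
    if thumb is None or thumb != jwk_thumbprint(outer_jwk):
        return False, "EAB payload key does not match the outer account key"
    return True, kid


def tos_satisfied(new_account: dict, kid, portal_acceptances: set) -> bool:
    """Assumed model: ToS is satisfied either in-band ("termsOfServiceAgreed": true)
    or by an acceptance the CA recorded against this kid when it was issued."""
    return bool(new_account.get("termsOfServiceAgreed")) or kid in portal_acceptances


# ---- constructed sample data ----
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
OTHER_JWK = dict(ACCOUNT_JWK, x="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")  # a different key
NEW_ACCOUNT_URL = "https://ca.example/acme/new-account"
CA_MAC_KEYS = {"kid-12345": b"constructed-32-byte-mac-key-0123"}  # issued by the CA portal


def demo() -> dict:
    req = build_new_account("kid-12345", CA_MAC_KEYS["kid-12345"], ACCOUNT_JWK, NEW_ACCOUNT_URL, True)
    return {
        "good": verify_eab(req, ACCOUNT_JWK, NEW_ACCOUNT_URL, CA_MAC_KEYS, True),
        "other_key": verify_eab(req, OTHER_JWK, NEW_ACCOUNT_URL, CA_MAC_KEYS, True),
        "wrong_url": verify_eab(req, ACCOUNT_JWK, "https://ca.example/acme/new-order", CA_MAC_KEYS, True),
        "missing": verify_eab({"termsOfServiceAgreed": True}, ACCOUNT_JWK, NEW_ACCOUNT_URL, CA_MAC_KEYS, True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "other_key" case is the property the binding exists for: a valid EAB produced for one account key is rejected when presented with a different outer key, so the CA only ever associates the external account with the JWK that the MAC holder actually signed over. The MAC key is compared with hmac.compare_digest and stored server-side per kid; on the client it is the symmetric secret that the postscript above asks about keeping in an HSM/TPM.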