Thanks, Rich, inline
On Wed, Mar 01, 2023 at 12:49:33AM +0000, Salz, Rich wrote:
> > Yepp. I understand the high level point in the meantime. I wonder how commonly
> > available protocol options between registrar and CA allow to support this.
> > FullCMC seems to support it (hence also EST if CA supports fullCMC over it),
> > ACME does not. What other protocol options are relevant, which use-cases / type
> > of deployments do not have a way to pick a protocol that supports this (because
> > it's not used / available in the deployments).
>
> I don't think that the IETF has defined any CA/Registrar protocols, other
> than the BRSKI drafts. Even RFC 7030 says: "The nature of communication
> between an EST server and a CA is not described in this document."
Right. Nevertheless, EST is also offered as a protocol by CA implementations
for either pledges or registrars to sign certificates and/or retrieve trust anchors
and the like. I think when it was written it was just meant to indicate that
RA to CA could use any protocol and EST should be able to happily support the
pledge/RA leg.
> ACME's design assumed that clients talk directly to the CA.
> I'm not sure if the latest set of drafts have changed that setup.
Right. So I guess the use-case for ACME did not have a need for the
RA (sorry, I think registrar is only a term we started to use in anima,
RA is the PKI term).
> It "used to be" that almost every CA that wanted to issue certificates for
> enterprise customers had its own variety of Registrar integration. You
> couldn't walk down any of the aisles of the RSA conference and not bump into
> one. They were all custom, private. A subset had protocols or API's that let
> you plug your enterprise identity system (e.g., ActiveDirectory) into their
> provisioning system. I don't know if that kind of thing is still popular.
Haha, yes, I wasn't privy to that experience but I did hear similar things in
the past.
> All of this is a long-winded way of saying you'll have to ask around. :|
Ack.
> As for your earlier question, could a certificate end up having things that
> weren't in the CSR? Yes. Often or always. The obvious ones are issuer,
> validity period; sometimes keyUsage and extendedKeyUsage, the submitted
> SubjectDN could be modified to enforce corporate policy, references to
> certification practice statements, and so on. Especially when an enterprise
> Registrar is involved, and the organization wants client-handled keygen.
Right. But unless I have evidence of the opposite, I would assume most
or all of this comes from the CA itself, and may not be possible to do on an RA.
> Hope this helps.
Thanks. Only 999 more steps to go ;-))
Cheers
Toerless