This is what I see as the three hurdles towards securing access to local resources.
1. The name or other identifier that the user types in has to get translated to an IP address using some local context.
2. The certificate received has to correspond in some way with the name that the user provided.
3. The certificate received has to be valid (notBefore/notAfter), and be signed by one or more subordinate CAs that lead to a trust anchor.

On the public internet, (1) is provided by DNS, (2) is provided by the subjectAltName (now detailed by RFC9525), and (3) comes from the browser and/or operating system trust store, along with various CABFORUM rules which have reduced the validity period from 2+bit years to 1+bit years, and perhaps soon to 90 days.

There are many different ways of getting at these three points. One reason I am not enthusiastic about Michael Sweet's ACME efforts is because it does not seem to address any of these three points. It's not enough.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
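The three hurdles above map directly onto what a client library has to do before it trusts a local device. The following Go program is an added illustration and is not code from the post, from the ACME working group, or from any of the drafts discussed; it builds a constructed throwaway PKI (a local trust anchor and a leaf for the assumed name `printer.local`), stands in a constructed lookup table for hurdle (1) in place of mDNS or local DNS, and then uses the standard library's `x509.Certificate.Verify` for hurdles (2) and (3): the subjectAltName is matched against the name the user typed (not the resolved IP), the validity window is checked against a supplied clock, and the chain must end at a root in the supplied pool.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed local name table standing in for mDNS / local DNS (hurdle 1).
// Only the names here exist in this example.
var localNames = map[string]string{
	"printer.local": "192.0.2.10",
	"nas.local":     "192.0.2.11",
}

// resolveLocal translates the name the user typed into an address using local context.
func resolveLocal(name string) (string, error) {
	addr, ok := localNames[name]
	if !ok {
		return "", fmt.Errorf("no local mapping for %q", name)
	}
	return addr, nil
}

// makeCert issues a certificate from tmpl, signed by parent/parentKey,
// or self-signed when parent is nil.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildTestPKI constructs a trust anchor and a 90-day leaf for printer.local.
func buildTestPKI(now time.Time) (root, leaf *x509.Certificate, err error) {
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Local CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	root, rootKey, err := makeCert(rootTmpl, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "printer.local"},
		DNSNames:     []string{"printer.local"}, // subjectAltName checked per RFC 9525 rules
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err = makeCert(leafTmpl, root, rootKey)
	return root, leaf, err
}

// checkLocalAccess applies all three hurdles and returns the address to connect to
// only if every one of them passes.
func checkLocalAccess(typedName string, leaf *x509.Certificate, roots *x509.CertPool, now time.Time) (string, error) {
	addr, err := resolveLocal(typedName) // (1) name -> address via local context
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{
		DNSName:     typedName, // (2) SAN must match what the user typed, never the IP
		Roots:       roots,     // (3) chain must end at a trust anchor
		CurrentTime: now,       // (3) notBefore/notAfter evaluated at this instant
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if _, err := leaf.Verify(opts); err != nil {
		return "", err
	}
	return addr, nil
}

func main() {
	now := time.Now()
	root, leaf, err := buildTestPKI(now)
	if err != nil {
		panic(err)
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	for _, name := range []string{"printer.local", "nas.local", "unknown.local"} {
		addr, err := checkLocalAccess(name, leaf, pool, now)
		fmt.Printf("%-14s addr=%q err=%v\n", name, addr, err)
	}
	_, err = checkLocalAccess("printer.local", leaf, pool, now.Add(120*24*time.Hour))
	fmt.Println("120 days later:", err)
	_, err = checkLocalAccess("printer.local", leaf, x509.NewCertPool(), now)
	fmt.Println("empty trust store:", err)
}
```

Running it shows the failure modes separately: `nas.local` resolves but the certificate's SAN does not match it, `unknown.local` never gets past resolution, a clock 120 days out trips the 90-day validity, and an empty pool fails with an unknown authority even though the name and dates are fine. That separation is the point of listing the hurdles individually: a local ACME flow that only issues certificates answers none of the three by itself.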
_______________________________________________
Acme mailing list -- acme@ietf.org
To unsubscribe send an email to acme-le...@ietf.org