<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>Hi Paul,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks for that presentation.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I’m assuming that Entrust uses External Account Binding (EAB) to link the MAC key and KeyID to the customer account. Are these the API credentials you’re referring to in the presentation?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Another way to look into automating for EV is asking the question: Do we need the concept of Certificate Approver? While there was probably value in this back when the EVGs were created, is there continued value of this in 2024, especially in light of the need to automate?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Regards,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Doug<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Servercert-wg <servercert-wg-bounces@cabforum.org> <b>On Behalf Of </b>Paul van Brouwershaven via Servercert-wg<br><b>Sent:</b> Thursday, February 1, 2024 12:41 PM<br><b>To:</b> CA/B Forum Server Certificate WG Public Discussion List <servercert-wg@cabforum.org><br><b>Subject:</b> [Servercert-wg] EV Certificates through automation / Pre-Authorized Certificate Approver (API)<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><span style='font-family:"Aptos",sans-serif;color:black'>As briefly introduced on the Server Certificate WG Teleconference, I would like to bring up a topic around the use of API keys that are linked to a Pre-Authorized Certificate Approver.</span><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><span style='font-family:"Aptos",sans-serif;color:black'>Please find some reference slides attached.</span><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><b><span style='font-family:"Aptos",sans-serif;color:black'>Slide 3:</span></b><span style='font-family:"Aptos",sans-serif;color:black'> <br>How I think API keys with a Pre-Authorized Certificate Approver are implemented today.</span><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><b><span style='font-family:"Aptos",sans-serif;color:black'>Slide 4:</span></b><span style='font-family:"Aptos",sans-serif;color:black'> <br>If the API key fulfills the same requirements and is authorized by the Certificate Approver, does it matter who creates/holds the API key with authorization of the Certificate Approver?</span><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><b><span style='font-family:"Aptos",sans-serif;color:black'>Slide 5:</span></b><span style='font-family:"Aptos",sans-serif;color:black'> <br>Does this change if the authorization was given based on a reference to an API key, like located in a well-known directory of the Cloud Service Provider (CSP)? The idea is that this could enable <a href="https://datatracker.ietf.org/doc/draft-vanbrouwershaven-acme-auto-discovery/" title="https://datatracker.ietf.org/doc/draft-vanbrouwershaven-acme-auto-discovery/">ACME auto discovery</a> for OV and EV certificates as the Certificate Approver explicitly approves the CSP to request certificates on their behalf.</span><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><span style='font-family:"Aptos",sans-serif;color:black'>It would be great to get people’s thoughts on this!</span><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><span style='font-family:"Aptos",sans-serif;color:black'>Paul</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-family:"Aptos",sans-serif;color:black'><o:p> </o:p></span></p></div><p class=MsoNormal><i>Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. <u>Please notify Entrust immediately and delete the message from your system.</u></i> <o:p></o:p></p></div></body></html>