[Servercert-wg] EV Certificates through automation / Pre-Authorized Certificate Approver (API)

Paul van Brouwershaven Paul.vanBrouwershaven at entrust.com
Thu Feb 1 17:40:39 UTC 2024

As briefly introduced on the Server Certificate WG Teleconference, I would like to bring up a topic around the use of API keys that are linked to a Pre-Authorized Certificate Approver.

Please find some reference slides attached.

Slide 3:
How I think API keys with a Pre-Authorized Certificate Approver are implemented today.

Slide 4:
If the API key fulfills the same requirements and is authorized by the Certificate Approver, does it matter who creates/holds the API key with authorization of the Certificate Approver?

Slide 5:
Does this change if the authorization was given based on a reference to an API key, like located in a well-known directory of the Cloud Service Provider (CSP)? The idea is that this could enable ACME auto discovery<https://datatracker.ietf.org/doc/draft-vanbrouwershaven-acme-auto-discovery/> for OV and EV certificates as the Certificate Approver explicitly approves the CSP to request certificates on their behalf.

It would be great to get people’s thoughts on this!


Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240201/12d20fc4/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20240201 ACME Certificate Approver.pdf
Type: application/pdf
Size: 264600 bytes
Desc: 20240201 ACME Certificate Approver.pdf
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240201/12d20fc4/attachment-0001.pdf>

More information about the Servercert-wg mailing list