[Servercert-wg] EV Certificates through automation / Pre-Authorized Certificate Approver (API)

Doug Beattie doug.beattie at globalsign.com
Fri Feb 2 11:48:00 UTC 2024


Hi Paul,

Thanks for that presentation.

I'm assuming that Entrust uses External Account Binding (EAB) to link the
MAC key and KeyID to the customer account.  Are these the API credentials
you're referring to in the presentation?

Another way to look into automating for EV is asking the question: Do we
need the concept of Certificate Approver?  While there was probably value in
this back when the EVGs were created, is there continued value of this in
2024, especially in light of the need to automate?

Regards,

Doug

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Paul van Brouwershaven via Servercert-wg
Sent: Thursday, February 1, 2024 12:41 PM
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [Servercert-wg] EV Certificates through automation / Pre-Authorized Certificate Approver (API)

As briefly introduced on the Server Certificate WG Teleconference, I would
like to bring up a topic around the use of API keys that are linked to a
Pre-Authorized Certificate Approver.

Please find some reference slides attached.

Slide 3:
How I think API keys with a Pre-Authorized Certificate Approver are
implemented today.

Slide 4:
If the API key fulfills the same requirements and is authorized by the
Certificate Approver, does it matter who creates/holds the API key with
authorization of the Certificate Approver?

Slide 5:
Does this change if the authorization was given based on a reference to an
API key, like one located in a well-known directory of the Cloud Service
Provider (CSP)? The idea is that this could enable ACME auto discovery
<https://datatracker.ietf.org/doc/draft-vanbrouwershaven-acme-auto-discovery/>
for OV and EV certificates as the Certificate Approver explicitly
approves the CSP to request certificates on their behalf.

It would be great to get people's thoughts on this!

Paul

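Doug's question about External Account Binding refers to the mechanism in RFC 8555, section 7.3.4: the CA hands the customer a key identifier and a MAC key out of band, the ACME client MACs its own account public key with that MAC key inside the newAccount request, and the CA recomputes the MAC to tie the new ACME account to the existing customer account. The Python below is an added illustration of that client-side construction and CA-side check, including the replay case where a captured EAB is attached to someone else's account key. It is not code from this thread, from Entrust, or from any CA's ACME service; the URL, key identifier, MAC key, account JWK and the CA-side key lookup are all constructed for the example.

```python
"""External Account Binding (EAB) as specified in RFC 8555, section 7.3.4.

Added worked example; not code from this thread, from Entrust or from any
CA's ACME service.  The CA issues the customer a key identifier (kid) and a
MAC key out of band.  The ACME client MACs its own account public key (as a
JWK) with that key and sends the result in its newAccount request; the CA
recomputes the MAC, which ties the fresh ACME account key to the existing
customer account.  URLs, kids and keys below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
from typing import Callable, Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_eab(kid: str, mac_key: bytes, account_jwk: dict, new_account_url: str) -> dict:
    """Client side.  The EAB is a JWS with alg in the HMAC family, kid set to
    the CA-issued identifier, url equal to the outer newAccount JWS's url,
    no nonce, and the ACME account's public JWK as payload."""
    protected = {"alg": "HS256", "kid": kid, "url": new_account_url}
    p = b64url(json.dumps(protected, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    sig = hmac.new(mac_key, f"{p}.{payload}".encode(), hashlib.sha256).digest()
    return {"protected": p, "payload": payload, "signature": b64url(sig)}


def verify_eab(eab: dict, outer_jwk: dict, expected_url: str,
               lookup_mac_key: Callable[[str], Optional[bytes]]) -> Optional[str]:
    """CA side.  Returns the customer kid the new ACME account is bound to,
    or None if the binding is invalid.  outer_jwk is the jwk from the
    newAccount request's outer JWS, i.e. the key that signed the request.
    lookup_mac_key is a hypothetical CA-side lookup of the MAC key by kid."""
    try:
        protected = json.loads(b64url_decode(eab["protected"]))
        inner_jwk = json.loads(b64url_decode(eab["payload"]))
        signature = b64url_decode(eab["signature"])
    except (KeyError, ValueError, TypeError):
        return None
    if protected.get("alg") != "HS256":        # only MAC algorithms are allowed
        return None
    if "nonce" in protected:                    # RFC 8555: EAB carries no nonce
        return None
    if protected.get("url") != expected_url:    # must match the outer JWS url
        return None
    kid = protected.get("kid")
    mac_key = lookup_mac_key(kid) if isinstance(kid, str) else None
    if mac_key is None:
        return None
    expected = hmac.new(mac_key, f'{eab["protected"]}.{eab["payload"]}'.encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    # The MAC'd key must be exactly the key that signed the newAccount request;
    # otherwise a captured EAB could be attached to someone else's account key.
    if inner_jwk != outer_jwk:
        return None
    return kid


# --- constructed demo data (not real CA or customer values) -----------------
NEW_ACCOUNT_URL = "https://acme.example/acme/new-account"
CA_EAB_KEYS = {"cust-1234": bytes.fromhex("00112233445566778899aabbccddeeff" * 2)}
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}


def demo() -> tuple:
    """Valid binding, then the same EAB replayed with a different account key."""
    eab = build_eab("cust-1234", CA_EAB_KEYS["cust-1234"], ACCOUNT_JWK, NEW_ACCOUNT_URL)
    bound_to = verify_eab(eab, ACCOUNT_JWK, NEW_ACCOUNT_URL, CA_EAB_KEYS.get)
    other_jwk = dict(ACCOUNT_JWK, x="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
    replayed = verify_eab(eab, other_jwk, NEW_ACCOUNT_URL, CA_EAB_KEYS.get)
    return bound_to, replayed


if __name__ == "__main__":
    print(demo())
```

The point for the EV discussion is the last check in verify_eab: the EAB by itself only proves possession of the CA-issued MAC key; it is the match between the MAC'd JWK and the key that signed the outer newAccount request that makes the binding to a specific ACME account non-transferable.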