smallstep / certificates

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
https://smallstep.com/certificates
Apache License 2.0

Improving ACME with ACME-STAR #258

Open sergiosanzferrero opened 4 years ago

sergiosanzferrero commented 4 years ago

What would you like to be added

It would be great if it supports ACME-STAR compatibility. https://tools.ietf.org/html/draft-ietf-acme-star-11

Why this is needed

ACME-STAR would reduce the latency that occurs when revoking certificates using OCSP or CRL, eliminating revocation and allowing the CA itself to automatically renew the certificates unless the entity requesting the certificates requests to stop issuing certificates.

dcow commented 4 years ago

Note, while we don't currently support ACME-STAR, our CA has a challenge-free renewal mechanism that uses mTLS for authentication (so it authenticates based on ownership of the private key of an issued certificate).

edit: not a draft

thomas-fossati commented 4 years ago

the ACME-STAR draft

Nitpicking :-) for a couple of months now it has not been in draft form anymore; see RFC8739. And yes, STAR gives you the same "passive revocation" that step-ca implements, except the renewal schedule is decided once at registration time and managed completely server-side instead of being client-driven.
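To make the "passive revocation" point from the last two comments concrete, here is an added example (not step-ca code and not from the issue) that models a STAR order: the renewal schedule is fixed once from the RFC 8739 `auto-renewal` fields (`start-date`, `end-date`, `lifetime`, `lifetime-adjust`) and run server-side, and the only way the client stops issuance is by canceling the order. The overlap arithmetic (pre-dating each certificate by `lifetime-adjust` percent of `lifetime`) is this example's own simplification; after a cancel, the holder of the last issued certificate is exposed for at most one more lifetime plus the pre-dating, with no OCSP or CRL round trip involved.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

Window = Tuple[datetime, datetime]  # (notBefore, notAfter) of one short-term cert


@dataclass
class StarOrder:
    """Minimal model of an RFC 8739 order with an auto-renewal object.
    Field names follow the RFC; the scheduling logic is illustrative only."""
    start_date: datetime              # auto-renewal.start-date
    end_date: datetime                # auto-renewal.end-date
    lifetime: int                     # auto-renewal.lifetime, in seconds
    lifetime_adjust: int = 0          # auto-renewal.lifetime-adjust, percent pre-dating
    canceled_at: Optional[datetime] = None  # set when the client cancels the order

    def schedule(self) -> List[Window]:
        """The schedule the CA computes once at registration: consecutive certs,
        each pre-dated so the client has time to swap before the previous expires."""
        life = timedelta(seconds=self.lifetime)
        adjust = timedelta(seconds=self.lifetime * self.lifetime_adjust // 100)
        windows, nominal = [], self.start_date
        while nominal < self.end_date:
            windows.append((nominal - adjust, min(nominal + life, self.end_date)))
            nominal += life
        return windows

    def cancel(self, at: datetime) -> None:
        """Client asks the CA to stop; certificates already issued are NOT revoked."""
        self.canceled_at = at

    def certificate_at(self, at: datetime) -> Optional[Window]:
        """What a GET on the order's star-certificate URL would serve at time `at`:
        the newest cert the CA had issued by then (and before any cancel), if unexpired."""
        issued = [w for w in self.schedule()
                  if w[0] <= at and (self.canceled_at is None or w[0] < self.canceled_at)]
        if not issued:
            return None
        newest = issued[-1]
        return newest if at < newest[1] else None

    def exposure_after_cancel(self) -> timedelta:
        """Passive-revocation bound: how long the last issued cert stays valid after cancel."""
        assert self.canceled_at is not None, "order has not been canceled"
        issued = [w for w in self.schedule() if w[0] < self.canceled_at]
        return max(w[1] for w in issued) - self.canceled_at if issued else timedelta(0)


# Constructed sample order: one week of 1-day certificates, pre-dated by 25% (6 hours).
START = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = StarOrder(START, START + timedelta(days=7), lifetime=86400, lifetime_adjust=25)
```

Canceling `SAMPLE` on 3 January at 12:00 leaves the 2 January 18:00 certificate valid until 4 January 00:00, so the exposure window is twelve hours, bounded by the lifetime rather than by how quickly relying parties refresh a CRL.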