Support for Short-Term, Automatically Renewed (STAR) Certificates in the Automated Certificate Management Environment (ACME)

Public-key certificates need to be revoked when they are compromised, that is, when the associated private key is exposed to an unauthorized entity. However, the revocation process is often unreliable. An alternative to revocation is issuing a sequence of certificates, each with a short validity period, and terminating this sequence upon compromise. This memo proposes an ACME extension to enable the issuance of short-term and automatically renewed (STAR) X.509 certificates. [RFC Editor: please remove before publication] While the draft is being developed, the editor's version can be found at https://github.com/yaronf/I-D/tree/master/STAR.
