Hi Lloyd,
In all honesty, I think you've got things the wrong way around here. Rather than building a wall around the word "standard" and trying to police it, we should be thinking about whether our usage of those terms makes sense in the market.
The posts from Let's Encrypt et al. provide data that are informative on this question. Many of the participants in the ACME process were newcomers to the IETF. That they've put in all the effort to get an RFC published and still failed to note the various maturity levels should be instructive.
Further discussion on this point is probably a topic for another thread, though.
--Richard
On Tue, Mar 12, 2019 at 9:17 PM Lloyd Wood <lloyd.wood@xxxxxxxxxxx> wrote:
Richard,
your IETF blog post says:
"the server that needs a certificate can send in its information in a standard form"
I do get nervous seeing the 'standard' word used in IETF material; the IETF has a specific standards process, IETF material has to be careful in its terminology.
While RFC 8555 is published as an RFC and as a proposed standard, it is not yet an IETF standard.
The Let's Encrypt crowd have been saying:
"The protocol we use for automated certificate management, ACME, is now finalized as an Internet standard!"
or
"the ACME protocol became an IETF standard with RFC 8555."
or
"
The ACME Protocol is an IETF Standard
It has long been a dream of ours for there to be a standardized protocol for certificate issuance and management. That dream has become a reality now that the IETF has standardized the ACME protocol as RFC 8555."
https://letsencrypt.org/2019/03/11/acme-protocol-ietf-standard.html
which is slightly overstating it (proposed standard is NOT finalized and is NOT an IETF Standard), while inadvertently(?) dismissing the IETF standards process that you'd think active participants would understand...
"in an agreed form" is less misleading, I think.
sigh.
L.
Lloyd Wood lloyd.wood@xxxxxxxxxxx http://about.me/lloydwood
________________________________
From: Richard Barnes <rlb@xxxxxx>
To: IETF discussion list <ietf@xxxxxxxx>
Sent: Wednesday, 13 March 2019, 7:39
Subject: IETF blog post on ACME
Hey all,
In honor of ACME finally being published as an RFC, my co-authors and I wrote a quick blog post announcing ACME and why it matters:
https://www.ietf.org/blog/acme/
The tl;dr is:
- Certificates are necessary to make secure applications scale
- Getting a certificate used to be hard, but ACME makes it easy
- Now we can encrypt all the things!
For those of you more at the networking layer, think of it like DHCP -- long ago, IP address assignment was manual and slow, and we needed an automated way of handing out addresses to make the Internet scale. Same thing here, but for the PKI.
Sincere thanks to the many contributors to this work!
--Richard