Did you find any provider for RFC8823 support / email-reply-00 challenges?

[Daniel-Nashed]

I just discovered RFC8823 and I am quite excited, because it would be a game changer for e-mail encryption once widely adopted.

I don't see anyone providing it for trusted certificates. The only service I found so far is https://acme.castle.cloud/
They have a staging and production environment.

I don't see any of the larger CAs providing it.

Do you have any other providers you tested with and which we could use in production?
It's a quite young RFC, but I would have expected CA providers would jump on it quickly.

With EAB there would be ways to have accounts with payment options.

Do you have any additional providers I missed?

Thanks in advance!

Daniel

[shred]

Hi Daniel! I'm sorry, but I don't know other CAs supporting it yet. This is why the support for RFC 8823 is still experimental in acme4j. It's mainly tested against the RFC via unit tests, but not field tested yet.

I will let this issue open for a while. Maybe someone knows other CAs offering S/MIME certs via ACME protocol?

[Daniel-Nashed]

Thanks for your quick feedback!

You could test against -> https://acme.castle.cloud/
If you have DKIM setup for your domain, this should be easy to test against.

They have a staging and production environment.

Their implementation does only support e-mail challenges from what it looks like.
Registering an account worked with a ECDSA key.

The interesting part is how you would use this in production.
The ACME account should be handled by the server including the communication with the CA.
But the request flow show start on the email client.

• User requests a certificate
• Client creates private key and CSR
• Client sends CSR to server
• Server starts an ACME request with CA for user's e-mail address
• CA provides challenge
• Server waits for the challenge to arrive for the user and replies with the token
• Server waits until the challenge is valid...
• Sends CSR on behalf of the user
• Retrieves certificate and returns it to client
• Client merges private key and certificate chain

Server needs to make sure the client provides it's identity as reliable way.
Usually this isn't a problem, because clients have to authenticate against their mail server anyhow.

For a small environment without a corporate e-mail server the client could do all the operations and hold the ACME account. But for a corporate environment, this would be the flow I would want to implement.

But this would require CAs supporting it.

[augjoh]

@Daniel-Nashed For small environments, you could run your own ACME CA (server-side and client-side (older binaries)). Run the software using node.js. There is a docker container (https://hub.docker.com/r/platynum/certification-authority) providing this service, too. The documentation is a little bit hidden, but please find it here: Setup ACME S/MIME CA.

[Daniel-Nashed]

Thanks for the tip! I am mainly interested in production use.
And I working on another ACME client product --> HCL Domino CertMgr

But as long there is no widely trusted official CA (free or commercial), I can't implement it.
We have all the components in place like own DKIM implementation, full ACME client implementation.

The only missing component would be adding the challenge and intercepting the incoming messages.

Nice to meet another ACME developer virtually!

I should test our ACME client against your ACME server!
Also it would be a good test bed for S/MIME in future!

[shred]

Closing for inactivity. Feel free to reopen if necessary.