Support for Short-Term, Automatically Renewed (STAR) Certificates in the Automated Certificate Management Environment (ACME)
RFC 8739

Approval announcement
Draft of message to be sent after approval:

From: The IESG <>
To: IETF-Announce <>
Cc:, Rich Salz <>, The IESG <>,,,,,
Subject: Protocol Action: 'Support for Short-Term, Automatically-Renewed (STAR) Certificates in Automated Certificate Management Environment (ACME)' to Proposed Standard (draft-ietf-acme-star-11.txt)

The IESG has approved the following document:
- 'Support for Short-Term, Automatically-Renewed (STAR) Certificates in
   Automated Certificate Management Environment (ACME)'
  (draft-ietf-acme-star-11.txt) as Proposed Standard

This document is the product of the Automated Certificate Management
Environment Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is:

Technical Summary

   Public-key certificates need to be revoked when they are compromised,
   that is, when the associated private key is exposed to an
   unauthorized entity.  However the revocation process is often
   unreliable.  An alternative to revocation is issuing a sequence of
   certificates, each with a short validity period, and terminating this
   sequence upon compromise.  This memo proposes an ACME extension to
   enable the issuance of short-term and automatically renewed (STAR)
   X.509 certificates.

Working Group Summary

This document reflects WG consensus.  A review by the designated expert for the pertinent registries resulted in revision of the draft after IETF LC that was rerun through a WG run.

Document Quality

The document has been in circulation for 2.5 years and a WG document for 2 years. During this time it has received a variety of reviews, resulting in significant changes.  Although discussion has been light, the document reflects WG consensus.

** The MAMI implementation of this draft is being integrated with the OSM orchestrator [0] for NFV workloads;
** GSMA is considering ACME STAR as one of the reference solutions for handling encrypted content in CDNI (see also [1]);
** There has been discussion related to the use of short-term certs for non-web use cases (see [2]), for example in the ANIMA control plane [3].
** The CDNI working group plans to use this work



Rich Salz is the document shepherd; 
Roman Danyliw is the responsible AD.