Submitter's message This contribution identifies some open issues associated with extending the SHAKEN PKI to support ALIII mTLS certificate issuance, and recommends solution options for consideration.
Topics include...
- ALIII mTLS certificate profile
- STI vs. ALIII certificate policies and CA approval
- Trust-list model for ALIII-approved CAs
- Relationship between SHAKEN-approved and ALIII-approved SPs
- SP authorization for ALIII mTLS certificate issuance
- SAN dNSName authorization and ACME validation
- Updates to ACME issuance procedures for ALIII mTLS certificates
-- David Hancock