hack.lu 2023

ACME: benefits of deploying an Internet Security protocol inside your corporate network
10-18, 15:30–16:00 (Europe/Luxembourg), Salle Europe

This talk will give feedback on the deployment of an ACME proxy in front of a private Certificate Authority (CA). I will explain the caveats of our private CA setup and why we decided to add ACME to our corporate CA architecture. I will then present the expected (and unexpected!) benefits of using this Internet security protocol inside your corporate network. Finally, some new opportunities proposed by the industry that rely on ACME being used inside corporate networks will be covered.

This talk will give feedback on the deployment of an ACME proxy in front of a private Certificate Authority (CA) in a corporate network.

I will present:
- our analysis of the shortcomings of our current CA setup (slowness, heaviness, not-so-robust security controls),
- our search for ways to improve our architecture,
- why we looked at the Internet CA landscape,
- why we chose ACME.

I will then detail to the audience:
- the expected benefits of having an ACME service inside your corporate ecosystem, such as robustness or automation opportunities,
- but also the unexpected ones, such as unanticipated use cases contributed directly by our IT users, or the widespread adoption of ACME by a wide variety of IT professionals in the company who were not regular users of our original CA setup.

And finally, I will close by speaking about new ACME use cases in private networks provided by the IT security industry, such as the new ACME challenge, device-attest-01, proposed by Google [1] and used by Apple in its Managed Device Attestation [2] solution to enroll new private corporate iOS/macOS/iPadOS devices.

[1] https://www.ietf.org/id/draft-acme-device-attest-01.html
[2] https://support.apple.com/guide/deployment/managed-device-attestation-dep28afbde6a/web

See also: Slides (3.0 MB)
  • Security engineer @ Assurance Maladie (French public healthcare insurance) with a particular focus on R&D in the field of security and network protocols such as Certificate Transparency, ACME or DNS.
  • Co-founder and organizer of Pass the SALT, a conference dedicated to Security & Free Software: https://www.pass-the-salt.org/
  • Contact & more: https://www.brocas.org/