[Openid-specs-fapi] Open Banking certificates using ACME
Anders Rundgren
anders.rundgren.net at gmail.com
Thu Dec 30 07:33:22 UTC 2021
I have now actually used ACME :) It was great!
Anyway, I see a slight disconnect between ACME and how Open Banking CAs work today.
That is, open banking application developers typically create an account using a Web application provided by the bank (or an external CA). From this account they can retrieve application IDs as well as get certificates and private keys supplied as ZIP or P12 files.
The latter is of course not ideal, so the question is how this could be enhanced using ACME.
I'm thinking about a process where you:
- Locally create an account key-pair
- Register the account public key using the aforementioned Web application
After that you should have everything needed to perform automated certification requests using ACME.
This may look similar to what many commercial CAs already do, but it is actually quite different: account keys are long-lived keys, distinct from the keys that the CA is supposed to certify.
It is obvious that these applications could benefit from attestations as well since the security of this scheme is highly dependent on the account keys. Since attestations would be a part of every certification request, it should be sufficient to provide the attestation certificate during registration. Attestations are not yet a part of ACME.
WDYT?
Anders
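The flow sketched in the post (generate an account key pair locally, register only its public half out of band, then sign every ACME request with that account key while the certificate key is a separate one that travels only inside the CSR) as an added, self-contained Go example. This is not code from the original post, from any bank's CA, or from an existing ACME library; the account URL used as the JWS `kid`, the hostname, and the nonces are made up for illustration, and the `Registry` type stands in for whatever the CA's account database really is.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
)

// AccountKey is the long-lived key generated locally; only the public half is uploaded.
type AccountKey struct {
	priv *ecdsa.PrivateKey
	KID  string // account URL the CA hands out at registration (hypothetical), sent as the JWS "kid"
}

func NewAccountKey(kid string) (*AccountKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &AccountKey{priv: priv, KID: kid}, nil
}

// Public returns what the developer registers through the bank's web application.
func (a *AccountKey) Public() *ecdsa.PublicKey { return &a.priv.PublicKey }
// Registry models the CA's view: kid -> account public key registered out of band.
type Registry map[string]*ecdsa.PublicKey
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignRequest builds the flattened JWS that RFC 8555 puts on every ACME request.
func (a *AccountKey) SignRequest(url, nonce string, payload []byte) (map[string]string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": a.KID, "nonce": nonce, "url": url}) // a map of strings always marshals
	p, pl := b64(hdr), b64(payload)
	digest := sha256.Sum256([]byte(p + "." + pl))
	r, s, err := ecdsa.Sign(rand.Reader, a.priv, digest[:])
	if err != nil {
		return nil, err
	}
	// JWS ES256 signatures are raw r||s (32 bytes each), not ASN.1 DER.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return map[string]string{"protected": p, "payload": pl, "signature": b64(sig)}, nil
}

// VerifyRequest is the CA side: only a request signed with the registered account key passes.
func (r Registry) VerifyRequest(jws map[string]string) (map[string]string, []byte, error) {
	hdrBytes, err := base64.RawURLEncoding.DecodeString(jws["protected"])
	if err != nil {
		return nil, nil, err
	}
	var hdr map[string]string
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, nil, err
	}
	pub, ok := r[hdr["kid"]]
	if !ok || hdr["alg"] != "ES256" {
		return nil, nil, errors.New("unknown account kid or unsupported alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(jws["signature"])
	if err != nil || len(sig) != 64 {
		return nil, nil, errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(jws["protected"] + "." + jws["payload"]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, nil, errors.New("signature does not match the registered account key")
	}
	payload, err := base64.RawURLEncoding.DecodeString(jws["payload"])
	return hdr, payload, err
}

// NewCertificateCSR generates the key the CA certifies: separate from the account key, it reaches the CA only inside the CSR.
func NewCertificateCSR(hostname string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: hostname}, DNSNames: []string{hostname}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, der, err
}

// CSRUsesAccountKey lets the CA refuse a CSR whose key is the account key itself.
func CSRUsesAccountKey(csrDER []byte, acctPub *ecdsa.PublicKey) (bool, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return false, err
	}
	if err := csr.CheckSignature(); err != nil {
		return false, err
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(acctPub), nil
}
```

Two things a real CA does that this sketch leaves out: it also checks that the `nonce` in the protected header is one it issued and has not seen before, and that `url` matches the endpoint the request arrived at, which is what stops a captured JWS from being replayed elsewhere. The point the post makes is visible in `CSRUsesAccountKey`: the CSR key and the account key are different objects with different lifetimes, and a CA can refuse a CSR that tries to get the long-lived account key certified.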