@fireblade, that Internet of Things security problem is a very tough one!
The design of ACME is focused around the PKI problem of proving associations between cryptographic keys and names; every cert that Let’s Encrypt issues using ACME contains a list of subject names and also a subject public key, and the point of the certificate is to say that the certificate authority has confirmed that it’s OK to use a particular subject public key when talking to someone who uses one of those subject names. For example, Let’s Encrypt issued one certificate, using ACME, that says that it’s OK to use the RSA public key (
bc6a865c19c03c9316b06c48a2a9bc56f4e1a6707c2120e4c8cb61548c57ed262f922518291440ba636779f9880351a8e66bfeb165eb97798ecadde356475c0b8ed8970bc3446843589d5e3b3e36db6182ecebab0cdccba22e1000a8fbf10d98eae309ea31ba3d9cd6cd333025d3e2b16ae0f93d69d02aba06461bba6792b9dde2c14834fbb6b04b769de58fc8dd56d60234a498bc83c4c6fdcef377b294fb61c9a68c52e6cdadb3005299a7ad4da06cbfbad0c0fc8de0e3b476e4ec805e4ac602ac136eeae5dfbe88a9d12eb38226308d1dc529c9051ce9d1affa8b6ba8e0406b1bf14011e87e07e527229f36e00725a6640d127db402ed9120aa26d1ba282d) when talking to someone using the name
ACME itself consists mostly of mechanisms that certificate authorities can issue to requesters in order to try to satisfy themselves that ① the requesters actually want to associate particular cryptographic keys with particular names, and ② the requesters actually control those names. This is what we call domain validation.
So, that’s what our technology can do. To apply it in another context, you need to figure out whether there are names that could be associated with cryptographic keys, how entities can figure out what those names mean, and how they can figure out who is entitled to use them.