Update READMEs for bootstrap and IETF MTC crates

- bootstrap_mtc_worker: clarifies this implements the older bootstrap
  experiment (~davidben-09), not the current IETF draft; updates
  'signatureless' → 'landmark-relative'; removes stale test-dev.sh steps
- bootstrap_mtc_api: new README describing its role as the frozen
  bootstrap protocol library
- ietf_mtc_worker: replaces stale bootstrap copy with accurate description
  of the plants-02 implementation; lists known limitations (standalone
  certs, ML-DSA, subtree signing oracle, notBefore/notAfter)
- ietf_mtc_api: new README describing the plants-02 wire format components

Author: lukevalenta

crates/bootstrap_mtc_api/README.md

@@ -0,0 +1,27 @@
+# bootstrap_mtc_api
+
+Core types and logic for the [Bootstrap MTC CA](../bootstrap_mtc_worker/README.md).
+
+This crate implements the bootstrap-specific protocol layer on top of the shared
+[`tlog_tiles`](../tlog_tiles/) infrastructure:
+
+- **X.509 bootstrap chain validation** — validates a submitted certificate chain
+  against a root pool, enforces EKU (`serverAuth`), filters extensions, and
+  converts the leaf to a `TBSCertificateLogEntry`.
+- **`MerkleTreeCertEntry` encoding/decoding** — the binary log entry format
+  (approximately draft-davidben-tls-merkle-tree-certs-09).
+- **`serialize_landmark_relative_cert`** — constructs the landmark-relative MTC
+  certificate from a sequenced log entry, an inclusion proof, and the subscriber's
+  SPKI.
+- **Landmark sequence** — tracks the active landmark subtrees and their Merkle
+  roots for inclusion proof generation.
+- **Cosigner** — Ed25519-based subtree cosigning over the `mtc-subtree/v1` note
+  format.
+
+This crate is intentionally frozen at the bootstrap protocol version and will not
+be updated to track the IETF draft. For the current IETF draft implementation,
+see [`ietf_mtc_api`](../ietf_mtc_api/).
+
+## License
+
+The project is licensed under the [BSD-3-Clause License](./LICENSE).

crates/bootstrap_mtc_worker/README.md

@@ -1,48 +1,53 @@
-# Merkle Tree CA Worker
+# Bootstrap Merkle Tree CA Worker
 
-A Rust implementation of a [Merkle Tree CA](https://github.com/davidben/merkle-tree-certs/) (MTCA) for deployment on [Cloudflare Workers](https://workers.cloudflare.com/).
+A Rust implementation of a [Bootstrap MTC CA](https://blog.cloudflare.com/bootstrap-mtc) for deployment on [Cloudflare Workers](https://workers.cloudflare.com/).
 
-Much of the API and the internal architecture of the Merkle Tree CA is shared by the [Static CT Log](../ct_worker/README.md). This Worker also implements issuance of Merkle Tree Certificates (MTCs). The issuance API should be considered unstable. For now, its primary purpose is to support an experimental deployment of the MTC specification.
+This worker implements an experimental Merkle Tree Certificate CA based on the bootstrap experiment described in the Cloudflare blog post above. It predates the IETF standardisation effort and implements an older version of the protocol (approximately draft-davidben-tls-merkle-tree-certs-09). For a CA tracking the current IETF draft, see [`ietf_mtc_worker`](../ietf_mtc_worker/README.md).
 
-## Development
+The internal log architecture (Sequencer, Batcher, Cleaner Durable Objects, tiled R2 storage) is shared with the [Static CT Log](../ct_worker/README.md).
 
-`node` and `npm` are required to run the Worker locally. First, use `npm` to install `wrangler`:
+## How it works
 
-```bash
-npm install -g wrangler@latest
-```
+For every MTC issued, the requester must provide a **bootstrap certificate chain** — a standard X.509 certificate chain with a path to a root trusted by the CA. By default the root store is the intersection of Chrome's and Mozilla's trust stores (sourced from the CCADB). The CA validates the chain, extracts the subject, SPKI, SANs, key usage, and EKU, and logs them as a `TBSCertificateLogEntry`.
+
+Once a landmark interval elapses, the sequencer produces a landmark subtree and the CA can issue **landmark-relative MTC certificates** — DER-encoded X.509 structures whose `signatureValue` encodes a Merkle inclusion proof into the landmark subtree rather than a traditional signature.
 
-Then use `wrangler` to run the Worker locally from this directory:
+## Development
+
+Requires `node` and `npm`.
 
 ```bash
-npx wrangler dev -e=dev
-```
+# Run locally
+npx wrangler -e=dev dev
 
-The Worker doesn't implement a full-blown MTCA. Instead, it implements what we call a **bootstrap MTCA**. For every MTC requested, the requester must provide a **bootstrap certificate**. A bootstrap certificate is a standard X.509 certificate chain that must have a path to a root certificate trusted by `bootstrap_mtc_worker`. By default, the root store used is the intersection of Chrome's and Mozilla's trust stores.
+# Reset local state between runs
+./reset-dev.sh
+```
 
 To test the basic functionality, run the following script from this directory:
 
 ```bash
 ./test-dev.sh
 ```
 
-This script does the following:
-
-1. Fetch a bootstrap certificate chain.
-
-1. Submit the bootstrap certificate chain to the MTCA running locally.
-
-1. Wait for the next landmark to be minted. The landmark interval is defined in [`config.dev.json`](./config.dev.json).
-
-1. Request the signatureless MTC from the MTCA running locally
+This script:
+1. Fetches a bootstrap certificate chain.
+2. Submits it to the MTCA running locally.
+3. Waits for the next landmark (interval defined in [`config.dev.json`](./config.dev.json)).
+4. Requests the landmark-relative MTC.
 
 ### Overriding the trust store
 
-It may be useful to provide your own roots for testing. To do so:
+To test with your own root certificates:
 
-1. Build the Worker with the `"dev-bootstrap-roots"` feature. Note that `wrangler` invokes `cargo` with a custom build script, so the simplest thing to do is to edit the `Cargo.toml` file by adding `"dev-boostrap-roots"` to the default feature set.
+1. Add `dev-bootstrap-roots` to the default features in `Cargo.toml`.
+2. Append your root certificates (PEM format) to [`dev-bootstrap-roots.pem`](./dev-bootstrap-roots.pem).
 
-1. Append your roots to [`dev-bootstrap-roots.pem`](./dev-bootstrap-roots.pem).
+### Integration tests
+
+```bash
+BASE_URL=http://localhost:8787 BOOTSTRAP_MTC_LOG_NAME=dev2 cargo test -p integration_tests --test bootstrap_mtc_api
+```
 
 ## Deployment
 

crates/ietf_mtc_api/README.md

@@ -0,0 +1,33 @@
+# ietf_mtc_api
+
+Core types and logic for the [IETF Merkle Tree CA Worker](../ietf_mtc_worker/README.md).
+
+This crate implements the IETF draft protocol layer on top of the shared
+[`tlog_tiles`](../tlog_tiles/) infrastructure, targeting
+[draft-ietf-plants-merkle-tree-certs-02](https://datatracker.ietf.org/doc/draft-ietf-plants-merkle-tree-certs/).
+
+Key components:
+
+- **`AddEntryRequest`** — PKCS#10 CSR submission request (base64url-encoded DER,
+  matching the ACME `finalize` format per RFC 8555 §7.4).
+- **`build_pending_entry`** — parses a CSR, extracts subject, SPKI algorithm,
+  SPKI hash, and SANs, and constructs an `IetfMtcPendingLogEntry`.
+- **`TbsCertificateLogEntry`** — the plants-02 wire format: fields encoded as raw
+  concatenated DER (no outer SEQUENCE wrapper), including the new
+  `subjectPublicKeyInfoAlgorithm` field.
+- **`MerkleTreeCertEntry`** — entry type enum (`NullEntry` / `TbsCertEntry`) with
+  encode/decode.
+- **`serialize_landmark_relative_cert`** — constructs the landmark-relative MTC
+  certificate from a sequenced log entry, an inclusion proof, and the subscriber's
+  SPKI.
+- **Landmark sequence** — tracks the active landmark subtrees and their Merkle
+  roots.
+- **Cosigner** — Ed25519-based subtree cosigning over the `mtc-subtree/v1` note
+  format.
+
+For the older bootstrap experiment (draft-davidben-tls-merkle-tree-certs-09),
+see [`bootstrap_mtc_api`](../bootstrap_mtc_api/).
+
+## License
+
+The project is licensed under the [BSD-3-Clause License](./LICENSE).

crates/ietf_mtc_worker/README.md

@@ -1,53 +1,52 @@
-# Merkle Tree CA Worker
+# IETF Merkle Tree CA Worker
 
-A Rust implementation of a [Merkle Tree CA](https://github.com/davidben/merkle-tree-certs/) (MTCA) for deployment on [Cloudflare Workers](https://workers.cloudflare.com/).
+A Rust implementation of an [IETF Merkle Tree Certificate CA](https://github.com/ietf-plants-wg/merkle-tree-certs/) for deployment on [Cloudflare Workers](https://workers.cloudflare.com/).
 
-Much of the API and the internal architecture of the Merkle Tree CA is shared by the [Static CT Log](../ct_worker/README.md). This Worker also implements issuance of Merkle Tree Certificates (MTCs). The issuance API should be considered unstable. For now, its primary purpose is to support an experimental deployment of the MTC specification.
+This worker implements [draft-ietf-plants-merkle-tree-certs-02](https://datatracker.ietf.org/doc/draft-ietf-plants-merkle-tree-certs/). For the older bootstrap experiment, see [`bootstrap_mtc_worker`](../bootstrap_mtc_worker/README.md).
 
-## Development
-
-`node` and `npm` are required to run the Worker locally. First, use `npm` to install `wrangler`:
+The internal log architecture (Sequencer, Batcher, Cleaner Durable Objects, tiled R2 storage) is shared with the [Static CT Log](../ct_worker/README.md).
 
-```bash
-npm install -g wrangler@latest
-```
+## How it works
 
-Then use `wrangler` to run the Worker locally from this directory:
+Subscribers submit a PKCS#10 CSR (base64url-encoded, no padding) to the `add-entry` endpoint, matching the ACME `finalize` format (RFC 8555 §7.4). The CA extracts the subject, SPKI, and SANs from the CSR and logs them as a `TBSCertificateLogEntry`. The validity window is set server-side to `[now, now + max_certificate_lifetime_secs]`.
 
-```bash
-npx wrangler dev -e=dev
-```
-
-The Worker doesn't implement a full-blown MTCA. Instead, it implements what we call a **bootstrap MTCA**. For every MTC requested, the requester must provide a **bootstrap certificate**. A bootstrap certificate is a standard X.509 certificate chain that must have a path to a root certificate trusted by `bootstrap_mtc_worker`. By default, the root store used is the intersection of Chrome's and Mozilla's trust stores.
-
-To test the basic functionality, run the following script from this directory:
-
-```bash
-./test-dev.sh
-```
+Once a landmark interval elapses, the sequencer produces a landmark subtree and the CA can issue **landmark-relative MTC certificates** — DER-encoded X.509 structures whose `signatureValue` encodes a Merkle inclusion proof into the landmark subtree rather than a traditional signature.
 
-This script does the following:
+## Known limitations
 
-1. Fetch a bootstrap certificate chain.
+- Standalone certificates (with cosignatures in the `signatures` field) are not yet implemented.
+- ML-DSA signing is not yet implemented.
+- The subtree signing oracle (for external cosigners) is not yet implemented.
+- ACME order `notBefore`/`notAfter` fields are not currently supported.
 
-1. Submit the bootstrap certificate chain to the MTCA running locally.
-
-1. Wait for the next landmark to be minted. The landmark interval is defined in [`config.dev.json`](./config.dev.json).
+## Development
 
-1. Request the signatureless MTC from the MTCA running locally
+Requires `node` and `npm`.
 
-### Overriding the trust store
+```bash
+# Run locally
+npx wrangler -e=dev dev
 
-It may be useful to provide your own roots for testing. To do so:
+# Reset local state between runs
+./reset-dev.sh
+```
 
-1. Build the Worker with the `"dev-bootstrap-roots"` feature. Note that `wrangler` invokes `cargo` with a custom build script, so the simplest thing to do is to edit the `Cargo.toml` file by adding `"dev-boostrap-roots"` to the default feature set.
+### Integration tests
 
-1. Append your roots to [`dev-bootstrap-roots.pem`](./dev-bootstrap-roots.pem).
+```bash
+BASE_URL=http://localhost:8787 IETF_MTC_LOG_NAME=dev2 cargo test -p integration_tests --test ietf_mtc_api
+```
 
 ## Deployment
 
 See the [`ct_worker` documentation](../ct_worker/README.md#deployment-to-a-custom-domain) for deployment to a custom domain.
 
+The production environment is `prod` (maps to `config.prod.json`):
+
+```bash
+npx wrangler -e=prod deploy
+```
+
 ## License
 
 The project is licensed under the [BSD-3-Clause License](./LICENSE).