IETF Logo Mail Archive

Re: [Acme] Fwd: New Version Notification for draft-yusef-acme-3rd-party-device-attestation-01.txt

Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Thu, 17 January 2019 21:04 UTC

Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E68D2128CF2 for <acme@ietfa.amsl.com>; Thu, 17 Jan 2019 13:04:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WrMQp2cZOw_K for <acme@ietfa.amsl.com>; Thu, 17 Jan 2019 13:04:22 -0800 (PST)
Received: from mail-it1-x12b.google.com (mail-it1-x12b.google.com [IPv6:2607:f8b0:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F1491271FF for <acme@ietf.org>; Thu, 17 Jan 2019 13:04:22 -0800 (PST)
Received: by mail-it1-x12b.google.com with SMTP id a6so3075428itl.4 for <acme@ietf.org>; Thu, 17 Jan 2019 13:04:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=z4h9XzPyptPfrydwyIWoDf6yK+9DHjC59/4gjTmrKx0=; b=e+w2RDBTSXlTtoGIMHDAsod3HFeEszyIz0CkqOG4/2xpmXPPYO/1Vy9DhnDC4G8jPI Fa9+I4m/rvhswJgtiLinvkOANwwLTB7kLqs4Eq3s3bZI0jsfXMTS9FwY8GWD8wruaDfK wHVOawpYU8WFO2fh0XylDh9ELEay1iLVSSePdTCcRo0y4F5tD7fEv3kCis1A+SboT2ny 01I/vgrHjUwQLxMG3p7AWfFHpCg+FBzG7ZdnjOj1C8b0ODFlEtehsiGfDWk1iNokP07A YZT0P5Wokf9z+wsgSPWMPV75mvYO+mto6pbSYLu2q4yYJEmdepOiyFy6VbveVBUcrt3P yuug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=z4h9XzPyptPfrydwyIWoDf6yK+9DHjC59/4gjTmrKx0=; b=tm9TCH09JNxJTTKcnII3jw4Zrch7ltRHLwZPtUam1GTL2cOF/wNY5myQWTV/OtnEgx q81oWpka4Dkg2z/u4c1P+ohabBoF4BCyZNT9Zlh2q9v+niKFe6ImG14FigKo1XnNgtNk W+jDvgSppIX7DwghPHKP2eliBs/sZtkqvPxKKM6D/6SkZJsj7/dllMdgqTceRp6K813Z 5xJKe7BdR2Rr8wubnWUU15vdQKe+ARKpRAGB5jAvd8y4Ssqgf9Fp1l1/ZbvYX+vc2hlg 57M98cW6iSlmBJ6tMpI9la61oTacTIkEXe9da+VMdSQ5NtC8J3iCGO2e75X9DUEnTm8H WAzQ==
X-Gm-Message-State: AJcUukdkJmN4Vj4+lhCTOgTalMhJN1wkBoDb7zaPHENUSHlkKdJsEIXx WPOzDKuYyCm+8MQBFMOWYcszImKO3R2Cn6AslaE=
X-Google-Smtp-Source: ALg8bN4ScFqsKB1+BG0ErT2F/qQW9WwM8tAB0vrt2dnVzLpz80+hhN2Lc+Kq10eEVjs5koRZbiKfXSEdnkIZ2RkCgSg=
X-Received: by 2002:a24:d316:: with SMTP id n22mr10695712itg.107.1547759061374; Thu, 17 Jan 2019 13:04:21 -0800 (PST)
MIME-Version: 1.0
References: <154767050457.29430.8305250740505088239.idtracker@ietfa.amsl.com> <CAGL6epJ6cVBSp_VWPbV9+kG7VGBp_mPPf_Q836cbf5bi8OY=hQ@mail.gmail.com> <CAL02cgQXYxqvi5q4iW8uhRkbsYG1UObQkb094ba1wFvw4dcy8Q@mail.gmail.com> <CAGL6ep+aZETDNLFME5mT9f=AxowLTkhKSvMevGxEYwirLhTT_Q@mail.gmail.com> <CAL02cgSRqD7POpRd57rNK6a+wTRAJ7qHy+f74DbmGRPe=OnBGg@mail.gmail.com>
In-Reply-To: <CAL02cgSRqD7POpRd57rNK6a+wTRAJ7qHy+f74DbmGRPe=OnBGg@mail.gmail.com>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Thu, 17 Jan 2019 16:04:10 -0500
Message-ID: <CAGL6epJhJ98rG_ZbaXgV1iswUWCypwkxtsvriL5mje98=g6dxQ@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000d1d4a057fadbd8e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/3KFIT5eALqYr0GszdfDpd0ojTM4>
Subject: Re: [Acme] Fwd: New Version Notification for draft-yusef-acme-3rd-party-device-attestation-01.txt
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Jan 2019 21:04:25 -0000

Why would you close a an appropriate WG to deal with this, and send us to
secdispatch?



On Thu, Jan 17, 2019 at 3:45 PM Richard Barnes <rlb@ipv.sx> wrote:

> I would add that if this is just another token type, it might not be
> necessary to keep the WG open for it.  Good exercise for the secdispatch
> process.
>
> On Thu, Jan 17, 2019 at 12:49 Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
> wrote:
>
>> Thanks Richard,
>>
>> The redirection is not critical part, and your explanation makes sense.
>> I looked at the "authority token" documents a while ago; I will take a
>> look again to see if I can align this document with that framework.
>>
>> Regards,
>>  Rifaat
>>
>>
>> On Thu, Jan 17, 2019 at 1:51 AM Richard Barnes <rlb@ipv.sx> wrote:
>>
>>> It seems like the core of this draft is identifier delegation.  Namely,
>>> the CA recognizes the DA as an authority for a certain identifier space
>>> (e.g., the first few octets of a MAC address), and the JWT delegates
>>> permission to issue certificates for some identifier in that space to the
>>> Client.
>>>
>>> Given that, it seems to me like this could fit under the rubric of the
>>> "authority token" challenge.  If you were to do what this draft wants to do
>>> with that framework, the Client would have two separate interactions -- an
>>> OAuth interaction with the DA to get a token, then an ACME interaction with
>>> the CA to issue the certificate.  The only specification needed would be to
>>> specify the identifier and token type, as has been done for TNAuthList [2].
>>>
>>> The only thing that would then be missing with regard to this draft is
>>> that the CA wouldn't provide the redirect to the DA.  Whether that makes
>>> sense depends on the use case, but I suspect that in most cases it does
>>> not.  The design in the draft presumes there's a single DA per identifier,
>>> and that the CA keeps a mapping table from possible identifiers to DAs.
>>> That seems unlikely for most identifier spaces and most CAs with reasonably
>>> broad coverage.  So losing this property of the draft doesn't seem like a
>>> big issue.
>>>
>>> So net/net, I think this draft should be restructured along the lines of
>>> [2], to just define a token type and maybe an identifier type.
>>>
>>> --Richard
>>>
>>> [1] https://tools.ietf.org/html/draft-ietf-acme-authority-token
>>> [2]
>>> https://tools.ietf.org/wg/acme/draft-ietf-acme-authority-token-tnauthlist/
>>>
>>> On Wed, Jan 16, 2019 at 12:33 PM Rifaat Shekh-Yusef <
>>> rifaat.ietf@gmail.com> wrote:
>>>
>>>> All,
>>>>
>>>> I have just submitted new updated version to address the issues raised
>>>> by Ilari and Ryan.
>>>> I would appreciate any more reviews and comments.
>>>>
>>>> Regards,
>>>>  Rifaat
>>>>
>>>>
>>>> ---------- Forwarded message ---------
>>>> From: <internet-drafts@ietf.org>
>>>> Date: Wed, Jan 16, 2019 at 3:28 PM
>>>> Subject: New Version Notification for
>>>> draft-yusef-acme-3rd-party-device-attestation-01.txt
>>>> To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
>>>>
>>>>
>>>>
>>>> A new version of I-D,
>>>> draft-yusef-acme-3rd-party-device-attestation-01.txt
>>>> has been successfully submitted by Rifaat Shekh-Yusef and posted to the
>>>> IETF repository.
>>>>
>>>> Name:           draft-yusef-acme-3rd-party-device-attestation
>>>> Revision:       01
>>>> Title:          Third-Party Device Attestation for ACME
>>>> Document date:  2019-01-16
>>>> Group:          Individual Submission
>>>> Pages:          9
>>>> URL:
>>>> https://www.ietf.org/internet-drafts/draft-yusef-acme-3rd-party-device-attestation-01.txt
>>>> Status:
>>>> https://datatracker.ietf.org/doc/draft-yusef-acme-3rd-party-device-attestation/
>>>> Htmlized:
>>>> https://tools.ietf.org/html/draft-yusef-acme-3rd-party-device-attestation-01
>>>> Htmlized:
>>>> https://datatracker.ietf.org/doc/html/draft-yusef-acme-3rd-party-device-attestation
>>>> Diff:
>>>> https://www.ietf.org/rfcdiff?url2=draft-yusef-acme-3rd-party-device-attestation-01
>>>>
>>>> Abstract:
>>>>    This document defines a Third-Party Device Attestation for ACME
>>>>    mechanism to allow the ACME CA to delegate some of its authentication
>>>>    and authorization functions to a separate trusted entity, to automate
>>>>    the issuance of certificates to devices.
>>>>
>>>>
>>>>
>>>>
>>>> Please note that it may take a couple of minutes from the time of
>>>> submission
>>>> until the htmlized version and diff are available at tools.ietf.org.
>>>>
>>>> The IETF Secretariat
>>>>
>>>> _______________________________________________
>>>> Acme mailing list
>>>> Acme@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/acme
>>>>
>>>

v2.23.0 | Report a Bug | By Email