[Acme] Re: WG Last Call: draft-ietf-acme-device-attest-02 (Ends 2026-04-09)

Aaron Gable <aaron@letsencrypt.org> Wed, 01 April 2026 20:30 UTC

Return-Path: <aaron@letsencrypt.org>
X-Original-To: acme@mail2.ietf.org
Delivered-To: acme@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 3993BD50F411 for <acme@mail2.ietf.org>; Wed, 1 Apr 2026 13:30:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1775075412; bh=AuPWomSbgEO0rwB6RS8VwFGxAe1zwPquKauVD0VH5ok=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=DV7SGOyqrfAb6bzt9Es0QjKo8n2X/GvrUK/JKcIAfIRhTUDcYiWpOvSGx4AoELYyM nWQv0kNeF1SNzrR2mspMJYBjB7FPkfdUFUUXMKYLLgB/MhomS/sTjodsZmo1liARjp 7eYNpIXFY4DMusX+PUfexLAgvzYpNG997XGjQDwc=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9EvusDRmrU8m for <acme@mail2.ietf.org>; Wed, 1 Apr 2026 13:30:11 -0700 (PDT)
Received: from mail-oi1-x22f.google.com (mail-oi1-x22f.google.com [IPv6:2607:f8b0:4864:20::22f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 96E75D50F409 for <acme@ietf.org>; Wed, 1 Apr 2026 13:30:11 -0700 (PDT)
Received: by mail-oi1-x22f.google.com with SMTP id 5614622812f47-466f1c3c627so111668b6e.1 for <acme@ietf.org>; Wed, 01 Apr 2026 13:30:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1775075411; cv=none; d=google.com; s=arc-20240605; b=AifgzDbtadLWNeB/8AzeOM1yCJ+zZejEKJAKBpA8zEQn/F9N+A/DWLAqN3W0pkl67o ZkrlUYDyy+59LK4rG5Af1DPdHBksGX3yWWllItumTDOdmJz6jcSdum8koM6fp63v9YrL xzMDEWlRnSOdIwYYkWsFYo8VlQZZmBfivIBF/DcC354iMU5RF4n+PRTI72U9yNGoWZQ3 RC97uXNspfKmL8tVPrnoLYWe/3HsvLP4E028hJ0ZILHJMo7UIXjZVR8csGgCh9ybR4SV CKZrvid5VJCQYfGbzapKbDM/pl+qw2wpxTQqxj7ejHGmQFkwRAY63qrfwSWkrHi0CvyF p71w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=qbwqXqtunNBnqaFcCYQV+gmHCljklgsMJOsjdpkE/6Y=; fh=8pk0tX6TgSWcqrXnA7tHIc2ae5gNfvYm3tmvQoxqJz4=; b=Xm1cKthfeaLDt1MHiWrDawXFSyix/tADtMCfa4E0ZAT8uL3V0mwuahnAqgra55YQ9W Nqh1OxTWap/yLaU23TmlbqQYiF/xKC7gs0103tR9FAlOkZohNqSdNeDhkcV51G29BtPu 9jImMYqHcxg8PThUPPvv6CGroerDRpyp7RYnRDqKchlH+0gnLNDBkAzJ3ORbiUK64j9Z /m07QNvI5eVj9NxlqIVVNZhqFx5HRHVRRJAxj/cTyAhY0xM3uAItY2XylGTt5BHqMftl jIqM6LQlS/mSNwyOYEfsv3f+einX0lolMtINvtT5vSuMTIxqlku/yrkSo0/mMFRI491z Qu+Q==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; t=1775075411; x=1775680211; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=qbwqXqtunNBnqaFcCYQV+gmHCljklgsMJOsjdpkE/6Y=; b=GS8PjibBIpH7qXWBO2pnfnC7sCMe1iWPjJ31gp/vJCHLl5jg6KNTw7djkg2/vgB6YG YtaRqTHAT1eZH0Vk6dCt9evoxXjHX/AE43rQ6tHltxkGsxhxBiQ0WcMEiU7i3mW1zHip xLhJgRhRM4dcbgiK8igi+bwjrorFQ5tLhFTDc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775075411; x=1775680211; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=qbwqXqtunNBnqaFcCYQV+gmHCljklgsMJOsjdpkE/6Y=; b=nN+Aq9jJ5fVUZUEcJcaiA3uLpceZbqlMFNnd9h5IPll8ZDgTE59pc7nWOdmizxuuI+ krH23pDPpgr02i13H0CKcjMtPytQQ14dISq1jHsLEVjHXIEDmXJcSOcrMdg9+BXkpdXd C2ZzQHWjaGp3fMWCDtKTNmWLfi0H21UXWtgH5Xs+LzuC7RtNqru3h/zWBVjnzVBz9tkS IJAat1kerZv667WAnb8ni+67nUoyjFUSjuMm78eo/YfHsUNWywpemUrNxXnk9GeaREn6 EyW16MwnS1+huHEEowTlXN1fDEnOZTOby8EMguqhK0Uje9R2fgExZNoQd9UYSRieF0lK qHBw==
X-Forwarded-Encrypted: i=1; AJvYcCVbiCXybz6BatEgy/zMn3nlYHobNhJpp3HRAJgRThbda1r6FE7fUtOfAcwqklIYWil57B9q@ietf.org
X-Gm-Message-State: AOJu0YzXiaDxmqHg/m+2kegpDt2sjCLnuNgLx6lF/w1e/jNB0TSxUPh/ 5wzOcVdkT73sPHwDv5cr6mHZMmzPXK401ABqPaFcpboXfqwvSrK6W4efHaPvU1kNgfrMOdNU0p+ 79sMrAk1ShlqehgHOAOXy3ZO1WOUBSxgaklMlqTQbgg==
X-Gm-Gg: ATEYQzye8fYmX8v8FQDxllceVrMWmCXcMseXWu5W748B08qQftfXm146s1VWnZX77Tc nVTNL0Z3tANO87UKx38ewHQcXsXYZchG8rPrAvpLrbjzsNRy8v1IXn8p9dVbeQLC+vwEY9yOL6C d5+K9AZwUwVN3dFHirUyMUEbIIrblOI2kst/rZz+Tz+KYYxyEpkiNB8jKiwC9j7UqvAeCrWtGvf qxcXyLg7OTtBLmJVbL6n0lDvq9rzZcJ9Fz6agp2SncO/oTZhI9b8Hr12YxuR76M9VbPoJJDAx1Q 3VoErLU=
X-Received: by 2002:a05:6808:d51:b0:466:efb5:9443 with SMTP id 5614622812f47-46ae01532cdmr2785860b6e.39.1775075410713; Wed, 01 Apr 2026 13:30:10 -0700 (PDT)
MIME-Version: 1.0
References: <177456502637.650544.14855547787185245061@dt-datatracker-5775bcb475-pnkww>
In-Reply-To: <177456502637.650544.14855547787185245061@dt-datatracker-5775bcb475-pnkww>
From: Aaron Gable <aaron@letsencrypt.org>
Date: Wed, 01 Apr 2026 13:29:59 -0700
X-Gm-Features: AQROBzAeXzr0uSdzag_Q6yeY2PudMkuop76Dr4KSGcu-e9fQtYxhSBkpSXmoORU
Message-ID: <CAEmnEreNrXnMqc+KKXKY_q8KePeRaGee4rcb66YFDwXY0O4Lkg@mail.gmail.com>
To: Mike Ounsworth <mike@ounsworth.ca>
Content-Type: multipart/alternative; boundary="0000000000004e31f5064e6bf33c"
Message-ID-Hash: IZX5BSFYACK3PZ4S2LLP75JNDCBW3AXQ
X-Message-ID-Hash: IZX5BSFYACK3PZ4S2LLP75JNDCBW3AXQ
X-MailFrom: aaron@letsencrypt.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-acme.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: acme-chairs@ietf.org, acme@ietf.org, draft-ietf-acme-device-attest@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Acme] Re: WG Last Call: draft-ietf-acme-device-attest-02 (Ends 2026-04-09)
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/CQJaU9JqYet03JffIdjtLoDbJo0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Owner: <mailto:acme-owner@ietf.org>
List-Post: <mailto:acme@ietf.org>
List-Subscribe: <mailto:acme-join@ietf.org>
List-Unsubscribe: <mailto:acme-leave@ietf.org>

Hi all,

Here are notes from my review of the most recent version of this document:

1. The new ABNF production rules in 3.1 and 4.1 appear to have mangled
formatting: the triple backticks delimiting a code block are present
verbatim in both the HTML and TXT views of the document.

2. Sections 3.2 and 4.2 both note that the Server may wish to omit the
identifier from the resulting certificate due to "privacy concerns". These
should probably be discussed in more detail in the Security Considerations
section, so implementers can make informed decisions about whether and when
to include these identifiers.

3. Section 1 states that the new device-attest-01 challenge type can prove
control of either permanent-identifier or hardware-module identifiers.
However, Section 8.2 only adds one new entry to the ACME Validation Methods
IANA registry. It should add two entries, one for each identifier type (see
the current table
<https://www.iana.org/assignments/acme/acme.xhtml#acme-validation-methods>
which
has multiple rows for http-01, one for dns and one for ip identifiers).

4. It's unclear how the device-attest-01 challenge demonstrates control
over a specific permanent-identifier or hardware-module. The value of the
identifier never comes up in the validation flow. Contrast this with
http-01, where the identifier is part of the URL the server makes a request
to, or tkauth-01, where the TNAuthList appears within the "atc" claim. I
*think* what's happening here is that the permanent identifier or hardware
module would appear within the WebAuthn attestation, and would be validated
as part of "1. Perform the verification procedures described in Section 6
of WebAuthn". But suppose someone produced a WebAuthn attestation which
attested *nothing* except for the key authorization itself. Then it seems
like this would be a valid challenge response, and the Server should mark
the Authorization as valid, even though nothing related to the
permanent-identifier has actually been demonstrated.

Thanks for all the revisions so far, I think this is a big improvement.

Aaron

On Thu, Mar 26, 2026 at 3:44 PM Mike Ounsworth via Datatracker <
noreply@ietf.org> wrote:

> This message starts a WG Last Call for:
> draft-ietf-acme-device-attest-02
>
> This Working Group Last Call ends on 2026-04-09
>
> Abstract:
>    This document specifies new identifiers and a challenge for the
>    Automated Certificate Management Environment (ACME) protocol which
>    allows validating the identity of a device using attestation.
>
> File can be retrieved from:
>
> Please review and indicate your support or objection to proceed with the
> publication of this document by replying to this email keeping
> acme@ietf.org
> in copy. Objections should be explained and suggestions to resolve them are
> highly appreciated.
>
> Authors, and WG participants in general, are reminded of the Intellectual
> Property Rights (IPR) disclosure obligations described in BCP 79 [1].
> Appropriate IPR disclosures required for full conformance with the
> provisions
> of BCP 78 [1] and BCP 79 [2] must be filed, if you are aware of any.
> Sanctions available for application to violators of IETF IPR Policy can be
> found at [3].
>
> Thank you.
>
> [1] https://datatracker.ietf.org/doc/bcp78/
> [2] https://datatracker.ietf.org/doc/bcp79/
> [3] https://datatracker.ietf.org/doc/rfc6701/
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-acme-device-attest/
>
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-acme-device-attest-02.html
>
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-acme-device-attest-02
>
> _______________________________________________
> Acme mailing list -- acme@ietf.org
> To unsubscribe send an email to acme-leave@ietf.org
>