Re: [Acme] [EXTERNAL] Re: acme-device-attest expired

Brandon Weeks <bweeks@google.com> Thu, 22 February 2024 22:25 UTC

From: Brandon Weeks <bweeks@google.com>
Date: Thu, 22 Feb 2024 14:25:19 -0800
Message-ID: <CAP+ZhPb3t9+BpV5HEWwJFMxAfvw2HRa3=XL9kQvG8EJGq4aY9g@mail.gmail.com>
To: Prachi Jain <prachi.jain1288@gmail.com>
Cc: Mike Malone <mike@smallstep.com>, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, Deb Cooley <debcooley1@gmail.com>, Thomas Fossati <tho.ietf@gmail.com>, "acme@ietf.org" <acme@ietf.org>, "draft-acme-device-attest.authors@ietf.org" <draft-acme-device-attest.authors@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Er34zxQ-rILyq7lQjjiyJUCXo2I>

Apologies for letting the draft expire. I've recently switched roles
within Google and have been busy ramping up. My new team is
responsible for Android Key Attestation[0], one of the attestation
schemes included in the draft, which hopefully allows me to build a
production implementation of the draft.

I've incorporated one change from Thomas and updated the draft to version 2[1].

There hasn’t been much feedback on the draft during the ACME sessions
or on the mailing list, especially from implementers, so I’m really
excited to see all of the interest on this thread. I’d be more than
happy to incorporate any feedback received and present at IETF 120. If
reviewing the draft in a meeting would be helpful, please reach out to
me directly and I’d be happy to schedule time.

Thanks,
Brandon

[0] https://developer.android.com/privacy-and-security/security-key-attestation
[1] https://datatracker.ietf.org/doc/draft-acme-device-attest/02/


On Thu, Feb 22, 2024 at 1:53 PM Prachi Jain <prachi.jain1288@gmail.com> wrote:
>
> I plan to do a POC using this draft and potentially implement it based on the results. Thus very motivated to get this past the finish line.
>
> @Mike Ounsworth, I haven't read draft-ietf-lamps-csr-attestation yet so I am going to give it a read and come back with my thoughts.
>
> On Thu, Feb 22, 2024 at 3:00 PM Mike Malone <mike@smallstep.com> wrote:
>>
>> It's worth noting that Apple has already implemented this draft on macOS, iOS, iPadOS, and tvOS[1]. We've implemented the server side at Smallstep and can confirm that there is adoption. That shouldn't stop the evolution of this draft, of course, but could help inform it. Adoption is promising and it would be unfortunate to see this die at draft.
>>
>> We don't have any experienced IETF authors here -- not sure what that entails -- but we are very interested in the outcome here and would be happy to help however we can. To start, I've shared this with a few contacts that I know will also be interested.
>>
>> Mike
>>
>> [1] https://support.apple.com/lt-lt/guide/deployment/dep28afbde6a/web
>>
>> On Thu, Feb 22, 2024 at 12:21 PM Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org> wrote:
>>>
>>> At the risk of adding another draft to my plate, I am the lead author on draft-ietf-lamps-csr-attestation, so I suppose it is reasonable for me to volunteer to work on this one also.
>>>
>>>
>>>
>>> I wonder if the design of acme-device-attest should change in light of the existence of draft-ietf-lamps-csr-attestation? But I admit to not having read acme-device-attest in a while :/
>>>
>>>
>>>
>>> ---
>>>
>>> Mike Ounsworth
>>>
>>>
>>>
>>> From: Acme <acme-bounces@ietf.org> On Behalf Of Prachi Jain
>>> Sent: Thursday, February 22, 2024 6:03 AM
>>> To: Deb Cooley <debcooley1@gmail.com>
>>> Cc: Thomas Fossati <tho.ietf@gmail.com>; acme@ietf.org; draft-acme-device-attest.authors@ietf.org
>>> Subject: [EXTERNAL] Re: [Acme] acme-device-attest expired
>>>
>>>
>>>
>>> Thank you for the update, Deb.
>>>
>>>
>>>
>>> I am more than willing to work as an author on this draft and help out :)
>>>
>>>
>>>
>>> On Thu, Feb 22, 2024 at 5:28 AM Deb Cooley <debcooley1@gmail.com> wrote:
>>>
>>> I know Brandon has been busy, but I don't know his plans for this draft.  Maybe his use case has changed?  I've cc'd him on this message.
>>>
>>>
>>>
>>> Note:  acme is a 'working group', to get a draft through the process people have to be willing to work on the draft (vice merely following).  Also drafts can certainly have multiple authors, perhaps an offer of helping as an author might work.
>>>
>>>
>>>
>>> Deb
>>>
>>>
>>>
>>> On Tue, Feb 20, 2024 at 11:01 AM Prachi Jain <prachi.jain1288@gmail.com> wrote:
>>>
>>> Hello,
>>>
>>> I have been closely following this document as well and would like to know the status of the same.
>>>
>>> Thanks,
>>> Prachi
>>>
>>>
>>>
>>> On Sun, Feb 18, 2024 at 1:57 AM Thomas Fossati <tho.ietf@gmail.com> wrote:
>>>
>>> Hi, all,
>>>
>>> The acme-device-attest draft is expired.
>>>
>>> Just checking: what are the plans?
>>>
>>> cheers, thanks!
>>>
>>> _______________________________________________
>>> Acme mailing list
>>> Acme@ietf.org
>>> https://www.ietf.org/mailman/listinfo/acme