[Acme] Re: I-D Action: draft-ietf-acme-device-attest-02.txt

Mike Ounsworth <ounsworth+ietf@gmail.com> Thu, 26 March 2026 22:43 UTC

From: Mike Ounsworth <ounsworth+ietf@gmail.com>
Date: Fri, 27 Mar 2026 06:43:13 +0800
To: Sven A Rajala <Sven.Rajala@keyfactor.com>, Aaron Gable <aaron@letsencrypt.org>, Richard Barnes <rlb@ipv.sx>
CC: "acme@ietf.org" <acme@ietf.org>
Subject: [Acme] Re: I-D Action: draft-ietf-acme-device-attest-02.txt
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/L9rUZtthwRJG0hOobeu6Fu_Ovq4>

I have reviewed the changes and they look good to me, but I would
especially like a second pair of eyes from @Aaron Gable
<aaron@letsencrypt.org> and @Richard Barnes <rlb@ipv.sx>.

Since this version makes substantial normative changes, Deb decided to move
the document from IETF LC back into WG. I'll start a new WGLC now.

On Thu, 26 Mar 2026 at 17:19, Sven A Rajala <Sven.Rajala@keyfactor.com>
wrote:

> Hej Hej ACME,
>
>
> Richard Barnes pointed out that the previous version of this draft failed
> to provide a JSON encoding for the two new identifiers:
> *permanentIdentifier* and *HardwareModuleName* for the Order object.
> While addressing this we uncovered a few related issues. Given the scope of
> the change, Chairs and AD decided that this needed to go back to WG for
> another round of review, and do another WGLC.
>
>
> Version -02 makes the following changes:
>
>    - Adds a JSON representation of the *permanentIdentifier* and
>    *HardwareModuleName* identifiers. Since these are both represented in
>    the CSR in structured ASN.1 objects, an ASCII representation was invented,
>    along with a suggested algorithm for comparing them.
>
>    - Explicitly allows for these identifiers to appear in the CSR but not
>    in the issued certificate. It is completely reasonable that a client is
>    willing to share its device fingerprint with the CA but does not want it
>    published in the certificate, but it needs to be noted explicitly since it
>    is a contradiction of RFC8555.
>
> Kindly,
>
> Sven Rajala
>
> Deputy PKI Officer
>
>
>
> M: +1 540 687 0761
>
> sven.rajala@keyfactor.com <https://www.keyfactor.com/>
>
>
> From: internet-drafts@ietf.org <internet-drafts@ietf.org>
> Date: Friday, 2026 March 27 at 07:16
> To: i-d-announce@ietf.org <i-d-announce@ietf.org>
> Cc: acme@ietf.org <acme@ietf.org>
> Subject: [Acme] I-D Action: draft-ietf-acme-device-attest-02.txt
>
>
>
> Internet-Draft draft-ietf-acme-device-attest-02.txt is now available. It is a
> work item of the Automated Certificate Management Environment (ACME) WG of the
> IETF.
>
>    Title:   Automated Certificate Management Environment (ACME) Device Attestation Extension
>    Authors: Brandon Weeks
>             Ganesh Mallaya
>             Sven Rajala
>             Corey Bonnell
>    Name:    draft-ietf-acme-device-attest-02.txt
>    Pages:   13
>    Dates:   2026-03-26
>
> Abstract:
>
>    This document specifies new identifiers and a challenge for the
>    Automated Certificate Management Environment (ACME) protocol which
>    allows validating the identity of a device using attestation.
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-acme-device-attest/
>
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-acme-device-attest-02.html
>
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-acme-device-attest-02
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
>
>
> _______________________________________________
> Acme mailing list -- acme@ietf.org
> To unsubscribe send an email to acme-leave@ietf.org
>
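The change Sven describes, an ASCII/JSON form for the two structured ASN.1 identifiers plus a way to compare them, is the kind of thing a CA has to get right at finalize time, where the identifiers in the order are checked against the otherName values decoded from the CSR. The following is an added illustration written for this page; it is not code from the draft, from the thread, or from any ACME implementation, and the JSON layout and comparison rules it uses are hypothetical (the draft's actual encoding is not reproduced here). The ASN.1 shapes it models follow RFC 4043 (PermanentIdentifier: identifierValue UTF8String OPTIONAL, assigner OBJECT IDENTIFIER OPTIONAL) and RFC 4108 (HardwareModuleName: hwType OBJECT IDENTIFIER, hwSerialNum OCTET STRING). The point it demonstrates is that the comparison should be done on the normalized structure, not on the raw strings: OID arcs and serial-number hex can be spelled differently by different encoders, while identifierValue is an opaque string that must match exactly.

```python
# Added illustration, not from the draft or the thread. The JSON/ASCII layout and the
# comparison rules are hypothetical; only the ASN.1 field structure (RFC 4043 / RFC 4108)
# is taken from the referenced standards.
from __future__ import annotations

import json
from dataclasses import dataclass


@dataclass(frozen=True)
class PermanentIdentifier:
    """RFC 4043: identifierValue UTF8String OPTIONAL, assigner OBJECT IDENTIFIER OPTIONAL."""
    identifier_value: str | None
    assigner: str | None  # dotted-decimal OID


@dataclass(frozen=True)
class HardwareModuleName:
    """RFC 4108: hwType OBJECT IDENTIFIER, hwSerialNum OCTET STRING."""
    hw_type: str  # dotted-decimal OID
    hw_serial: bytes


def normalize_oid(oid: str) -> str:
    """Canonical dotted-decimal form: at least two numeric arcs, root arc 0..2,
    leading zeros in an arc (seen from sloppy encoders) dropped."""
    arcs = oid.split(".")
    if len(arcs) < 2 or not all(a.isdigit() for a in arcs) or int(arcs[0]) > 2:
        raise ValueError(f"malformed OID: {oid!r}")
    return ".".join(str(int(a)) for a in arcs)


def to_ascii(ident: PermanentIdentifier | HardwareModuleName) -> str:
    """Hypothetical ASCII form: a compact JSON object with sorted keys. ensure_ascii
    escapes any non-ASCII identifierValue, so the result is always pure ASCII, and
    JSON null keeps an absent OPTIONAL distinct from an empty string."""
    if isinstance(ident, HardwareModuleName):
        obj = {"type": "hardware-module",
               "hwType": normalize_oid(ident.hw_type),
               "hwSerialNum": ident.hw_serial.hex()}
    else:
        obj = {"type": "permanent-identifier",
               "assigner": normalize_oid(ident.assigner) if ident.assigner is not None else None,
               "identifierValue": ident.identifier_value}
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True)


def from_ascii(text: str) -> PermanentIdentifier | HardwareModuleName:
    """Parse the hypothetical ASCII form back into the structured identifier."""
    obj = json.loads(text)
    kind = obj.get("type")
    if kind == "hardware-module":
        return HardwareModuleName(normalize_oid(obj["hwType"]), bytes.fromhex(obj["hwSerialNum"]))
    if kind == "permanent-identifier":
        assigner = obj.get("assigner")
        return PermanentIdentifier(obj.get("identifierValue"),
                                   normalize_oid(assigner) if assigner is not None else None)
    raise ValueError(f"unknown identifier type: {kind!r}")


def canonical(ident: PermanentIdentifier | HardwareModuleName) -> tuple:
    """Normalized structure used for equality: OIDs canonicalized, serial compared as
    bytes (so hex case is irrelevant), identifierValue compared exactly (no case folding)."""
    if isinstance(ident, HardwareModuleName):
        return ("hardware-module", normalize_oid(ident.hw_type), ident.hw_serial)
    return ("permanent-identifier",
            normalize_oid(ident.assigner) if ident.assigner is not None else None,
            ident.identifier_value)


def same_identifier(a, b) -> bool:
    return canonical(a) == canonical(b)


def order_matches_csr(order_ascii: list[str], csr_idents: list) -> bool:
    """Finalize-time check: every identifier in the order must be present, structurally,
    among the identifiers decoded from the CSR. (Whether the CA then publishes the
    identifier in the certificate is a separate policy decision, as the draft now notes.)"""
    return all(any(same_identifier(from_ascii(o), c) for c in csr_idents) for o in order_ascii)


if __name__ == "__main__":
    # Constructed sample values (private-enterprise-style OIDs chosen for illustration).
    csr_identifiers = [
        PermanentIdentifier("dev-001", "1.3.6.1.4.1.99999.2"),
        HardwareModuleName("1.3.6.1.4.1.99999.1", bytes.fromhex("0a1b")),
    ]
    order = [to_ascii(i) for i in csr_identifiers]
    print("\n".join(order))
    print("order matches CSR:", order_matches_csr(order, csr_identifiers))
```

Running the block prints the two JSON strings and `order matches CSR: True`. The one design choice worth noting is that equality is evaluated on `canonical()` output rather than on the ASCII strings themselves: a hardware-module identifier sent as `"0A1B"` with an OID arc written `01` still matches the CSR's `b"\x0a\x1b"` and `.1`, while a permanent identifier whose identifierValue differs only in letter case does not.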