Re: [Acme] Fwd: New Version Notification for draft-yusef-acme-3rd-party-device-attestation-01.txt
Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Thu, 17 January 2019 17:49 UTC
Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8020B130EBE for <acme@ietfa.amsl.com>; Thu, 17 Jan 2019 09:49:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EnUDnk8vex97 for <acme@ietfa.amsl.com>; Thu, 17 Jan 2019 09:49:30 -0800 (PST)
Received: from mail-it1-x12c.google.com (mail-it1-x12c.google.com [IPv6:2607:f8b0:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFFDE130EB5 for <acme@ietf.org>; Thu, 17 Jan 2019 09:49:29 -0800 (PST)
Received: by mail-it1-x12c.google.com with SMTP id i145so2699039ita.4 for <acme@ietf.org>; Thu, 17 Jan 2019 09:49:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=QAKsf++gb8lnOkMMX5wv6ZZPcgBaQ0vKzKHdSyVXHsM=; b=ILotQIHrJYc6s50DGwmfgia2VimYhA9xeHAimFUcYORaE5L/tTnUReMuhmtBnDJDEN rcgw85S/5VftyJsRua+R67JE6jPtictHpJseMlDdsudzstks7xE6xIQikdEKZZiZqzrE 62DhpjRGablLQuJDbHMbReueTXkSZcErTYGxooRXMxwPuhSfZS47h7Is9nRPKaMdLqoq aIx1xCryBuWSREkFiWAs4wom1HL46Y9G3VkTVtAWxJbvn7N6Ldx5flYenZFsJop7/HAL 7J7fbCEfZkoOkRp+WlMYKmsSEnea2xY9hX+d1lSx87yT0pAWE05ZY+/Wf+BUR8oGTkO4 XP7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=QAKsf++gb8lnOkMMX5wv6ZZPcgBaQ0vKzKHdSyVXHsM=; b=GQxHZQ9UvAzt516XLM/xITek6aIJjSIjwViqLX7AmAm/9S7US1yxi5aXRvjuyYk8Sj ryLkZlm6vJH8FFpK8F6KrCOVIZUuRQiOgvKxPO/fSjK6cO+Unu1VzoNbQfMkO9jXbKDx cffLrlYEG/QK2XB2S3HRZ19roNiNmXVV+Uv8ZWKUUzRJuK5LTTsoWuqOPfgCNz6iOtSn govzkSs2dAUBczqlSrmqW8Dljq6RWDzxjmDA4ogXsJbyHs1UpGyNXZ4IZAdLSzNnYytl OzgMDfwOBXgnBQmpaSc7Pw6i0IfX3aF8/viEQjp2rUWX5ltITSztMtuwMv38FNBl+oIG yu7w==
X-Gm-Message-State: AJcUukfYyPlqEvsGIGRjYdxp9iI59xQ767iyWf+DJYOStzrVol1RIIrj rcSi8lobJ9yXPH9sJZNYD4F2gXCjd6nr3nBAoXp7JPSi
X-Google-Smtp-Source: ALg8bN67BdM6pODPkbjxk2YV12I81yYZKO+4cWYLRHp2tHwXJEIAFk7gl0I/A+P21wY6Q+6ST3jpQ73Du/QJj6iyxGw=
X-Received: by 2002:a24:cfc1:: with SMTP id y184mr8288713itf.72.1547747369220; Thu, 17 Jan 2019 09:49:29 -0800 (PST)
MIME-Version: 1.0
References: <154767050457.29430.8305250740505088239.idtracker@ietfa.amsl.com> <CAGL6epJ6cVBSp_VWPbV9+kG7VGBp_mPPf_Q836cbf5bi8OY=hQ@mail.gmail.com> <CAL02cgQXYxqvi5q4iW8uhRkbsYG1UObQkb094ba1wFvw4dcy8Q@mail.gmail.com>
In-Reply-To: <CAL02cgQXYxqvi5q4iW8uhRkbsYG1UObQkb094ba1wFvw4dcy8Q@mail.gmail.com>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Thu, 17 Jan 2019 12:49:18 -0500
Message-ID: <CAGL6ep+aZETDNLFME5mT9f=AxowLTkhKSvMevGxEYwirLhTT_Q@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000024fc89057fab04eb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/MHDC8hveVw9Q7VkjS6eGxJvsxVc>
Subject: Re: [Acme] Fwd: New Version Notification for draft-yusef-acme-3rd-party-device-attestation-01.txt
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Jan 2019 17:49:32 -0000
Thanks Richard, The redirection is not critical part, and your explanation makes sense. I looked at the "authority token" documents a while ago; I will take a look again to see if I can align this document with that framework. Regards, Rifaat On Thu, Jan 17, 2019 at 1:51 AM Richard Barnes <rlb@ipv.sx> wrote: > It seems like the core of this draft is identifier delegation. Namely, > the CA recognizes the DA as an authority for a certain identifier space > (e.g., the first few octets of a MAC address), and the JWT delegates > permission to issue certificates for some identifier in that space to the > Client. > > Given that, it seems to me like this could fit under the rubric of the > "authority token" challenge. If you were to do what this draft wants to do > with that framework, the Client would have two separate interactions -- an > OAuth interaction with the DA to get a token, then an ACME interaction with > the CA to issue the certificate. The only specification needed would be to > specify the identifier and token type, as has been done for TNAuthList [2]. > > The only thing that would then be missing with regard to this draft is > that the CA wouldn't provide the redirect to the DA. Whether that makes > sense depends on the use case, but I suspect that in most cases it does > not. The design in the draft presumes there's a single DA per identifier, > and that the CA keeps a mapping table from possible identifiers to DAs. > That seems unlikely for most identifier spaces and most CAs with reasonably > broad coverage. So losing this property of the draft doesn't seem like a > big issue. > > So net/net, I think this draft should be restructured along the lines of > [2], to just define a token type and maybe an identifier type. > > --Richard > > [1] https://tools.ietf.org/html/draft-ietf-acme-authority-token > [2] > https://tools.ietf.org/wg/acme/draft-ietf-acme-authority-token-tnauthlist/ > > On Wed, Jan 16, 2019 at 12:33 PM Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> > wrote: > >> All, >> >> I have just submitted new updated version to address the issues raised by >> Ilari and Ryan. >> I would appreciate any more reviews and comments. >> >> Regards, >> Rifaat >> >> >> ---------- Forwarded message --------- >> From: <internet-drafts@ietf.org> >> Date: Wed, Jan 16, 2019 at 3:28 PM >> Subject: New Version Notification for >> draft-yusef-acme-3rd-party-device-attestation-01.txt >> To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> >> >> >> >> A new version of I-D, draft-yusef-acme-3rd-party-device-attestation-01.txt >> has been successfully submitted by Rifaat Shekh-Yusef and posted to the >> IETF repository. >> >> Name: draft-yusef-acme-3rd-party-device-attestation >> Revision: 01 >> Title: Third-Party Device Attestation for ACME >> Document date: 2019-01-16 >> Group: Individual Submission >> Pages: 9 >> URL: >> https://www.ietf.org/internet-drafts/draft-yusef-acme-3rd-party-device-attestation-01.txt >> Status: >> https://datatracker.ietf.org/doc/draft-yusef-acme-3rd-party-device-attestation/ >> Htmlized: >> https://tools.ietf.org/html/draft-yusef-acme-3rd-party-device-attestation-01 >> Htmlized: >> https://datatracker.ietf.org/doc/html/draft-yusef-acme-3rd-party-device-attestation >> Diff: >> https://www.ietf.org/rfcdiff?url2=draft-yusef-acme-3rd-party-device-attestation-01 >> >> Abstract: >> This document defines a Third-Party Device Attestation for ACME >> mechanism to allow the ACME CA to delegate some of its authentication >> and authorization functions to a separate trusted entity, to automate >> the issuance of certificates to devices. >> >> >> >> >> Please note that it may take a couple of minutes from the time of >> submission >> until the htmlized version and diff are available at tools.ietf.org. >> >> The IETF Secretariat >> >> _______________________________________________ >> Acme mailing list >> Acme@ietf.org >> https://www.ietf.org/mailman/listinfo/acme >> >
- Re: [Acme] Fwd: New Version Notification for draf… Ilari Liusvaara
- [Acme] Fwd: New Version Notification for draft-yu… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Richard Barnes
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Richard Barnes
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Salz, Rich
- Re: [Acme] Fwd: New Version Notification for draf… Richard Barnes
- Re: [Acme] New Version Notification for draft-yus… Yoav Nir
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Richard Barnes
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Manger, James
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef