Re: [Acme] Fwd: New Version Notification for draft-yusef-acme-3rd-party-device-attestation-01.txt

"Manger, James" <James.H.Manger@team.telstra.com> Fri, 25 January 2019 01:27 UTC

From: "Manger, James" <James.H.Manger@team.telstra.com>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
CC: IETF ACME <acme@ietf.org>
Date: Fri, 25 Jan 2019 01:27:08 +0000
Message-ID: <ME1PR01MB07711AB21EFE888468CA571EE59B0@ME1PR01MB0771.ausprd01.prod.outlook.com>
References: <154767050457.29430.8305250740505088239.idtracker@ietfa.amsl.com> <CAGL6epJ6cVBSp_VWPbV9+kG7VGBp_mPPf_Q836cbf5bi8OY=hQ@mail.gmail.com> <CAL02cgQXYxqvi5q4iW8uhRkbsYG1UObQkb094ba1wFvw4dcy8Q@mail.gmail.com> <CAGL6epJX+dSb9fK7E8fagwROesL7DF_3KJhF0nB=TTqdcpi-cA@mail.gmail.com> <CAL02cgRx7SOYSmzCo8cLdz08U2Y=_KtjSe3Zha3GhFjQsYgW5Q@mail.gmail.com> <CAGL6epLpBCqyBbvSpZb41xOgOwy6TBobK_hHZ+SdSWAFjvuyKQ@mail.gmail.com>
In-Reply-To: <CAGL6epLpBCqyBbvSpZb41xOgOwy6TBobK_hHZ+SdSWAFjvuyKQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Q2mij5kQhMFQTcWV5NNar7zJ-3Q>
Subject: Re: [Acme] Fwd: New Version Notification for draft-yusef-acme-3rd-party-device-attestation-01.txt
List-Id: Automated Certificate Management Environment <acme.ietf.org>

I’m confused about what is desired with draft-yusef-acme-3rd-party-device-attestation, but I think it may be quite different from what draft-ietf-acme-authority-token offers. Here’s my guess:

draft-ietf-acme-authority-token is designed to issue certs for namespaces other than domain names, e.g. for phone numbers. The CA trusts another authority to vouch for that namespace.

draft-yusef-acme-3rd-party-device-attestation is designed to issue certs for a domain name (as per normal ACME). The cert will be for a specific device whose serial number (e.g. MAC address) the domain-owner knows. The device manufacturer can vouch for device keys associated with that serial number.
Curiously, the protocol flow in draft-yusef-acme-3rd-party-device-attestation doesn’t seem to involve the device at all – only the domain-owner (client), manufacturer, and CA. But surely the device needs to provide the CSR?

It sounds like the client (domain-owner) should be able to confirm the correct device is involved (by talking to the device and manufacturer) before sending a normal ACME request. That way the ACME CA doesn’t need to know anything about the device attestation.

--
James Manger
+61 4 1754 1870
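The local pre-check suggested in the last paragraph of the message, as an added illustration that is not code from either draft or from the thread: the domain-owner verifies a manufacturer attestation of the device key against the serial number it already knows, then checks that the device's CSR carries that same key, so what reaches the ACME CA is an ordinary request. The Attestation format, the use of Ed25519 keys, and the serial and domain values are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
)

// Attestation is a hypothetical manufacturer statement (not a format from either draft)
// binding a device serial number to the device's public key; Sig covers serial, "|", key.
type Attestation struct{ Serial string; DevicePub, Sig []byte }

func (a Attestation) signedBytes() []byte { return append([]byte(a.Serial+"|"), a.DevicePub...) }

// Attest is the manufacturer's side (assumed): vouch for the key behind a serial number.
func Attest(mfrPriv ed25519.PrivateKey, serial string, devPub ed25519.PublicKey) Attestation {
	a := Attestation{Serial: serial, DevicePub: []byte(devPub)}
	a.Sig = ed25519.Sign(mfrPriv, a.signedBytes())
	return a
}

// DeviceCSR is the device's side: an ordinary CSR for the domain, signed with the device key.
func DeviceCSR(devPriv ed25519.PrivateKey, domain string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: domain}, DNSNames: []string{domain}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, devPriv)
}

// CheckDeviceCSR is the domain-owner's local pre-check; only a CSR that passes it is sent
// on to the ACME CA, which therefore never needs to see the attestation at all.
func CheckDeviceCSR(mfrPub ed25519.PublicKey, wantSerial string, att Attestation, csrDER []byte) error {
	if att.Serial != wantSerial {
		return errors.New("attestation is for a different serial number")
	}
	if !ed25519.Verify(mfrPub, att.signedBytes(), att.Sig) {
		return errors.New("manufacturer signature on attestation is invalid")
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil { // proves possession of the key in the CSR
		return err
	}
	if pub, ok := csr.PublicKey.(ed25519.PublicKey); !ok || !bytes.Equal([]byte(pub), att.DevicePub) {
		return errors.New("CSR key does not match the attested device key")
	}
	return nil
}
```

A CSR that fails any of these checks is rejected by the client itself, so the CA never has to learn the attestation format or the manufacturer's key.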