Re: [Acme] Fwd: New Version Notification for draft-yusef-acme-3rd-party-device-attestation-01.txt
Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 16 January 2019 21:15 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B119F13117C for <acme@ietfa.amsl.com>; Wed, 16 Jan 2019 13:15:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y1xakUs9S0UW for <acme@ietfa.amsl.com>; Wed, 16 Jan 2019 13:15:30 -0800 (PST)
Received: from welho-filter4.welho.com (welho-filter4.welho.com [83.102.41.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB52D1292F1 for <acme@ietf.org>; Wed, 16 Jan 2019 13:15:29 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id 758A545C5B; Wed, 16 Jan 2019 23:15:26 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id NGlHbda2B96w; Wed, 16 Jan 2019 23:15:26 +0200 (EET)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id A87BB72; Wed, 16 Jan 2019 23:15:23 +0200 (EET)
Date: Wed, 16 Jan 2019 23:15:23 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Cc: IETF ACME <acme@ietf.org>
Message-ID: <20190116211522.GA7547@LK-Perkele-VII>
References: <154767050457.29430.8305250740505088239.idtracker@ietfa.amsl.com> <CAGL6epJ6cVBSp_VWPbV9+kG7VGBp_mPPf_Q836cbf5bi8OY=hQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAGL6epJ6cVBSp_VWPbV9+kG7VGBp_mPPf_Q836cbf5bi8OY=hQ@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/cLfKmGY3tImhGOdx93yBR7laqjk>
Subject: Re: [Acme] Fwd: New Version Notification for draft-yusef-acme-3rd-party-device-attestation-01.txt
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Jan 2019 21:15:33 -0000
On Wed, Jan 16, 2019 at 03:32:57PM -0500, Rifaat Shekh-Yusef wrote: > All, > > I have just submitted new updated version to address the issues raised by > Ilari and Ryan. > I would appreciate any more reviews and comments. > > ---------- Forwarded message --------- > Name: draft-yusef-acme-3rd-party-device-attestation > Revision: 01 > https://www.ietf.org/internet-drafts/draft-yusef-acme-3rd-party-device-attestation-01.txt Other comments: - How the ACME server can look up the client account with kid field (which normally contains the client account identifier) now contains the client domain? - URL field in first request seems to be also overloaded. Considering that this field actually has security significance (prevent misrouting to different resource), this seems questionable. - Constructing URL poiting to the client without knowledge of used paths is very questionable. - It seems to me that this should be handled by defining a new validation method for the mac identifiers, without touching rest of ACME. Then the CA would send those back for mac identifiers (together with the needed references) and then take the JWT as reply. -Ilari
- Re: [Acme] Fwd: New Version Notification for draf… Ilari Liusvaara
- [Acme] Fwd: New Version Notification for draft-yu… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Richard Barnes
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Richard Barnes
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Salz, Rich
- Re: [Acme] Fwd: New Version Notification for draf… Richard Barnes
- Re: [Acme] New Version Notification for draft-yus… Yoav Nir
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Richard Barnes
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Manger, James
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef