Re: [Acme] Fwd: New Version Notification for draft-yusef-acme-3rd-party-device-attestation-01.txt

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 16 January 2019 21:15 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B119F13117C for <acme@ietfa.amsl.com>; Wed, 16 Jan 2019 13:15:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y1xakUs9S0UW for <acme@ietfa.amsl.com>; Wed, 16 Jan 2019 13:15:30 -0800 (PST)
Received: from welho-filter4.welho.com (welho-filter4.welho.com [83.102.41.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB52D1292F1 for <acme@ietf.org>; Wed, 16 Jan 2019 13:15:29 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id 758A545C5B; Wed, 16 Jan 2019 23:15:26 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id NGlHbda2B96w; Wed, 16 Jan 2019 23:15:26 +0200 (EET)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id A87BB72; Wed, 16 Jan 2019 23:15:23 +0200 (EET)
Date: Wed, 16 Jan 2019 23:15:23 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Cc: IETF ACME <acme@ietf.org>
Message-ID: <20190116211522.GA7547@LK-Perkele-VII>
References: <154767050457.29430.8305250740505088239.idtracker@ietfa.amsl.com> <CAGL6epJ6cVBSp_VWPbV9+kG7VGBp_mPPf_Q836cbf5bi8OY=hQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <CAGL6epJ6cVBSp_VWPbV9+kG7VGBp_mPPf_Q836cbf5bi8OY=hQ@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/cLfKmGY3tImhGOdx93yBR7laqjk>
Subject: Re: [Acme] Fwd: New Version Notification for draft-yusef-acme-3rd-party-device-attestation-01.txt
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Jan 2019 21:15:33 -0000

On Wed, Jan 16, 2019 at 03:32:57PM -0500, Rifaat Shekh-Yusef wrote:
> All,
> 
> I have just submitted new updated version to address the issues raised by
> Ilari and Ryan.
> I would appreciate any more reviews and comments.
> 
> ---------- Forwarded message ---------
> Name:           draft-yusef-acme-3rd-party-device-attestation
> Revision:       01
> https://www.ietf.org/internet-drafts/draft-yusef-acme-3rd-party-device-attestation-01.txt

Other comments:

- How the ACME server can look up the client account with kid field
  (which normally contains the client account identifier) now contains
  the client domain?
- URL field in first request seems to be also overloaded. Considering
  that this field actually has security significance (prevent misrouting
  to different resource), this seems questionable.
- Constructing URL poiting to the client without knowledge of used paths
  is very questionable. 
- It seems to me that this should be handled by defining a new validation
  method for the mac identifiers, without touching rest of ACME. Then
  the CA would send those back for mac identifiers (together with the
  needed references) and then take the JWT as reply. 


-Ilari