Re: [Acme] Call for adoption for draft-bweeks-acme-device-attest
Sebastian Nielsen <sebastian@sebbe.eu> Thu, 24 November 2022 19:32 UTC
Return-Path: <sebastian@sebbe.eu>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0597DC14CE54 for <acme@ietfa.amsl.com>; Thu, 24 Nov 2022 11:32:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sebbe.eu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PbiQyKIlBhu7 for <acme@ietfa.amsl.com>; Thu, 24 Nov 2022 11:32:37 -0800 (PST)
Received: from dns2.sebbe.eu (dns2.sebbe.eu [IPv6:2001:470:dff1:1:10::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F1D6C14CEE3 for <acme@ietf.org>; Thu, 24 Nov 2022 11:32:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sebbe.eu; s=root; h=Date:To:From:cc; bh=1/rDnlzwySiKUt8tW3so5gR9cvUXFLgTE6nfhK27PTA=; b=ZlZBCn6TfPMQy+ylwIkPzOtNm+JTxkSEISgftKkXMQCZj2XZOsKXnnfdX/SAO5tgYz9PbxOv5O U67Z2EWaVH0h0HuarNLk/oIIKoW63PpITQ3bb02gvsNTyukWZTPpQT6v3XlwXl4kp88yTC66Ig3yF gOxdrM0ljdNuDQk8bCQE=;
Received: from localhost ([127.0.0.1] helo=sebastian-desktop) by sebbe.eu with esmtp (Exim 4_94_RC0-31-83e8da8c0-XX) (envelope-from <sebastian@sebbe.eu>) id 1oyHxX-001i51-Dc for acme@ietf.org; Thu, 24 Nov 2022 20:32:31 +0100
Received: from [192.168.1.188] (helo=DESKTOPA5BEHQI) by sebbe.eu with esmtpa (Exim 4_94_RC0-31-83e8da8c0-XX) (envelope-from <sebastian@sebbe.eu>) id 1oyHxX-001i4y-4j for acme@ietf.org; Thu, 24 Nov 2022 20:32:31 +0100
From: Sebastian Nielsen <sebastian@sebbe.eu>
To: 'Mailing List' <acme@ietf.org>
References: <CAGgd1OfBGt9E-n8O8834VC8Jrqa6Lt1eK_gbBwsM_f7Bo5KB7g@mail.gmail.com> <DB9PR08MB652488D510181D5C5CEB5D0A9C0F9@DB9PR08MB6524.eurprd08.prod.outlook.com>
In-Reply-To: <DB9PR08MB652488D510181D5C5CEB5D0A9C0F9@DB9PR08MB6524.eurprd08.prod.outlook.com>
Message-ID: <008001d9003b$7ec91c80$7c5b5580$@sebbe.eu>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0081_01D90043.E08EBD00"
X-Mailer: Microsoft Outlook 16.0
Content-Language: sv
Thread-Index: AQH0rqDtq2UaC+fnLyWnUugpVEw78AIsRZYMrgWyDwA=
X-Encryption-Target: external
Date: Thu, 24 Nov 2022 20:32:31 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/kC3BJ9I8p4wqk2HOzE-Lfb1Ih94>
Subject: Re: [Acme] Call for adoption for draft-bweeks-acme-device-attest
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2022 19:32:42 -0000
I think a even better idea is to actually support passports for real. Passports and ID-cards (with an MRZ), and some driver licenses with an MRZ today contain a NFC chip, so a ACME server could provide this as a validation method for getting a fully validated certificate. The passports can then be validated electronically using the country signer key, and then a fully validated certificate can be issued. On the topic of validating in the passport model however, is that if the attestation from the verifier is fraudulent, there is no possibility for the verifier to revoke it. This serves less of a importance if the ownership of physical device is being attested, whose contains no identity information. But if its a device or attestation linked to a person or organization, there must be a way to revoke said credential, for example if it becomes lost. Which means you have to implement the background check topology regardless, and in some way, check the attestation with the verifier to ensure it hasnt been blocked. There is a third model however, which mixes background check and passport model. That is, you have a long-lived attestation from a verifier. You then get a short-lived attestation that the long lived attestation is still valid (think OCSP protocol here) You then send both attestations to the RP (OCSP Stapling). This only serves a advantage if you need to verify yourself against many RPs in a short timeframe, and you want to ease up the load on the verifier. In a certificate issuance situation, this will never become a problem, since a ACME server will only contact a verifier a few times per 30/60/90 days. Thus the background check model can always be used. Från: acme-bounces@ietf.org <acme-bounces@ietf.org> För Thomas Fossati Skickat: den 24 november 2022 13:35 Till: Deb Cooley <debcooley1@gmail.com>; IETF ACME <acme@ietf.org> Kopia: acme-chairs@ietf.org Ämne: Re: [Acme] Call for adoption for draft-bweeks-acme-device-attest I have read the draft and I think it brings a very valuable feature into the ACME ecosystem. Its also a perfect fit in at least two of our projects, and Id be happy to integrate it in our protocol flows. The only concern I have with the current proposal is its reliance on WebAuthns as the sole encap format. The trouble is it only allows background check-style topologies [1], whilst wed like to be able to support passport [2] as well. Therefore, Id like to have WebAuthn as one of the supported formats, rather than the only supported format. (For a more generic encapsulation of attestation-related payloads you may want to take a look at [3].) Cheers, thanks t [1] https://www.ietf.org/archive/id/draft-ietf-rats-architecture-22.html#section -5.2 [2] https://www.ietf.org/archive/id/draft-ietf-rats-architecture-22.html#section -5.1 [3] https://datatracker.ietf.org/doc/draft-ftbs-rats-msg-wrap/ On 15/11/2022, 18:03, "Acme" <acme-bounces@ietf.org <mailto:acme-bounces@ietf.org> > wrote: This will be a three week call for adoption ending on 6 Dec. (because of holidays in the US). Please speak up either for or against adopting this draft. Thanks, Deb and Yoav. IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
- [Acme] Call for adoption for draft-bweeks-acme-de… Deb Cooley
- Re: [Acme] Call for adoption for draft-bweeks-acm… Carl Wallace
- Re: [Acme] Call for adoption for draft-bweeks-acm… Richard Barnes
- Re: [Acme] Call for adoption for draft-bweeks-acm… Amir Omidi
- Re: [Acme] Call for adoption for draft-bweeks-acm… Mike Malone
- Re: [Acme] Call for adoption for draft-bweeks-acm… Russ Housley
- Re: [Acme] Call for adoption for draft-bweeks-acm… Thomas Fossati
- Re: [Acme] Call for adoption for draft-bweeks-acm… Sebastian Nielsen
- Re: [Acme] Call for adoption for draft-bweeks-acm… Sean Turner
- Re: [Acme] Call for adoption for draft-bweeks-acm… Deb Cooley