Re: [Acme] Fwd: New Version Notification for draft-yusef-acme-3rd-party-device-attestation-01.txt
Richard Barnes <rlb@ipv.sx> Thu, 17 January 2019 20:45 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7316B130E63 for <acme@ietfa.amsl.com>; Thu, 17 Jan 2019 12:45:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.041
X-Spam-Level:
X-Spam-Status: No, score=-2.041 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DQOUCP2twWlQ for <acme@ietfa.amsl.com>; Thu, 17 Jan 2019 12:45:03 -0800 (PST)
Received: from mail-ot1-x333.google.com (mail-ot1-x333.google.com [IPv6:2607:f8b0:4864:20::333]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BED31271FF for <acme@ietf.org>; Thu, 17 Jan 2019 12:45:03 -0800 (PST)
Received: by mail-ot1-x333.google.com with SMTP id a11so12365579otr.10 for <acme@ietf.org>; Thu, 17 Jan 2019 12:45:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=fCwuE0/Uj9t42T5LacV/v0WPOXebNZ5lgd5CTjRTL8g=; b=K9T1GzVG4GB36cTvQ/95R5NmPvclijdrmlhgNoI5fXwrzqYjfYsh1f+JFKN7tFniU+ OruyyI+MQoM28R8fhdbIcwvknjEzpRE/weoMZKYeE9Im17LPkMtm0hSRC55Lp1pxiYEX lVovmFpn6DNbInRKbHrTqfpMvc9z7Uv9M2kVDB9uPOCXc59ag8TDp7yUbwKAPDoIfded TuGr5MQcfQbIkh8dfXLdDCmNFY7p6ewQw6XxPsGN7tz0GkthY5mo0fjEm5BY9CQiwrR9 i7DPdTF+6Gob8KrSloo0niy7Czyeh4i4O2Y9HSKQhwtH0Njeyb3Yat+ye0baJBL+8eWH gmzw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fCwuE0/Uj9t42T5LacV/v0WPOXebNZ5lgd5CTjRTL8g=; b=IPhsflXY2572BArAZk/OpipAIcLK8IMFoiNnlsf6YemgBziM5Dv/ny+2MaK8yN8ZUR Xn4ce7OKm771LPh7yIjg1j5hnAtabP2aRWbroHJGoWxopBVZJBfTIzlWUdEh3Sw2o0ma WDQG+MBz9w+gYbWBqze49T/JjXxSVF+1yoMYCOE/tUBH6GS0oxzZ+2DsPNVh3kqa5ppo hkyIRp7FvotEf2Vy/q3Y0jirIGjpsEFxIGs8rLiJjoMlflJtMoT8Z2M6Zx8OdK2zuOLO AmT1G7KESLC9USP7LxKkB+h3jsLysqE+5aHg36CrEAfItcCfidkrnHff1o/nKP64dBWS 23mA==
X-Gm-Message-State: AJcUuke2btJj0R8kUoNWnD763zv6vIIAqya+iGSU+wjoIphoujnQYQsp QyCa1IcW5r6dR5INQ4VDZO/bh9ztEDWilKWlu9M0Ow==
X-Google-Smtp-Source: ALg8bN7t5pgQybpZEBQqfqYW2dQyf2GFgTZbRZ6nh4ygew0Jd4fqKabeNmvpsCAjMLZx2QEwug9e8w8ttteWfeVsK1Q=
X-Received: by 2002:a9d:191a:: with SMTP id j26mr10372114ota.81.1547757902402; Thu, 17 Jan 2019 12:45:02 -0800 (PST)
MIME-Version: 1.0
References: <154767050457.29430.8305250740505088239.idtracker@ietfa.amsl.com> <CAGL6epJ6cVBSp_VWPbV9+kG7VGBp_mPPf_Q836cbf5bi8OY=hQ@mail.gmail.com> <CAL02cgQXYxqvi5q4iW8uhRkbsYG1UObQkb094ba1wFvw4dcy8Q@mail.gmail.com> <CAGL6ep+aZETDNLFME5mT9f=AxowLTkhKSvMevGxEYwirLhTT_Q@mail.gmail.com>
In-Reply-To: <CAGL6ep+aZETDNLFME5mT9f=AxowLTkhKSvMevGxEYwirLhTT_Q@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Thu, 17 Jan 2019 15:44:50 -0500
Message-ID: <CAL02cgSRqD7POpRd57rNK6a+wTRAJ7qHy+f74DbmGRPe=OnBGg@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Cc: IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f8ac47057fad77a1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/lI08iB6UYn3o-nA4BpOfwmUO-J0>
Subject: Re: [Acme] Fwd: New Version Notification for draft-yusef-acme-3rd-party-device-attestation-01.txt
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Jan 2019 20:45:06 -0000
I would add that if this is just another token type, it might not be necessary to keep the WG open for it. Good exercise for the secdispatch process. On Thu, Jan 17, 2019 at 12:49 Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> wrote: > Thanks Richard, > > The redirection is not critical part, and your explanation makes sense. > I looked at the "authority token" documents a while ago; I will take a > look again to see if I can align this document with that framework. > > Regards, > Rifaat > > > On Thu, Jan 17, 2019 at 1:51 AM Richard Barnes <rlb@ipv.sx> wrote: > >> It seems like the core of this draft is identifier delegation. Namely, >> the CA recognizes the DA as an authority for a certain identifier space >> (e.g., the first few octets of a MAC address), and the JWT delegates >> permission to issue certificates for some identifier in that space to the >> Client. >> >> Given that, it seems to me like this could fit under the rubric of the >> "authority token" challenge. If you were to do what this draft wants to do >> with that framework, the Client would have two separate interactions -- an >> OAuth interaction with the DA to get a token, then an ACME interaction with >> the CA to issue the certificate. The only specification needed would be to >> specify the identifier and token type, as has been done for TNAuthList [2]. >> >> The only thing that would then be missing with regard to this draft is >> that the CA wouldn't provide the redirect to the DA. Whether that makes >> sense depends on the use case, but I suspect that in most cases it does >> not. The design in the draft presumes there's a single DA per identifier, >> and that the CA keeps a mapping table from possible identifiers to DAs. >> That seems unlikely for most identifier spaces and most CAs with reasonably >> broad coverage. So losing this property of the draft doesn't seem like a >> big issue. >> >> So net/net, I think this draft should be restructured along the lines of >> [2], to just define a token type and maybe an identifier type. >> >> --Richard >> >> [1] https://tools.ietf.org/html/draft-ietf-acme-authority-token >> [2] >> https://tools.ietf.org/wg/acme/draft-ietf-acme-authority-token-tnauthlist/ >> >> On Wed, Jan 16, 2019 at 12:33 PM Rifaat Shekh-Yusef < >> rifaat.ietf@gmail.com> wrote: >> >>> All, >>> >>> I have just submitted new updated version to address the issues raised >>> by Ilari and Ryan. >>> I would appreciate any more reviews and comments. >>> >>> Regards, >>> Rifaat >>> >>> >>> ---------- Forwarded message --------- >>> From: <internet-drafts@ietf.org> >>> Date: Wed, Jan 16, 2019 at 3:28 PM >>> Subject: New Version Notification for >>> draft-yusef-acme-3rd-party-device-attestation-01.txt >>> To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> >>> >>> >>> >>> A new version of I-D, >>> draft-yusef-acme-3rd-party-device-attestation-01.txt >>> has been successfully submitted by Rifaat Shekh-Yusef and posted to the >>> IETF repository. >>> >>> Name: draft-yusef-acme-3rd-party-device-attestation >>> Revision: 01 >>> Title: Third-Party Device Attestation for ACME >>> Document date: 2019-01-16 >>> Group: Individual Submission >>> Pages: 9 >>> URL: >>> https://www.ietf.org/internet-drafts/draft-yusef-acme-3rd-party-device-attestation-01.txt >>> Status: >>> https://datatracker.ietf.org/doc/draft-yusef-acme-3rd-party-device-attestation/ >>> Htmlized: >>> https://tools.ietf.org/html/draft-yusef-acme-3rd-party-device-attestation-01 >>> Htmlized: >>> https://datatracker.ietf.org/doc/html/draft-yusef-acme-3rd-party-device-attestation >>> Diff: >>> https://www.ietf.org/rfcdiff?url2=draft-yusef-acme-3rd-party-device-attestation-01 >>> >>> Abstract: >>> This document defines a Third-Party Device Attestation for ACME >>> mechanism to allow the ACME CA to delegate some of its authentication >>> and authorization functions to a separate trusted entity, to automate >>> the issuance of certificates to devices. >>> >>> >>> >>> >>> Please note that it may take a couple of minutes from the time of >>> submission >>> until the htmlized version and diff are available at tools.ietf.org. >>> >>> The IETF Secretariat >>> >>> _______________________________________________ >>> Acme mailing list >>> Acme@ietf.org >>> https://www.ietf.org/mailman/listinfo/acme >>> >>
- Re: [Acme] Fwd: New Version Notification for draf… Ilari Liusvaara
- [Acme] Fwd: New Version Notification for draft-yu… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Richard Barnes
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Richard Barnes
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Salz, Rich
- Re: [Acme] Fwd: New Version Notification for draf… Richard Barnes
- Re: [Acme] New Version Notification for draft-yus… Yoav Nir
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Richard Barnes
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Manger, James
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef