Re: [Acme] Fwd: New Version Notification for draft-yusef-acme-3rd-party-device-attestation-01.txt
Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Fri, 25 January 2019 13:07 UTC
Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C615A130F78 for <acme@ietfa.amsl.com>; Fri, 25 Jan 2019 05:07:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8jEAAxL2b5bH for <acme@ietfa.amsl.com>; Fri, 25 Jan 2019 05:07:07 -0800 (PST)
Received: from mail-io1-xd34.google.com (mail-io1-xd34.google.com [IPv6:2607:f8b0:4864:20::d34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E5CA130E59 for <acme@ietf.org>; Fri, 25 Jan 2019 05:07:07 -0800 (PST)
Received: by mail-io1-xd34.google.com with SMTP id s8so7629579iob.13 for <acme@ietf.org>; Fri, 25 Jan 2019 05:07:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GbMMNPivRmDvf1pjSDQ+K9vej4ZwRbWerDCIXtcn7I0=; b=AE9bkSauGm8qTrJQjYzBj/jQ9W8uexqp253LvLDef1AxdvDoU0bvQtaFt19Sv6XJud E1xzm1VZvUwf06gUEQ9rY0I+D5lXA6GVQIEmWeJXA8piHYOtyPZeDRRVB/QxwGTfeLAv kwfD3o7t7GMl3fnVA9+l+zMenbAOtAOnjWrRR2UNU2H05bnN4fRg9lInblhId5B1T/sS qOnd8I04SQIT0HvedrtHCaRuCwuGKQsKO8nPQ7uSBgE9IspmaCdUXRysuEox/jNckhK9 TCeK9O8nqQ2mr0ti6pJyMPG8ABLcB1x/n9kxKF9w3ypTVaJ2PoZgJT9KJYRJZWZP7R9f ZNVQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GbMMNPivRmDvf1pjSDQ+K9vej4ZwRbWerDCIXtcn7I0=; b=T+ZjOPJYdGE+wXd2Tb+8oCqXQKcNuhnpWJlhD7CCr/iV7DoqqGzrNMzB4Tol6D4/4V oHhQOgYrILM2TJFC981+3Kvd3PBy7E1CbhfTCQzQg3BS6vPY1IweZVd2L0jVjQE3ZIaQ EIYCrWykRMNqcjKT+imoaTCF421Q4fLmR05bxLC58oYGIznp/8hR6rKiNpz/GY1HSL20 T3ZNBe+1MHr7hAHHBJMjJn5am8mDG7BO9m0vVZ4HTo1HIG++Ixf3Pk70I1EdV/NJ7LN2 54zPBov2tnDVfgx/LuIdZpyYYS21zy5YRXN1IXOGURHr7y6k441Gy6exYSBiAeVT01h/ WQAA==
X-Gm-Message-State: AJcUukedm3Z0Wy4F077I6jYu6t5AzV3269/6V8ISrhzbiFeQ0Fcs5qwY elAti9uTMNt+Yi9ZtOCiHhuOIFmyoD5wAm3IvfQa7/dsWsM=
X-Google-Smtp-Source: AHgI3IZ+8AdshvRDiE0e/Nb0YO3UkiulLz+nsbZbi7ojX33pyek7UTg3pWofI6j1ECGHfU/+UatqUVUq9n6WtUI3D3Q=
X-Received: by 2002:a5d:904b:: with SMTP id v11mr7037254ioq.0.1548421626331; Fri, 25 Jan 2019 05:07:06 -0800 (PST)
MIME-Version: 1.0
References: <154767050457.29430.8305250740505088239.idtracker@ietfa.amsl.com> <CAGL6epJ6cVBSp_VWPbV9+kG7VGBp_mPPf_Q836cbf5bi8OY=hQ@mail.gmail.com> <CAL02cgQXYxqvi5q4iW8uhRkbsYG1UObQkb094ba1wFvw4dcy8Q@mail.gmail.com> <CAGL6epJX+dSb9fK7E8fagwROesL7DF_3KJhF0nB=TTqdcpi-cA@mail.gmail.com> <CAL02cgRx7SOYSmzCo8cLdz08U2Y=_KtjSe3Zha3GhFjQsYgW5Q@mail.gmail.com> <CAGL6epLpBCqyBbvSpZb41xOgOwy6TBobK_hHZ+SdSWAFjvuyKQ@mail.gmail.com> <ME1PR01MB07711AB21EFE888468CA571EE59B0@ME1PR01MB0771.ausprd01.prod.outlook.com>
In-Reply-To: <ME1PR01MB07711AB21EFE888468CA571EE59B0@ME1PR01MB0771.ausprd01.prod.outlook.com>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Fri, 25 Jan 2019 08:06:55 -0500
Message-ID: <CAGL6ep+AM_1APY2fCgGkLgJ-dXnfxYU7gtwmQ_P8higW5h1Vkg@mail.gmail.com>
To: "Manger, James" <James.H.Manger@team.telstra.com>
Cc: IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000008f4058048019a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/tS-En1wrreGfke9yNfmcyrAbQ-g>
Subject: Re: [Acme] Fwd: New Version Notification for draft-yusef-acme-3rd-party-device-attestation-01.txt
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Jan 2019 13:07:14 -0000
Thanks for the review and feedback, James. See my reply inline below. Regards, Rifaat On Thu, Jan 24, 2019 at 8:27 PM Manger, James < James.H.Manger@team.telstra.com> wrote: > I’m confused about what is desired with > draft-yusef-acme-3rd-party-device-attestation, but I think it may be quite > different from what draft-ietf-acme-authority-token offers. Here’s my guess: > > > > draft-ietf-acme-authority-token is designed to issue certs for namespaces > other than domain names, eg for phone numbers. The CA trusts another > authority to vouch for that namespace. > > > > draft-yusef-acme-3rd-party-device-attestation is designed to issue certs > for a domain name (as per normal Acme). The cert will be for a specific > device whose serial number (eg MAC address) the domain-owner knows. The > device manufacturer can vouch for device keys associated with that serial > number. > Yes, and that was captured in section 2.2: https://tools.ietf.org/html/draft-yusef-acme-3rd-party-device-attestation-01#section-2.2 > Curiously, the protocol flow in > draft-yusef-acme-3rd-party-device-attestation doesn’t seem to involve the > device at all – only the domain-owner (client), manufacturer, and CA. But > surely the device needs to provide the CSR? > > This is out of scope for this document, as the document is focusing on the ACME interface. But you are correct that the device will be the one that provides the CSR. > > > It sounds like the client (domain-owner) should be able to confirm the > correct device is involved (by talking to the device and manufacturer) > before sending a normal ACME request. That way the ACME CA doesn’t need to > know anything about the device attestation. > Correct. This the the OAuth interaction, which is out of scope for this document. Regards, Rifaat > > > -- > > James Manger > > +61 4 1754 1870 >
- Re: [Acme] Fwd: New Version Notification for draf… Ilari Liusvaara
- [Acme] Fwd: New Version Notification for draft-yu… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Richard Barnes
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Richard Barnes
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Salz, Rich
- Re: [Acme] Fwd: New Version Notification for draf… Richard Barnes
- Re: [Acme] New Version Notification for draft-yus… Yoav Nir
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Richard Barnes
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Manger, James
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef
- Re: [Acme] Fwd: New Version Notification for draf… Rifaat Shekh-Yusef