[Acme] AD comments on draft-ietf-acme-device-attest
Deb Cooley <debcooley1@gmail.com> Mon, 04 May 2026 11:22 UTC
To: draft-ietf-acme-device-attest.authors@ietf.org
CC: "<acme-chairs@ietf.org>" <acme-chairs@ietf.org>, IETF ACME <acme@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/ygjL82y-ebI7svpjL-AzDYj9DsY>
Thanks for the work to improve this draft! I have several pretty easy comments. I will put this draft into IETF Last Call, with the assumption that my comments will be worked before/together with IETF Last Call comments.

Section 1, para 3: 'is to be' is an odd turn of phrase, how about 'will be'?

Section 3.1, assigner value: Is this intended to be an IP address? If so, expect to get a comment similar to 'what about IPv6 addresses?' If it is intended to be an OID, then I would just say that, as is done in Section 4.1.

Section 3.2, title: Add (CSR). Or within para 4, spell out CSR instead.

Section 3.2 and 4.2, para 3 and 4: 'octet-for-octet', I'm curious to hear why any other sort of 'match' isn't correct or useful. And why merely saying that it 'MUST be a match' wouldn't work.

Section 6.1, para 1: nit: remove '###External Account Binding'.

Section 6.1.1, para 2: This wording isn't clear (I had to read it a bunch of times to understand). How about something like, 'Servers can rely on other authorization mechanisms, such as external account binding or pre-authorized accounts, to establish device identity instead of completing the device-attest-01 challenge.'

Deb Cooley
Sec AD