[Rats] device attestation and ACME
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 20 July 2022 22:41 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74EECC13C53E; Wed, 20 Jul 2022 15:41:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GCeC7b6O4edT; Wed, 20 Jul 2022 15:41:48 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [IPv6:2a01:7e00:e000:2bb::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 678D9C15A731; Wed, 20 Jul 2022 15:41:48 -0700 (PDT)
Received: from dooku.sandelman.ca (unknown [12.227.228.130]) by relay.sandelman.ca (Postfix) with ESMTPS id 1BBE21F459; Wed, 20 Jul 2022 22:41:46 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 96F3D1A0383; Wed, 20 Jul 2022 18:41:44 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: rats@ietf.org, acme@ietf.org
X-Attribution: mcr
X-Mailer: MH-E 8.6+git; nmh 1.7.1; GNU Emacs 26.3
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Wed, 20 Jul 2022 18:41:44 -0400
Message-ID: <1680731.1658356904@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/rLDZ61HnDwqFgul4aCWXNLjmfU8>
Subject: [Rats] device attestation and ACME
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2022 22:41:49 -0000
I read acme-device-attest, and I guess the key part is a new device-attest-01 method. https://www.ietf.org/archive/id/draft-bweeks-acme-device-attest-00.html#name-device-attestation-challeng tries to explain the format, and how the challenge is signed by the device. What I do not understand is any of the trust relationships between the ACME server and the manufacturer/provisionor of the Android Key Attestation/Chrome OS Verified Access/Trusted Platform Module. Why does the Enterprise trust the attestation key? -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Rats] device attestation and ACME Michael Richardson
- Re: [Rats] device attestation and ACME Carl Wallace
- [Rats] rats-concise-ta-stores (was Re: device att… Michael Richardson
- Re: [Rats] rats-concise-ta-stores (was Re: device… Carl Wallace
- Re: [Rats] [Acme] device attestation and ACME Brandon Weeks
- Re: [Rats] [Acme] device attestation and ACME Carl Wallace