On Sat, Jan 12, 2019 at 12:38:59PM -0500, Rifaat Shekh-Yusef wrote:
> Hi,
>
> I have submitted the draft below that defines a mechanism to automate the
> deployment of certificates to devices based on an attestation from
> 3rd-party server that has authority over the device.
> I would appreciate any review and feedback on this document.
>
> ---------- Forwarded message ---------
>
> Name: draft-yusef-acme-3rd-party-device-attestation
> URL:
> https://www.ietf.org/internet-drafts/draft-yusef-acme-3rd-party-device-attestation-00.txt
To me, the mechanism proposed seems to be fundamentally insecure.

WebPKI CAs are forbidden from having any trusted third parties for domain validation. They are required to do domain validation themselves. This restriction came (previously trusted third parties were just required to be audited) after some high-profile incidents where trusted third parties did a very poor job, and the audits (or the CA) did not catch that well.

Thinking about domain validation from the OAUTH point of view, relaxing some constraints, and trying to apply existing protocols yields that one would only need a protocol for the device authority to ask the customer for a grant to get a certificate via existing ACME validation methods. Such a thing would be useful when the ACME client and the target of the certificate are privilege-separated from each other.

-Ilari

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
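The reply above argues that a CA must keep performing the existing ACME validation itself rather than accept a third party's attestation. The following added example (not code from either the draft or the thread's authors) shows what those existing validation methods actually bind: the key authorization of RFC 8555 section 8.1, which ties a CA-issued challenge token to the thumbprint (RFC 7638) of the ACME account key, and the CA-side check for the HTTP-01 and DNS-01 flavours. The account JWK and token are constructed sample values, not a real curve point or a real CA challenge.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample account key, shaped like an ACME EC account JWK.
# The coordinates are filler bytes, not a real P-256 point.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": base64.urlsafe_b64encode(b"\x11" * 32).rstrip(b"=").decode(),
    "y": base64.urlsafe_b64encode(b"\x22" * 32).rstrip(b"=").decode(),
}
# Constructed sample challenge token (RFC 8555 requires base64url characters).
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members of the JWK,
    serialised with members in lexicographic order and no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(Thumbprint(accountKey)).
    Only the holder of the account key that the CA issued the token to can
    produce this value, which is why the CA must compute and compare it
    itself rather than trust someone else's statement about the domain."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """DNS-01 (section 8.4): TXT record holds base64url(SHA-256(keyAuthz))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode()).digest()
    return b64url(digest)


def ca_validate_http01(served_body: str, token: str, account_jwk: dict) -> bool:
    """What the CA does for HTTP-01 after fetching
    http://<domain>/.well-known/acme-challenge/<token> from the domain itself.
    The body must equal the key authorization for this token and account key."""
    expected = key_authorization(token, account_jwk)
    return hmac.compare_digest(served_body.strip().encode(), expected.encode())


def ca_validate_dns01(txt_record: str, token: str, account_jwk: dict) -> bool:
    """What the CA does for DNS-01 after querying _acme-challenge.<domain>."""
    expected = dns01_txt_value(token, account_jwk)
    return hmac.compare_digest(txt_record.strip().encode(), expected.encode())


if __name__ == "__main__":
    # The ACME client (account-key holder) provisions the response...
    body = key_authorization(TOKEN, ACCOUNT_JWK)
    # ...and the CA independently recomputes it and compares.
    print("HTTP-01 valid:", ca_validate_http01(body, TOKEN, ACCOUNT_JWK))
    print("DNS-01 TXT value:", dns01_txt_value(TOKEN, ACCOUNT_JWK))
```

Note what the CA verifies and what it does not: it confirms that whoever controls the domain's HTTP path or DNS zone also holds (or cooperates with) the account key the token was issued to. Nothing in this check depends on a statement from any party other than the domain itself, which is the property the reply says a third-party attestation would give up; the "grant" the reply sketches would sit in front of this exchange, not replace it.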
