Thanks Ilari,

Please see my reply inline...

Regards,
 Rifaat


On Tue, Jan 15, 2019 at 1:13 PM Ilari Liusvaara <[email protected]>
wrote:

> On Sat, Jan 12, 2019 at 12:38:59PM -0500, Rifaat Shekh-Yusef wrote:
> > Hi,
> >
> > I have submitted the draft below that defines a mechanism to automate the
> > deployment of certificates to devices based on an attestation from
> > 3rd-party server that has authority over the device.
> > I would appreciate any review and feedback on this document.
> >
> > ---------- Forwarded message ---------
> >
> > Name:           draft-yusef-acme-3rd-party-device-attestation
> > URL:
> >
> https://www.ietf.org/internet-drafts/draft-yusef-acme-3rd-party-device-attestation-00.txt
>
> To me, the mechanism proposed seems to be fundamentally insecure.
>
> WebPKI CAs are forbidden from having any trusted third parties for
> domain validation. They are required to do domain validation
> themselves.


The proposed mechanism does not suggest that the CA perform a domain
validation based on an attestation from the Device Authority.
Instead, the Client that already has an account with the ACME server and
has proved that it has control over the domain is asking for a
certificate to be issued to a specific device with their domain.



> This restriction came (previously trusted third parties
> were just required to be audited) after some high-profile incidents
> where trusted third parties did a very poor job, and neither the audits
> nor the CA caught that well.
>
>
> Thinking about domain validation from OAUTH point of view, relaxing
> some constraints, and trying to apply existing protocols yields that
> one would only need a protocol for device authority to ask the customer
> for grant to get a certificate via existing ACME validation methods.
>
> Such thing would be useful when ACME client and the target of the
> certificate are privilege-separated from each other.
>

The Device Authority has no authority over the Client's domain, so I am
not sure how that would work.
I will take a look at the ACME protocol again to see if this is possible.

Regards,
 Rifaat



>
> -Ilari
>
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme