Hi Anders,

On Tue, Oct 19, 2021 at 2:08 PM Anders Rundgren <[email protected]> wrote:

> On 2021-10-19 19:00, Kathleen Moriarty wrote:
> > Hello Anders,
> >
> > The draft extends ACME to add client challenge methods that might be helpful. This could be for several use cases, including code signing automation or client certificate management. Does the draft contain what you need? The use case from your message is not clear to me.
>
> Hello Kathleen,
> The client is not a person; it is a regulated entity like a payment processor. These entities need client certificates for calling banks.
>
> Currently CAs distribute an encrypted private key + certificate chain for installation in servers. Both the initial part and possible updates could benefit from a more automated scheme, which is why I find your draft interesting.

OK, so the automation is via already distributed credentials, and those pre-existing credentials may have been supported by a manual identity proofing process.

> The scheme could be further strengthened by (in some way...) locking cert requests to the entity's domain as well.

Sure, for code signing certificates there is a tie to the organization, and the credentials may require a bigger process for issuance outside of ACME.

> For updates it would be cool if key container attestations were also a part of the plot, because requests signed by the original key do not guarantee that the new key is in the same container. Newer HSMs support attestations.

What are you proposing? Do you have text? I'm not clear on this part.

Thank you,
Kathleen

> Does that make sense?
>
> Thanx,
> Anders
>
> > Thank you,
> > Kathleen
> >
> > On Wed, Oct 13, 2021 at 8:42 AM Anders Rundgren <[email protected]> wrote:
> >
> > > After some research I found https://datatracker.ietf.org/doc/draft-ietf-acme-client/ which almost fills the bill. What would the preferred procedure be, including the challenge?
> > >
> > > Attestations like those offered by FIDO are not a part of ACME, right?
> > >
> > > thanx,
> > > Anders
> > >
> > > On 2021-10-11 9:03, Anders Rundgren wrote:
> > > > Dear ACME experts,
> > > >
> > > > I haven't kept track of ACME, so please pardon my somewhat naive question:
> > > >
> > > > In Open Banking, service providers (TPPs) are equipped with TLS client certificates as well as signature certificates. Currently the certificates (including associated private keys) are distributed by the CA as encrypted files. This makes updates fairly difficult and not entirely compatible with the highly regulated nature of these providers.
> > > >
> > > > Question: does ACME support this scenario?
> > > >
> > > > thanx,
> > > > Anders
> >
> > --
> > Best regards,
> > Kathleen

--
Best regards,
Kathleen
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
