Hi Meiling, >> Problem: Certificate forgery issue It’s not exactly about certificate forgery. It’s about issuing certificates to posture/trustworthiness-checked accessing devices, more like an authorization challenge. So maybe this answers Q1?
>> The certificate verifier verifies that the holder has the authority to use >> the certificate The certificate verifier verifies the holder is eligible to have a certificate. >> Reuse the remote proof process of RATS, Generate a attestation result for >> the certificate owner, and the certificate verifier can confirm the >> legitimacy of the certificate through the attestation result, Of course, >> this also involves the issue of mapping or reference. Sorry for the confusion, I think it is not that intertwined — 1. use normal rats process to assess accessing devices, issue attestation results if it qualifies. 2. Verify AR using original rats procedures. 3. Issue certificate if 2 pass. Does this answer your question? Peter From: Meiling Chen <chenmeil...@chinamobile.com> Sent: Monday, October 28, 2024 10:41 AM To: Liuchunchi(Peter) <liuchun...@huawei.com>; acme@ietf.org Cc: acme-cha...@ietf.org Subject: Re: [Acme] new acme draft -- rats identifier and challenge Hi Peter, I have reviewed your draft, this draftis related to RATS, so I noticed it, I am trying to understand from these aspects: 1. Problem: Certificate forgery issue 2. Object: Short term certificate holders and verifier 3. Logic for problem-solving: The certificate verifier verifies that the holder has the authority to use the certificate 4. Solution: Reuse the remote proof process of RATS, Generate a attestation result for the certificate owner, and the certificate verifier can confirm the legitimacy of the certificate through the attestation result, Of course, this also involves the issue of mapping or reference. I also have the following questions: 1. Does ACME pay attention to the issue of forged certificates? 2. Does the current coding implementation of ACME have a process for determining the authenticity of certificates? Best, Meiling From: Liuchunchi(Peter)<mailto:liuchun...@huawei.com> Date: 2024-10-23 15:22 To: acme@ietf.org<mailto:acme@ietf.org> CC: acme-cha...@ietf.org<mailto:acme-cha...@ietf.org> Subject: [Acme] new acme draft -- rats identifier and challenge Hi folks, Recently I submitted a new ACME draft that extends “rats” identifier and challenge type. The purpose of this work is to provide a means that allows an ACME server to test if an ACME client possess a valid remote attestation result (and an identifier to that), before issuing a certificate to it. Wonder if anyone may find this work interesting? The draft is here https://datatracker.ietf.org/doc/draft-liu-acme-rats/ and github repo is here https://github.com/liuchunchi/draft-liu-acme-rats, with some todos that welcomes contribution or comments. Dear chairs, can I request a small slot in Dublin to share this work? 15 or 10 minutes would suffice. Best, Peter (Chunchi) Liu
_______________________________________________ Acme mailing list -- acme@ietf.org To unsubscribe send an email to acme-le...@ietf.org
