Yes, the ACME server can decide the certificate-issuing policies (what claims 
in the attestation results to look at) on its own.

From: Meiling Chen <chenmeil...@chinamobile.com>
Sent: October 31, 2024 14:09
To: Liuchunchi(Peter) <liuchun...@huawei.com>; acme@ietf.org
Cc: acme-cha...@ietf.org
Subject: Re: RE: [Acme] new acme draft -- rats identifier and challenge

Hi,
Well, then, this problem lies before the certificate issuance action. Only 
users who meet the specific conditions can obtain legitimate certificates, 
right?
So I would like to ask the experts in certificates: what kind of verification or 
filtering judgments are needed in the current issuance process? Can any user 
apply to obtain it?

Another question: how do we define and recognize whether the holder is eligible or not?

Best,
Meiling

From: Liuchunchi(Peter) <liuchun...@huawei.com>
Date: 2024-10-28 22:58
To: Meiling Chen <chenmeil...@chinamobile.com>; acme@ietf.org
CC: acme-cha...@ietf.org
Subject: RE: [Acme] new acme draft -- rats identifier and challenge
Hi Meiling,
>> Problem: Certificate forgery issue
It’s not exactly about certificate forgery. It’s about issuing certificates to 
posture/trustworthiness-checked accessing devices, more like an authorization 
challenge. So maybe this answers Q1?

>> The certificate verifier verifies that the holder has the authority to use 
>> the certificate

The certificate verifier verifies the holder is eligible to have a certificate.

>> Reuse the remote proof process of RATS. Generate an attestation result for 
>> the certificate owner, and the certificate verifier can confirm the 
>> legitimacy of the certificate through the attestation result. Of course, 
>> this also involves the issue of mapping or reference.
Sorry for the confusion, I think it is not that intertwined — 1. Use the normal 
RATS process to assess accessing devices, issue attestation results if they 
qualify. 2. Verify the AR using the original RATS procedures. 3. Issue the 
certificate if 2 passes. Does this answer your question?

Peter

From: Meiling Chen <chenmeil...@chinamobile.com>
Sent: Monday, October 28, 2024 10:41 AM
To: Liuchunchi(Peter) <liuchun...@huawei.com>; acme@ietf.org
Cc: acme-cha...@ietf.org
Subject: Re: [Acme] new acme draft -- rats identifier and challenge

Hi Peter,
I have reviewed your draft. This draft is related to RATS, so I noticed it. I am 
trying to understand it from these aspects:

  1.  Problem: Certificate forgery issue
  2.  Object: Short term certificate holders and verifier
  3.  Logic for problem-solving: The certificate verifier verifies that the 
holder has the authority to use the certificate
  4.  Solution: Reuse the remote proof process of RATS. Generate an attestation 
result for the certificate owner, and the certificate verifier can confirm the 
legitimacy of the certificate through the attestation result. Of course, this 
also involves the issue of mapping or reference.
I also have the following questions:

  1.  Does ACME pay attention to the issue of forged certificates?
  2.  Does the current coding implementation of ACME have a process for 
determining the authenticity of certificates?
Best,
Meiling

From: Liuchunchi(Peter) <liuchun...@huawei.com>
Date: 2024-10-23 15:22
To: acme@ietf.org
CC: acme-cha...@ietf.org
Subject: [Acme] new acme draft -- rats identifier and challenge
Hi folks,

Recently I submitted a new ACME draft that extends ACME with a “rats” identifier 
and challenge type. The purpose of this work is to provide a means that allows an 
ACME server to test if an ACME client possesses a valid remote attestation result 
(and an identifier to that), before issuing a certificate to it. Wonder if 
anyone may find this work interesting?

The draft is here https://datatracker.ietf.org/doc/draft-liu-acme-rats/ and the 
GitHub repo is here https://github.com/liuchunchi/draft-liu-acme-rats, with 
some todos that welcome contributions or comments.

Dear chairs, can I request a small slot in Dublin to share this work? 15 or 10 
minutes would suffice.

Best,
Peter (Chunchi) Liu
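
The three steps outlined in the thread (assess the device and issue an attestation result, verify the result, issue the certificate only if it verifies), together with the point that the ACME server chooses which claims to look at, sketched as an added example that is not code from the draft or from anyone in this thread. All names, claim keys and the policy are hypothetical, the sample data is constructed, an HMAC stands in for the RATS Verifier's signature, and binding the result to a server-issued nonce is an assumption of this sketch.

```python
import hashlib
import hmac
import json
import time

# Hypothetical values: neither the draft nor this thread defines them.
VERIFIER_KEY = b"constructed-demo-key"  # stand-in for the Verifier's signing key
POLICY = {"secure_boot": True, "min_patch_level": 20240901}  # chosen by the CA


def sign_ar(claims: dict, key: bytes = VERIFIER_KEY) -> dict:
    """Step 1 (Verifier): wrap appraised claims in an integrity-protected result."""
    payload = json.dumps(claims, sort_keys=True)
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def check_ar(ar: dict, nonce: str, now: float, key: bytes = VERIFIER_KEY):
    """Steps 2 and 3 (ACME server): return (issue_certificate, reason)."""
    payload = ar["payload"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ar.get("mac", "")):
        return False, "bad signature"
    claims = json.loads(payload)
    # Freshness: reject results replayed from another order or past expiry.
    if claims.get("nonce") != nonce:
        return False, "nonce mismatch"
    if claims.get("exp", 0) <= now:
        return False, "attestation result expired"
    # Issuance policy: the server alone decides which claims matter.
    if claims.get("secure_boot") is not POLICY["secure_boot"]:
        return False, "policy: secure boot not enabled"
    if claims.get("patch_level", 0) < POLICY["min_patch_level"]:
        return False, "policy: patch level too old"
    return True, "ok"


if __name__ == "__main__":
    now = time.time()
    # Constructed sample claims for a device that meets the policy.
    ar = sign_ar({"nonce": "tok-1", "exp": now + 300,
                  "secure_boot": True, "patch_level": 20241001})
    print(check_ar(ar, "tok-1", now))   # fresh result, bound to this challenge
    print(check_ar(ar, "tok-2", now))   # same result replayed to another challenge
```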
