No, our draft is not about the account key, but about the public key of the 
certificate that is finally requested. We want to use the IdP to help validate 
this public key's authenticity, and then perform a consistency check on this 
public key between the challenge phase and the certificate application phase. 
With all of this, the public key replacement attack can be mitigated.

From: Q Misell <q...@as207960.net>
Sent: 2 December 2024 17:32
To: Xialiang(Frank, IP Security Standard) <frank.xiali...@huawei.com>
Cc: Xialiang(Frank, IP Security Standard) 
<frank.xialiang=40huawei....@dmarc.ietf.org>; Richard Barnes <r...@ipv.sx>; 
Aaron Gable <aa...@letsencrypt.org>; Mike Ounsworth 
<mike.ounswo...@entrust.com>; IETF ACME <acme@ietf.org>; 
draft-geng-acme-public-key.auth...@ietf.org
Subject: Re: [Acme] Re: Re: Re: [EXTERNAL] Re: Introducing a new draft about adding 
a new ACME challenge type: public key challenge

It appears to me that what you're trying to achieve is binding an IdP to an ACME 
client. EAB can bind an ACME account key to something, and this could well be an 
IdP.

The ACME request is then signed with the account key, which in turn binds the 
request to the account in your IdP.
________________________________

Any statements contained in this email are personal to the author and are not 
necessarily the statements of the company unless specifically stated. AS207960 
Cyfyngedig, having a registered office at 13 Pen-y-lan Terrace, Caerdydd, 
Cymru, CF23 9EU, trading as Glauca Digital, is a company registered in Wales 
under № 
12417574<https://find-and-update.company-information.service.gov.uk/company/12417574>,
 LEI 875500FXNCJPAPF3PD10. ICO register №: 
ZA782876<https://ico.org.uk/ESDWebPages/Entry/ZA782876>. UK VAT №: GB378323867. 
EU VAT №: EU372013983. Turkish VAT №: 0861333524. South Korean VAT №: 
522-80-03080. AS207960 Ewrop OÜ, having a registered office at Lääne-Viru 
maakond, Tapa vald, Porkuni küla, Lossi tn 1, 46001, trading as Glauca Digital, 
is a company registered in Estonia under № 16755226. Estonian VAT №: 
EE102625532. Glauca Digital and the Glauca logo are registered trademarks in 
the UK, under № UK00003718474 and № UK00003718468, respectively.
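
An added illustration of the EAB mechanism described in this reply and in the
earlier reply further down ("ACME EAB actually has no restrictions on its use
..."). This is example code written for this page; it is not code from the
thread, from draft-geng-acme-public-key, or from any ACME implementation. It
follows RFC 8555 section 7.3.4: the client MACs its account public key with a
key it received out of band, and the CA checks that the MACed key is the very
key signing the newAccount request. The CA URL, the kid `idp-user-4711`, the
MAC key, the identity `alice@idp.example`, and both JWKs are constructed
values; verification of the outer JWS signature by the account key is assumed
to have already happened and is not implemented here.

```python
"""External Account Binding (RFC 8555 s7.3.4): client and CA side.

Example code, not from the thread or any ACME implementation.  The MAC key and
kid are assumed to have been issued to the user by an external system (here
an IdP); that provisioning step is outside ACME and is simulated by a table.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y"),
                "OKP": ("crv", "kty", "x")}[jwk["kty"]]
    canon = json.dumps({k: jwk[k] for k in required},
                       separators=(",", ":"), sort_keys=True).encode()
    return b64url(hashlib.sha256(canon).digest())


NEW_ACCOUNT_URL = "https://ca.example/acme/new-account"  # assumed CA endpoint

# Constructed CA-side table filled from the external system: kid -> (MAC key,
# external identity).  Only the external system and the CA know the MAC key.
EAB_KEYS = {"idp-user-4711": (b"\x01" * 32, "alice@idp.example")}

# Constructed account public keys (the private halves would sign the outer JWS).
ALICE_JWK = {"kty": "OKP", "crv": "Ed25519", "x": b64url(b"\xaa" * 32)}
MALLORY_JWK = {"kty": "OKP", "crv": "Ed25519", "x": b64url(b"\xbb" * 32)}


def build_eab(account_jwk: dict, kid: str, mac_key: bytes, url: str) -> dict:
    """Client side: JWS whose payload is the account key, MACed with HS256."""
    protected = b64url(json.dumps({"alg": "HS256", "kid": kid, "url": url}).encode())
    payload = b64url(json.dumps(account_jwk).encode())
    mac = hmac.new(mac_key, f"{protected}.{payload}".encode(), hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def build_new_account(account_jwk: dict, eab: dict, url: str) -> dict:
    """Outer newAccount request.  Its signature by the account key is assumed
    already verified by the CA, so only header and payload are modelled."""
    return {
        "protected": {"alg": "EdDSA", "jwk": account_jwk,
                      "nonce": "constructed-nonce", "url": url},
        "payload": {"termsOfServiceAgreed": True, "externalAccountBinding": eab},
    }


def verify_eab(request: dict, eab_keys: dict):
    """CA side.  Returns (ok, detail); on success detail is the external
    identity that the new account key is now bound to."""
    outer = request["protected"]
    eab = request["payload"].get("externalAccountBinding")
    if eab is None:
        return False, "externalAccountBinding missing"
    try:
        hdr = json.loads(b64url_decode(eab["protected"]))
        bound_jwk = json.loads(b64url_decode(eab["payload"]))
        sig = b64url_decode(eab["signature"])
    except (KeyError, ValueError):
        return False, "malformed EAB JWS"
    if hdr.get("alg") != "HS256":          # a MAC-based algorithm is required
        return False, "alg must be a MAC algorithm"
    if "nonce" in hdr:                      # RFC 8555: nonce MUST NOT be present
        return False, "nonce not allowed in EAB header"
    if hdr.get("url") != outer["url"]:      # same url as the outer request
        return False, "EAB url does not match newAccount url"
    entry = eab_keys.get(hdr.get("kid"))
    if entry is None:
        return False, "unknown kid"
    mac_key, external_id = entry
    expected = hmac.new(mac_key, f'{eab["protected"]}.{eab["payload"]}'.encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad MAC"
    # The binding itself: the MACed key must be the key signing this request.
    if jwk_thumbprint(bound_jwk) != jwk_thumbprint(outer["jwk"]):
        return False, "EAB payload is not the account key"
    return True, external_id


def demo():
    kid, (mac_key, _) = "idp-user-4711", EAB_KEYS["idp-user-4711"]
    eab = build_eab(ALICE_JWK, kid, mac_key, NEW_ACCOUNT_URL)
    legit = verify_eab(build_new_account(ALICE_JWK, eab, NEW_ACCOUNT_URL), EAB_KEYS)
    # Key replacement: reuse Alice's EAB but register Mallory's account key.
    swapped = verify_eab(build_new_account(MALLORY_JWK, eab, NEW_ACCOUNT_URL), EAB_KEYS)
    # Forgery: Mallory MACs her own key with a guessed MAC key.
    forged = build_eab(MALLORY_JWK, kid, b"\x00" * 32, NEW_ACCOUNT_URL)
    forged_res = verify_eab(build_new_account(MALLORY_JWK, forged, NEW_ACCOUNT_URL), EAB_KEYS)
    return legit, swapped, forged_res


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The decisive check is the last one in `verify_eab`: the MAC only proves that
whoever held the kid's MAC key vouched for one specific account key, so the CA
must compare that key with the `jwk` in the outer header rather than trust the
kid alone. What the binding covers is exactly the account key and the external
identity behind the kid; nothing in this exchange mentions the public key that
will later appear in a CSR.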


On Mon, 2 Dec 2024 at 10:11, Xialiang(Frank, IP Security Standard) 
<frank.xiali...@huawei.com> wrote:
Hi Q,
My point is not a conclusion; it is just an observation/fact from the current 
ACME standards, like the reference you gave me, "7.3.4 of RFC8555". If I am 
wrong, please tell me.

If you think EAB can do more, I am very happy to know more details~~

B.R.
Frank

-----Original Message-----
From: Q Misell <q...@as207960.net>
Sent: 2 December 2024 17:02
To: Xialiang(Frank, IP Security Standard) 
<frank.xialiang=40huawei....@dmarc.ietf.org>
Cc: Richard Barnes <r...@ipv.sx>; Aaron Gable <aa...@letsencrypt.org>; 
Mike Ounsworth <mike.ounswo...@entrust.com>; IETF ACME <acme@ietf.org>; 
draft-geng-acme-public-key.auth...@ietf.org
Subject: Re: [Acme] Re: Re: Re: [EXTERNAL] Re: Introducing a new draft about adding 
a new ACME challenge type: public key challenge

I don't see why EAB can't be used to link to an identity - perhaps you could 
elaborate?


On Mon, 2 Dec 2024 at 03:12, Xialiang(Frank, IP Security Standard) 
<frank.xialiang=40huawei....@dmarc.ietf.org> wrote:

> No, my point is ACME EAB is only about account authenticity, but not
> about identity and certificate.
>
>
>
> *From:* Q Misell <q=40as207960....@dmarc.ietf.org>
> *Sent:* 29 November 2024 23:07
> *To:* Xialiang(Frank, IP Security Standard) <frank.xiali...@huawei.com>
> *Cc:* Richard Barnes <r...@ipv.sx>; Aaron Gable <aa...@letsencrypt.org>; 
> Mike Ounsworth <mike.ounswo...@entrust.com>; IETF ACME <acme@ietf.org>; 
> draft-geng-acme-public-key.auth...@ietf.org
> *Subject:* Re: [Acme] Re: Re: Re: [EXTERNAL] Re: Introducing a new draft
> about adding a new ACME challenge type: public key challenge
>
>
>
> ACME EAB actually has no restrictions on its use. It might be used to
> link to a financial account for billing purposes, or could be used to
> link to an identity account as you desire.
>
> On Thu, 28 Nov 2024 at 03:31, Xialiang(Frank, IP Security Standard)
> <frank.xialiang=40huawei....@dmarc.ietf.org> wrote:
>
> Hi Q,
>
> Thanks for pointing out the reference. I have read this section and found
> that it (external account binding) is another thing, about account
> authenticity, performed in the ACME "Account Management" phase, different
> from what our draft proposes, which is about public key authenticity and is
> performed in the "Identifier Validation Challenges" phase.
_______________________________________________
Acme mailing list -- acme@ietf.org
To unsubscribe send an email to acme-le...@ietf.org