Hi All,

We have updated draft-geng-acme-public-key-04, primarily adding supplementary information on the motivation, threat model, and practical application scenarios.
Abstract:

This document implements automated certificate provisioning through "public key identity challenge + private key ownership verification" by introducing the pk-01 challenge to the ACME protocol. It serves as a valuable complement to existing external resource verification challenge types such as DNS/HTTP, extending the ACME protocol's applicability beyond Web-PKI to other scenarios. This enables automated certificate issuance for devices and accounts. The core design objective of this document's extension to ACME's pk-01 challenge is to introduce a trusted identity provider (IdP) during the digital certificate application process. This provider verifies the certificate applicant's identity and obtains the corresponding identity public key. It enables the ACME server to use public key identity authentication protocols (e.g., WebAuthn and OPAQUE) to verify whether the genuine application behind the ACME client controls the public key. It ensures strong consistency between the public key used during the challenge phase and the public key ultimately used to sign the certificate, preventing tampering with the public key during the CSR submission phase. This enhances the security of the digital certificate issuance process. Similar related work can be found in RFC 9883. This document also defines an optional process extension that allows removal of the CSR under the pk-01 challenge, enabling the ACME server to issue a certificate directly after successful public key verification. This document provides an example of practical application at the end, illustrating the integration of the OPAQUE strong asymmetric password-authenticated key exchange (saPAKE) protocol with the pk-01 challenge.
-----------------------------------------------------------------------------------------------------------------
Title: Automated Certificate Management Environment (ACME) Extension for Public Key Challenges
Draft link: https://www.ietf.org/archive/id/draft-geng-acme-public-key-04.html

Thanks,
Grace
_______________________________________________
Acme mailing list -- [email protected]
To unsubscribe send an email to [email protected]
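The abstract above describes two server-side checks that the pk-01 design relies on: proving that the applicant controls the private key matching the IdP-supplied public key, and then refusing any CSR whose subject public key differs from the key validated in the challenge. The following Go program is an added illustration of those two checks and is not code from the draft or from any ACME implementation; the challenge structure, token format, function names and the use of Ed25519 are assumptions chosen for the example, and the draft's actual wire encoding is not reproduced.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// Challenge is a simplified, assumed shape of a pk-01 challenge: a fresh
// server-issued token plus the identity public key obtained from the IdP.
type Challenge struct {
	Token  []byte
	IdPKey ed25519.PublicKey
}

// NewChallenge issues a random 32-byte token bound to the IdP-supplied key.
func NewChallenge(idpKey ed25519.PublicKey) (Challenge, error) {
	tok := make([]byte, 32)
	if _, err := rand.Read(tok); err != nil {
		return Challenge{}, err
	}
	return Challenge{Token: tok, IdPKey: idpKey}, nil
}

// VerifyKeyOwnership is the "private key ownership verification" step: the
// client must produce a signature over the token that verifies under the key
// the IdP vouched for, not under a key the client chose itself.
func VerifyKeyOwnership(ch Challenge, sig []byte) bool {
	return ed25519.Verify(ch.IdPKey, ch.Token, sig)
}

// VerifyCSRBinding enforces consistency between the challenge key and the key
// that ends up in the certificate: the CSR must carry a valid self-signature
// and its subject public key must equal the challenge key byte for byte.
func VerifyCSRBinding(ch Challenge, csrDER []byte) error {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil {
		return err
	}
	pub, ok := csr.PublicKey.(ed25519.PublicKey)
	if !ok {
		return errors.New("CSR public key is not Ed25519")
	}
	if !pub.Equal(ch.IdPKey) {
		return errors.New("CSR public key does not match the key validated in the challenge")
	}
	return nil
}

// MakeCSR builds a minimal self-signed CSR for the given key (client side).
func MakeCSR(priv ed25519.PrivateKey, cn string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
}

// Scenario runs the honest flow and then a CSR built with an unrelated key,
// returning whether ownership verified, whether the honest CSR was accepted,
// and whether the substituted CSR was rejected.
func Scenario() (ownership, honestAccepted, substitutedRejected bool, err error) {
	// Constructed key pair standing in for the applicant's identity key; in
	// the design described above the public half would come from the IdP.
	idpPub, devPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	ch, err := NewChallenge(idpPub)
	if err != nil {
		return
	}
	ownership = VerifyKeyOwnership(ch, ed25519.Sign(devPriv, ch.Token))

	honestCSR, err := MakeCSR(devPriv, "device-001")
	if err != nil {
		return
	}
	honestAccepted = VerifyCSRBinding(ch, honestCSR) == nil

	// A CSR self-signed by a different key: the self-signature is valid, so
	// only the explicit key comparison catches the substitution.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	otherCSR, err := MakeCSR(otherPriv, "device-001")
	if err != nil {
		return
	}
	substitutedRejected = VerifyCSRBinding(ch, otherCSR) != nil
	return
}

func main() {
	own, honest, rejected, err := Scenario()
	fmt.Println("ownership verified:", own, "honest CSR accepted:", honest,
		"substituted CSR rejected:", rejected, "error:", err)
}
```

The point the second check makes is that `CheckSignature` alone is not enough: a CSR signed with any key passes its own proof-of-possession, so the server must separately compare the CSR's subject public key with the key it validated during the challenge.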
