On Wed, Jan 16, 2019 at 03:32:57PM -0500, Rifaat Shekh-Yusef wrote:
> All,
>
> I have just submitted a new updated version to address the issues raised by
> Ilari and Ryan.
> I would appreciate any more reviews and comments.
>
> ---------- Forwarded message ---------
> Name: draft-yusef-acme-3rd-party-device-attestation
> Revision: 01
> https://www.ietf.org/internet-drafts/draft-yusef-acme-3rd-party-device-attestation-01.txt
Other comments:

- How can the ACME server look up the client account when the kid field (which normally contains the client account identifier) now contains the client domain?
- The URL field in the first request seems to be also overloaded. Considering that this field actually has security significance (preventing misrouting to a different resource), this seems questionable.
- Constructing a URL pointing to the client without knowledge of the used paths is very questionable.
- It seems to me that this should be handled by defining a new validation method for the mac identifiers, without touching the rest of ACME. Then the CA would send those back for mac identifiers (together with the needed references) and then take the JWT as reply.

-Ilari

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
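The first two points above rest on how base ACME (RFC 8555) uses the JWS protected header: "kid" is the account URL the server uses to find the signing key, and "url" must equal the URL the request was actually sent to, so a signed body captured for one resource cannot be replayed against another. The following stdlib-only Python is an added illustration of those server-side checks and is not code from the thread or the draft; the account store, URLs and nonce are constructed, and verification of the JWS signature with the account key (which a real server does after these checks) is left out.

```python
import base64
import json

# Constructed account store: account URL (the "kid") -> account record.
ACCOUNTS = {
    "https://ca.example/acme/acct/1729": {
        "status": "valid",
        "contact": ["mailto:admin@client.example"],
    },
}


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url as used by JWS."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_protected(kid: str, url: str, nonce: str = "constructed-nonce") -> str:
    """Build the base64url protected header a client would send (constructed)."""
    hdr = {"alg": "ES256", "kid": kid, "nonce": nonce, "url": url}
    return b64url_encode(json.dumps(hdr).encode())


def check_request(request_url: str, protected_b64: str):
    """Server-side header checks before signature verification.

    Returns (ok, reason, account). Reasons use RFC 8555 error type names
    where one fits; this is a sketch, not a full ACME error document.
    """
    try:
        hdr = json.loads(b64url_decode(protected_b64))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed: protected header is not base64url JSON", None

    # Anti-misrouting: the signed "url" must match where the request landed.
    if hdr.get("url") != request_url:
        return False, "unauthorized: url header does not match request URL", None

    # "kid" must be an account URL; a bare domain name cannot be looked up.
    kid = hdr.get("kid")
    if not isinstance(kid, str) or not kid.startswith("https://"):
        return False, "malformed: kid is not an account URL", None

    acct = ACCOUNTS.get(kid)
    if acct is None:
        return False, "accountDoesNotExist", None
    if acct["status"] != "valid":
        return False, "unauthorized: account is not valid", None
    return True, "ok", acct


if __name__ == "__main__":
    order_url = "https://ca.example/acme/new-order"
    good = make_protected("https://ca.example/acme/acct/1729", order_url)
    print(check_request(order_url, good))
    # A header whose kid carries a domain instead of an account URL is rejected.
    bad_kid = make_protected("client.example", order_url)
    print(check_request(order_url, bad_kid))
```

The domain-in-kid and overloaded-url cases from the comments fall out of the last two checks: the server has nothing to index on, and a url value that names some other resource fails the equality test that gives the field its anti-misrouting value.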