Thank you for your draft.

As per the discussion from the WG meeting in Prague, my thoughts:

Section 5, Device Certificates:
DNS/IP-based challenges may be appropriate for on-premises hardware and less appropriate for Cloud or IoT environments, where a requesting machine may not have a DNS name or a suitable IP address. For Cloud deployments it may be more desirable to tie the challenge to the platform's respective IAM service using draft-ietf-acme-authority-token.

In terms of actions, an informative document describing considerations (such as ensuring "TLS Client Certificate Authentication" is set in the CSR, as you describe) would probably be most appropriate in my view, and I would be happy to co-author or contribute to it if there was interest.

Section 6, End User Certificates:
I had considered the idea of using ACME for end user certificates (and believe it's worth it, particularly in enterprise environments), as I was unaware of the possibility of FIDO being used. However, CAs and implementors may find using ACME better for consistency's sake, as they may already be doing existing issuance using it.

Browser support, I believe, remains the biggest challenge for this, and I would like to hear the thoughts of browser vendors on the list.

Regards

On 20/03/2019 14:59, Kathleen Moriarty wrote:
Hello,

I am attaching a draft on several client certificate types to discuss in Prague.  The draft intentionally leaves some open questions for discussion and I'll form the slides for the presentation in Prague around those questions.

Thanks in advance for your review and discussion in Prague.

Safe travels!

--

Best regards,
Kathleen

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
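The Section 5 point above (make sure a device CSR asserts "TLS Client Certificate Authentication", i.e. the id-kp-clientAuth EKU) as an added worked example; this is not code from the thread, the draft, or any ACME implementation. It generates a device CSR with the OpenSSL CLI and then applies the check a CA or ACME client could run before submitting or signing the request: clientAuth must be present and serverAuth must be absent. Assumptions: OpenSSL 1.1.1 or later (for `-addext`), a scratch directory under `$TMPDIR`, and the device names `sensor-001`/`web-001`, which are made up for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build a device CSR that
# requests only the id-kp-clientAuth EKU, and check any CSR for that policy.
# Assumes OpenSSL >= 1.1.1 (-addext). Names and paths are illustrative.
set -e

WORK="${TMPDIR:-/tmp}/acme-device-example"
mkdir -p "$WORK"

# make_device_csr <name>
# Key and CSR for a device certificate: EKU = clientAuth only, KU = digitalSignature.
make_device_csr() {
    name="$1"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
        -subj "/CN=$name" \
        -addext "extendedKeyUsage = clientAuth" \
        -addext "keyUsage = digitalSignature" >/dev/null 2>&1
}

# make_server_csr <name>
# A TLS server CSR (EKU = serverAuth), used here only to show the check rejecting it.
make_server_csr() {
    name="$1"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
        -subj "/CN=$name" \
        -addext "extendedKeyUsage = serverAuth" >/dev/null 2>&1
}

# csr_is_client_only <csr-file>
# Returns 0 when the CSR's requested extensions include clientAuth and do NOT
# include serverAuth; returns 1 otherwise. Parses the human-readable dump that
# "openssl req -text" prints under "Requested Extensions".
csr_is_client_only() {
    text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -q "TLS Web Client Authentication" || return 1
    if printf '%s\n' "$text" | grep -q "TLS Web Server Authentication"; then
        return 1
    fi
    return 0
}

# Usage when run directly: issue a device CSR and gate it on the EKU check.
make_device_csr sensor-001
if csr_is_client_only "$WORK/sensor-001.csr"; then
    echo "$WORK/sensor-001.csr: clientAuth only, OK to submit to the CA"
else
    echo "$WORK/sensor-001.csr: EKU policy check failed" >&2
    exit 1
fi
```

The check deliberately rejects a CSR that asks for both clientAuth and serverAuth: a device identity that can also be presented as a TLS server is a broader credential than the device needs, so a CA policy for this profile should treat the extra EKU as a reason to refuse rather than silently strip it.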
