Hello Peter,

Thank you for your review, much appreciated. I think adding the
OpenIDConnect challenge type would close that gap and that is essentially
OAuth.

Richard Barnes and other authors added this to a now-expired draft. I am
happy to add one of them as a co-author, or Nancy Cam Winget, who offered to
add this challenge type as well, when adding the text, if that makes sense.

Best regards,
Kathleen

On Thu, Jun 12, 2025 at 5:23 AM Liuchunchi(Peter) <[email protected]>
wrote:

> Hi Kathleen, thanks for inviting me to provide a review.
>
>
>
> I read the draft-ietf-acme-client-11 draft. The document extends the ACME
> protocol with 3 new challenges, such that ACME is applicable to issuing
> client certificates. I think the contents have matured over many previous
> discussions. Just one question: When looking at the workload service
> accounts use case, I noticed the GCloud documentation permits
> authenticating a workload using an external account credential from an
> external IDP
> <https://cloud.google.com/docs/authentication/application-default-credentials>
> or from a workload identity federation
> <https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds>
> (a token or a credential configuration file). Do you have adaptability
> considerations on these methods? Or are they already covered by existing
> methods?
>
>
>
> Overall I am very supportive of the document. I believe it is an important
> draft that completes the missing piece and I would like to see it proceed.
>
>
>
> Best,
>
> Peter
>
>
>
> *From:* Kathleen Moriarty <[email protected]>
> *Sent:* Wednesday, May 28, 2025 10:42 PM
> *To:* Liuchunchi(Peter) <[email protected]>
> *Subject:* Fwd: [Acme] I-D Action: draft-ietf-acme-client-10.txt
>
>
>
> Hello Peter!
>
>
>
> Would you please review the updated draft version that adds 3 challenge
> types and provide feedback to the ACME list? If you are interested to see
> these 3 challenge types progress, it would be helpful to see that support
> voiced on list.
>
>
>
> It adds challenge types for PKI, WebAuthn/FIDO, and OTP.
>
>
>
> Thank you!
>
> Kathleen
>
> ---------- Forwarded message ---------
> From: <[email protected]>
> Date: Wed, May 28, 2025 at 10:06 AM
> Subject: [Acme] I-D Action: draft-ietf-acme-client-10.txt
> To: <[email protected]>
> Cc: <[email protected]>
>
>
>
> Internet-Draft draft-ietf-acme-client-10.txt is now available. It is a work
> item of the Automated Certificate Management Environment (ACME) WG of the
> IETF.
>
>    Title:   ACME End User Client and Code Signing Certificates
>    Author:  Kathleen M. Moriarty
>    Name:    draft-ietf-acme-client-10.txt
>    Pages:   16
>    Dates:   2025-05-28
>
> Abstract:
>
>    Automated Certificate Management Environment (ACME) core protocol
>    addresses the use case of web server certificates for TLS.  This
>    document extends the ACME protocol to support service account
>    authentication credentials, micro-service accounts credentials,
>    device client, and code signing certificates and keys.
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-acme-client/
>
> There is also an HTMLized version available at:
> https://datatracker.ietf.org/doc/html/draft-ietf-acme-client-10
>
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-acme-client-10
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
>
>
> _______________________________________________
> Acme mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>
>
>
>
> --
>
>
>
> Best regards,
>
> Kathleen
>

