Thanks for the update, I agree this is an improvement over where it was.
The introductory text does a much better job of explaining the scope this
draft is to work in, and what its goals (and to some extent non-goals) are.

My main gripes are now of a technical nature. Mainly, the challenges are
not yet specified in a way that they can be used. The challenges seem to
conflate into one object what the server sends to the client, and the
response the client sends to respond to the server.
For example, the otp-01 challenge seems to (as it is currently written)
imply the server sends which OTP it expects to the client. This obviously
doesn't work.
Instead, the server should tell the client something to identify which OTP
token it needs, then the client sends that back in the challenge response
POST.
Similar issues go for the rest.

For WebAuthn a lot more fields are needed. At a minimum a relying party ID
(and some way to verify that as genuine) is required. There are many more
options supported by WebAuthn that we may wish to also support here, see:
https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialRequestOptions
See also possible extensions we may wish to consider:
https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API/WebAuthn_extensions

Q
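To make the split concrete, here is an added illustration of the shape being asked for above: a challenge object that names the OTP credential the server expects, and a separate response body that carries the code the client generated. This is example code written for this discussion, not text from the draft or from any ACME implementation. The core challenge fields (`type`, `url`, `status`, `token`) follow RFC 8555; the field names `otpCredential` (server to client) and `otp` (client to server) are assumptions, as is the use of TOTP (RFC 6238 over RFC 4226 HOTP) as the OTP algorithm and the shared secret, which is the RFC 4226 test-vector secret.

```python
"""Added example: separating an ACME otp-01 challenge object from the
client's challenge response.

Illustrative code only, not from the draft or any ACME implementation.
Core ACME challenge fields (type, url, status, token) follow RFC 8555.
The field names "otpCredential" (server -> client: which OTP credential
to use) and "otp" (client -> server: the generated code) are assumptions,
not names the draft defines. OTP algorithm: TOTP (RFC 6238) over HOTP
(RFC 4226).
"""
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed shared secret: the RFC 4226 / RFC 6238 test-vector secret.
OTP_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the time step."""
    return hotp(secret, unix_time // step, digits)


# --- server side -----------------------------------------------------------

def build_challenge(challenge_url: str, credential_id: str) -> dict:
    """The challenge object the server places in the authorization.

    It names the OTP credential it expects but never the expected OTP
    value: the server cannot know a code the client has not generated yet,
    and sending one would make the challenge trivially satisfiable.
    """
    token = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=")
    return {
        "type": "otp-01",            # challenge type name used in the draft
        "url": challenge_url,
        "status": "pending",
        "token": token.decode(),     # RFC 8555-style random token
        "otpCredential": credential_id,  # hypothetical field name
    }


def verify_response(challenge: dict, response: dict, credentials: dict,
                    now: int, window: int = 1) -> bool:
    """Server-side check of the body the client POSTed to challenge["url"].

    `credentials` maps credential id -> shared secret registered out of band.
    A +/- `window` time-step skew is tolerated; comparison is constant-time.
    """
    secret = credentials.get(challenge.get("otpCredential"))
    submitted = response.get("otp")
    if secret is None or not isinstance(submitted, str):
        return False
    counter = now // 30
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True
    return False


# --- client side -----------------------------------------------------------

def build_response(challenge: dict, secret: bytes, now: int) -> dict:
    """Body the client POSTs to challenge["url"] (inside its JWS per RFC 8555).

    The client only needs to learn which credential the server named; the
    OTP value travels in this direction, not in the challenge object.
    """
    if challenge.get("type") != "otp-01":
        raise ValueError("not an otp-01 challenge")
    return {"otp": totp(secret, now)}  # hypothetical field name


if __name__ == "__main__":
    ch = build_challenge("https://ca.example/acme/chall/1", "totp-kid-1")
    body = build_response(ch, OTP_SECRET, 59)
    print("challenge:", ch)
    print("response:", body, "valid:", verify_response(ch, body, {"totp-kid-1": OTP_SECRET}, 59))
```

The same separation applies to the other challenge types: the object the server publishes identifies what it wants proven (for WebAuthn, at least the relying party ID and a server-chosen challenge value), and the proof itself only ever appears in the client's POST.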

On Mon, 11 Aug 2025 at 17:30 Kathleen Moriarty <
[email protected]> wrote:

> Greetings!
>
> This version is an update including feedback provided by the many
> participants who commented during IETF 123. I am in the process of reaching
> out to those who stated interest before we add content that is ideally
> informed by implementation needs and experience. This version moves
> informational content to the appendix and to the security considerations
> section or removes it.
>
> Please feel free to reach out if you have additional feedback or
> contributions. There are several people who expressed interest and it would
> be good to ensure this meets the needs of WG members and implementers of
> the protocol.
>
> Thank you,
> Kathleen
>
> On Mon, Aug 11, 2025 at 11:15 AM <[email protected]> wrote:
>
>> Internet-Draft draft-ietf-acme-client-14.txt is now available. It is a
>> work
>> item of the Automated Certificate Management Environment (ACME) WG of the
>> IETF.
>>
>>    Title:   ACME End User Client and Code Signing Certificates
>>    Author:  Kathleen M. Moriarty
>>    Name:    draft-ietf-acme-client-14.txt
>>    Pages:   15
>>    Dates:   2025-08-11
>>
>> Abstract:
>>
>>    Automated Certificate Management Environment (ACME) core protocol
>>    addresses the use case of web server certificates for TLS.  This
>>    document extends the ACME protocol to add 3 challenge types that may
>>    support service account authentication credentials, micro-service
>>    accounts credentials, device client, code signing, document signing
>>    certificates and keys.
>>
>> The IETF datatracker status page for this Internet-Draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-acme-client/
>>
>> There is also an HTMLized version available at:
>> https://datatracker.ietf.org/doc/html/draft-ietf-acme-client-14
>>
>> A diff from the previous version is available at:
>> https://author-tools.ietf.org/iddiff?url2=draft-ietf-acme-client-14
>>
>> Internet-Drafts are also available by rsync at:
>> rsync.ietf.org::internet-drafts
>>
>>
>> _______________________________________________
>> Acme mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>>
>
>
> --
>
> Best regards,
> Kathleen
>