Q,

Thank you for the quick feedback! Yes, minimizing the update was the intention to allow for collaboration in order to meet the requirements of those who stated interest. 2 separate groups are looking at the document and hopefully that will help to determine what is needed through implementation. Your points make sense as you'd use a RADIUS server potentially for OTP and that would be integrated.

Thank you,
Kathleen

On Tue, Aug 12, 2025 at 11:34 AM Q Misell <[email protected]> wrote:

> Thanks for the update, I agree this is an improvement over where it was.
> The introductory text does a much better job of explaining the scope this
> draft is to work in, and what its goals (and to some extent non-goals) are.
>
> My main gripes are now of a technical nature. Mainly, the challenges are
> not yet specified in a way that they can be used. The challenges seem to
> conflate into one object what the server sends to the client, and the
> response the client sends to respond to the server.
> For example, the otp-01 challenge seems to (as it is currently written)
> imply the server sends which OTP it expects to the client. This obviously
> doesn't work.
> Instead, the server should tell the client something to identify which OTP
> token it needs, then the client sends that back in the challenge response
> POST.
> Similar issues go for the rest.
>
> For WebAuthn a lot more fields are needed. At a minimum a relying party ID
> (and some way to verify that as genuine) are required. There's many more
> options supported by WebAuthn, that we may wish to also support here, see:
> https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialRequestOptions
> See also possible extensions we may wish to consider:
> https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API/WebAuthn_extensions
>
> Q
>
> On Mon, 11 Aug 2025 at 17:30 Kathleen Moriarty <
> [email protected]> wrote:
>
>> Greetings!
>>
>> This version is an update including feedback provided by the many
>> participants who commented during IETF 123. I am in the process of reaching
>> out to those who stated interest before we add content that is ideally
>> informed by implementation needs and experience. This version moves
>> informational content to the appendix and to the security considerations
>> section or removes it.
>>
>> Please feel free to reach out if you have additional feedback or
>> contributions. There are several people who expressed interest and it would
>> be good to ensure this meets the needs of WG members and implementers of
>> the protocol.
>>
>> Thank you,
>> Kathleen
>>
>> On Mon, Aug 11, 2025 at 11:15 AM <[email protected]> wrote:
>>
>>> Internet-Draft draft-ietf-acme-client-14.txt is now available. It is a
>>> work
>>> item of the Automated Certificate Management Environment (ACME) WG of the
>>> IETF.
>>>
>>> Title: ACME End User Client and Code Signing Certificates
>>> Author: Kathleen M. Moriarty
>>> Name: draft-ietf-acme-client-14.txt
>>> Pages: 15
>>> Dates: 2025-08-11
>>>
>>> Abstract:
>>>
>>> Automated Certificate Management Environment (ACME) core protocol
>>> addresses the use case of web server certificates for TLS. This
>>> document extends the ACME protocol to add 3 challenge types that may
>>> support service account authentication credentials, micro-service
>>> accounts credentials, device client, code signing, document signing
>>> certificates and keys.
>>>
>>> The IETF datatracker status page for this Internet-Draft is:
>>> https://datatracker.ietf.org/doc/draft-ietf-acme-client/
>>>
>>> There is also an HTMLized version available at:
>>> https://datatracker.ietf.org/doc/html/draft-ietf-acme-client-14
>>>
>>> A diff from the previous version is available at:
>>> https://author-tools.ietf.org/iddiff?url2=draft-ietf-acme-client-14
>>>
>>> Internet-Drafts are also available by rsync at:
>>> rsync.ietf.org::internet-drafts
>>>
>>>
>>> _______________________________________________
>>> Acme mailing list -- [email protected]
>>> To unsubscribe send an email to [email protected]
>>>
>>
>>
>> --
>>
>> Best regards,
>> Kathleen
>> _______________________________________________
>> Acme mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>>
>

--

Best regards,
Kathleen
_______________________________________________
Acme mailing list -- [email protected]
To unsubscribe send an email to [email protected]
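
Q's otp-01 point in the quoted reply above, as an added example that is not part of the thread or of draft-ietf-acme-client: the challenge the server sends names only which OTP token to use, and the code itself travels solely in the client's response, which the server checks against its own secret. It assumes TOTP (RFC 6238) as the OTP mechanism; the `otp-id` and `otp` field names, the URL and the enrollment store are hypothetical.

```python
import hashlib
import hmac
import struct

# Constructed server-side enrollment store: OTP token identifier -> shared secret.
# The secret is the RFC 4226 / RFC 6238 SHA-1 test key, so results are checkable.
ENROLLED = {"token-7f3a": b"12345678901234567890"}


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", max(unix_time, 0) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def make_challenge(otp_id: str) -> dict:
    """Server -> client: names which OTP token to use, never the expected code."""
    # type/url/status follow RFC 8555 challenge objects; "otp-id" is hypothetical.
    return {"type": "otp-01", "url": "https://ca.example/chall/1",
            "status": "pending", "otp-id": otp_id}


def make_response(challenge: dict, code_from_device: str) -> dict:
    """Client -> server: body of the challenge-response POST (hypothetical shape)."""
    return {"otp-id": challenge["otp-id"], "otp": code_from_device}


def verify_response(response: dict, now: int, window: int = 1) -> bool:
    """Server: recompute from its own secret, allowing +/- window steps of skew."""
    secret = ENROLLED.get(response.get("otp-id", ""))
    if secret is None:
        return False
    submitted = str(response.get("otp", "")).encode()
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * 30).encode()
        ok |= hmac.compare_digest(expected, submitted)  # constant-time compare
    return ok
```
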
