I have reviewed the changes and they look good to me, but I would especially like a second pair of eyes from @Aaron Gable <[email protected]> and @Richard Barnes <[email protected]>.
Since this version makes substantial normative changes, Deb decided to move the document from IETF LC back into WG. I'll start a new WGLC now.

On Thu, 26 Mar 2026 at 17:19, Sven A Rajala <[email protected]> wrote:

> Hej Hej ACME,
>
> Richard Barnes pointed out that the previous version of this draft failed
> to provide a JSON encoding for the two new identifiers:
> *permanentIdentifier* and *HardwareModuleName* for the Order object.
> While addressing this we uncovered a few related issues. Given the scope of
> the change, Chairs and AD decided that this needed to go back to WG for
> another round of review, and do another WGLC.
>
> Version -02 makes the following changes:
>
> - Adds a JSON representation of the *permanentIdentifier* and
>   *HardwareModuleName* identifiers. Since these are both represented in
>   the CSR in structured ASN.1 objects, an ASCII representation was invented,
>   along with a suggested algorithm for comparing them.
>
> - Explicitly allows for these identifiers to appear in the CSR but not
>   in the issued certificate. It is completely reasonable that a client is
>   willing to share its device fingerprint with the CA but does not want it
>   published in the certificate, but it needs to be noted explicitly since it
>   is a contradiction of RFC8555.
>
> Kindly,
>
> Sven Rajala
> Deputy PKI Officer
> *M:* +1 540 687 0761
> sven.rajala@*keyfactor.com <https://www.keyfactor.com/>*
>
> *From: *[email protected] <[email protected]>
> *Date: *Friday, 2026 March 27 at 07:16
> *To: *[email protected] <[email protected]>
> *Cc: *[email protected] <[email protected]>
> *Subject: *[Acme] I-D Action: draft-ietf-acme-device-attest-02.txt
>
> Internet-Draft draft-ietf-acme-device-attest-02.txt is now available. It is a
> work item of the Automated Certificate Management Environment (ACME) WG of the
> IETF.
>
>    Title:   Automated Certificate Management Environment (ACME) Device
>             Attestation Extension
>    Authors: Brandon Weeks
>             Ganesh Mallaya
>             Sven Rajala
>             Corey Bonnell
>    Name:    draft-ietf-acme-device-attest-02.txt
>    Pages:   13
>    Dates:   2026-03-26
>
> Abstract:
>
>    This document specifies new identifiers and a challenge for the
>    Automated Certificate Management Environment (ACME) protocol which
>    allows validating the identity of a device using attestation.
>
> The IETF datatracker status page for this Internet-Draft is:
> https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-ietf-acme-device-attest/__;!!BjbSd3t9V7AnTp3tuV-82YaK!0H-VC426pbKo4nrZmKuTOWRwRri0KW3g1VKsbmyECeGmHIDn7yRUXfzv84zsUTfjnGa6IjwvGfv4QR9LeU_eqx7Ht9k_-g$
>
> There is also an HTML version available at:
> https://urldefense.com/v3/__https://www.ietf.org/archive/id/draft-ietf-acme-device-attest-02.html__;!!BjbSd3t9V7AnTp3tuV-82YaK!0H-VC426pbKo4nrZmKuTOWRwRri0KW3g1VKsbmyECeGmHIDn7yRUXfzv84zsUTfjnGa6IjwvGfv4QR9LeU_eqx7MiD2qFw$
>
> A diff from the previous version is available at:
> https://urldefense.com/v3/__https://author-tools.ietf.org/iddiff?url2=draft-ietf-acme-device-attest-02__;!!BjbSd3t9V7AnTp3tuV-82YaK!0H-VC426pbKo4nrZmKuTOWRwRri0KW3g1VKsbmyECeGmHIDn7yRUXfzv84zsUTfjnGa6IjwvGfv4QR9LeU_eqx7FXv7Egw$
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
>
> _______________________________________________
> Acme mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
