Thanks Ilari, Section 2.4 is an informative section that is meant to provide a high-level view of the full flow.

Remember that the assumption is that the Client already has an account with ACME and already proved it controls the customer.com domain.

The first request in this flow will be the same as defined in section 7.4 in the acme draft: https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-7.4

The only difference is that the url will contain the new order with the vendor.com to indicate that it is requesting a certificate for a device controlled by this Device Authority.

Hope this helps. I will try to expand on this in the next version of the document.

Regards,
Rifaat

On Wed, Jan 16, 2019 at 4:15 PM Ilari Liusvaara <[email protected]> wrote:
> On Wed, Jan 16, 2019 at 03:32:57PM -0500, Rifaat Shekh-Yusef wrote:
> > All,
> >
> > I have just submitted a new updated version to address the issues raised by
> > Ilari and Ryan.
> > I would appreciate any more reviews and comments.
> >
> > ---------- Forwarded message ---------
> > Name: draft-yusef-acme-3rd-party-device-attestation
> > Revision: 01
> >
> https://www.ietf.org/internet-drafts/draft-yusef-acme-3rd-party-device-attestation-01.txt
>
> Other comments:
>
> - How can the ACME server look up the client account when the kid field
> (which normally contains the client account identifier) now contains
> the client domain?
> - URL field in first request seems to be also overloaded. Considering
> that this field actually has security significance (prevent misrouting
> to different resource), this seems questionable.
> - Constructing URL pointing to the client without knowledge of used paths
> is very questionable.
> - It seems to me that this should be handled by defining a new validation
> method for the mac identifiers, without touching the rest of ACME. Then
> the CA would send those back for mac identifiers (together with the
> needed references) and then take the JWT as reply.
>
>
> -Ilari
>
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
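The two header fields the thread argues about, `kid` and `url`, are both carried in the signed JWS protected header of every ACME request (RFC 8555 sections 6.2 and 6.4). The following is an added example, not code from the draft, the mailing list or any ACME implementation: it frames a newOrder request the way section 7.4 describes and shows the server-side checks that make `kid` an account lookup key and `url` a misrouting guard. The HMAC-SHA256 signature is a stand-in for the account key's asymmetric signature so the example runs with the standard library only; every URL, key, nonce and identifier is a constructed sample value, and the draft's vendor.com variant of the URL is not modelled.

```python
"""ACME request framing and server-side protected-header checks.

Added example, not part of the draft or the list discussion. HMAC-SHA256
stands in for the account key's signature so this runs with the standard
library alone; all URLs, keys and identifiers are constructed samples.
"""
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    """Unpadded base64url as used by JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed account table: kid is the account URL the server issued at
# registration, the value is the (stand-in) key bound to that account.
ACCOUNTS = {
    "https://acme.example/acme/acct/1": b"constructed-account-1-secret",
}


def sign_request(kid: str, key: bytes, nonce: str, url: str, payload: dict) -> dict:
    """Build the flattened JWS body ACME expects: protected header carries
    alg, kid, nonce and the URL the request is addressed to."""
    protected = {"alg": "HS256", "kid": kid, "nonce": nonce, "url": url}
    p = b64url(json.dumps(protected, separators=(",", ":")).encode())
    pl = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{p}.{pl}".encode(), hashlib.sha256).digest()
    return {"protected": p, "payload": pl, "signature": b64url(sig)}


class AcmeServer:
    """Minimal verifier for the protected-header rules of RFC 8555 section 6."""

    def __init__(self) -> None:
        self.nonces: set[str] = set()

    def new_nonce(self) -> str:
        nonce = b64url(secrets.token_bytes(16))
        self.nonces.add(nonce)
        return nonce

    def verify(self, resource_url: str, body: dict):
        """Return (True, payload) or (False, reason).

        resource_url is the URL this request was actually POSTed to."""
        protected = json.loads(b64url_decode(body["protected"]))
        # kid must identify an account; a bare domain name has no key to check.
        key = ACCOUNTS.get(protected.get("kid"))
        if key is None:
            return (False, "unknown account")
        expected = hmac.new(key, f"{body['protected']}.{body['payload']}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(body["signature"])):
            return (False, "bad signature")
        # url binding: a body signed for one resource cannot be replayed at another.
        if protected.get("url") != resource_url:
            return (False, "url mismatch")
        # nonce is single-use; consume it only once the signature has checked out.
        nonce = protected.get("nonce")
        if nonce not in self.nonces:
            return (False, "bad nonce")
        self.nonces.discard(nonce)
        return (True, json.loads(b64url_decode(body["payload"])))


def run_scenarios():
    """Three newOrder submissions: well-formed, misrouted, and kid-as-domain."""
    server = AcmeServer()
    kid = "https://acme.example/acme/acct/1"
    key = ACCOUNTS[kid]
    new_order_url = "https://acme.example/acme/new-order"
    payload = {"identifiers": [{"type": "dns", "value": "customer.com"}]}

    # 1. Request delivered to the URL named in its own protected header.
    body = sign_request(kid, key, server.new_nonce(), new_order_url, payload)
    accepted = server.verify(new_order_url, body)

    # 2. Same signed body delivered to a different resource: url binding rejects it.
    body = sign_request(kid, key, server.new_nonce(), new_order_url, payload)
    misrouted = server.verify("https://acme.example/acme/revoke-cert", body)

    # 3. kid overloaded with the client domain: no account lookup is possible.
    body = sign_request("customer.com", key, server.new_nonce(), new_order_url, payload)
    domain_kid = server.verify(new_order_url, body)
    return accepted, misrouted, domain_kid


if __name__ == "__main__":
    for outcome in run_scenarios():
        print(outcome)
```

The order of checks in `verify` is deliberate: the account is resolved from `kid` and the signature checked before the nonce is consumed, so an unauthenticated sender cannot burn nonces, and the `url` comparison is against the resource the server actually received the request at, never against anything the client supplied.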
