On 2021-10-19 19:00, Kathleen Moriarty wrote:
Hello Anders,
The draft extends ACME to add client challenge methods that might be helpful.
This could be for several use cases including code signing automation or client
certificate management. Does the draft contain what you need? The use case
from your message is not clear to me.
Hello Kathleen,
The client is not a person, it is a regulated entity like a payment processor.
These entities need client certificates for calling banks.
Currently CAs distribute encrypted private key + certificate chain for
installation in servers. Both the initial part and possible updates could
benefit from a more automated scheme which is why I find your draft interesting.
The scheme could be further strengthened by (in some way...) locking cert
requests to the entity's domain as well.
For updates it would be cool if key container attestations were also a part of
the plot, because requests signed by the original key do not guarantee that
the new key is in the same container. Newer HSMs support attestations.
Does that make sense?
Thanx,
Anders
Thank you,
Kathleen
On Wed, Oct 13, 2021 at 8:42 AM Anders Rundgren <[email protected]> wrote:
After some research I found
https://datatracker.ietf.org/doc/draft-ietf-acme-client/ which almost fills
the bill. What would the preferred procedure be, including challenge?
Attestations like those offered by FIDO are not a part of ACME, right?
thanx,
Anders
On 2021-10-11 9:03, Anders Rundgren wrote:
> Dear ACME experts,
>
> I haven't kept track of ACME so please pardon my somewhat naive question:
>
> In Open Banking, service providers (TPPs) are equipped with TLS client
> certificates as well as signature certificates. Currently the certificates
> (including associated private keys) are distributed by the CA as encrypted files.
> This makes updates fairly difficult and not entirely compatible with the highly
> regulated nature of these providers.
>
> Question: does ACME support this scenario?
>
> thanx,
> Anders
>
--
Best regards,
Kathleen
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme