Having been through the entire thread, it seems that my *very* *initial* view, that we should do this via the account and the Extended Account Binding, might actually be reasonable?
Aaron Gable <aaron=40letsencrypt....@dmarc.ietf.org> wrote:
    > I *believe* that the reason the design team has gone in this direction is
    > because the rats identifier does not appear in the final issued
    > certificate. Is that correct?

Yes.

    > If yes, *why* does no corresponding identifier appear in the cert?

What would it say?
While there are some small number of use cases where putting Attestation
Results into a certificate makes sense, in most cases it's just a privacy
violation waiting to happen... and as MikeO said, it might not even be valid
for the lifetime of the certificate. (Not that the device is bad at that point!)

    > If the CA is enforcing that certain policies be met, then can't that be
    > represented by a Certificate Policies extension?

Yes, the CA can put a policy OID in to say that it's done this check.
Or, even that, the CA has followed its CSP.

As you write in another email, the identity challenge can be loopholed because
we didn't precisely say what identity is.
It just feels totally wrong to widen that loophole.

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-                      *I*LIKE*TRAINS*
_______________________________________________
Acme mailing list -- acme@ietf.org
To unsubscribe send an email to acme-le...@ietf.org
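The design point Michael makes above (the CA checks the Attestation Result at issuance and records only a Certificate Policies OID in the certificate, never the Attestation Result itself) can be shown end to end with a toy CA. The code below is an added example written for this page; it is not code from the ACME thread, from any IETF draft, or from any CA. Everything in it is an assumption for illustration: the policy OID 2.999.1 is a placeholder under the arc reserved for documentation examples, the verifier name "toy-verifier" is made up, and the Attestation Result is modelled as a plain dict with a verifier, a status and its own expiry rather than a real EAT/CBOR structure. It needs the `cryptography` package.

```python
"""Toy CA that gates issuance on an Attestation Result (AR) but stamps only a
policy OID into the certificate. Added example; all names and OIDs are assumed."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Hypothetical "issued under the attested-device CPS" policy; 2.999 is the
# documentation-example OID arc, so this is not anyone's real policy OID.
POLICY_OID = x509.ObjectIdentifier("2.999.1")
EXPECTED_VERIFIER = "toy-verifier"  # assumed name of the RATS Verifier we trust


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def make_ca():
    """Self-signed toy CA (key, certificate)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Toy Attesting CA")])
    now = _now()
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def attestation_policy_met(ar, now):
    """CA-side policy check: AR from the expected Verifier, affirming, and still
    fresh at issuance time. This is the check the policy OID attests to."""
    return (ar.get("verifier") == EXPECTED_VERIFIER
            and ar.get("status") == "affirming"
            and ar.get("expires") > now)


def issue_device_cert(ca_key, ca_cert, device_pubkey, device_cn, ar, lifetime_days=90):
    """Refuse unless the AR passes policy; on success the cert carries POLICY_OID
    and nothing from the AR (no verifier name, no claims, no AR expiry)."""
    now = _now()
    if not attestation_policy_met(ar, now):
        raise ValueError("attestation policy not met; refusing to issue")
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, device_cn)]))
        .issuer_name(ca_cert.subject)
        .public_key(device_pubkey)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=lifetime_days))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.CertificatePolicies([x509.PolicyInformation(POLICY_OID, None)]),
                       critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def asserted_policies(cert):
    """Dotted policy OIDs from the Certificate Policies extension ([] if absent)."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.CertificatePolicies)
    except x509.ExtensionNotFound:
        return []
    return [p.policy_identifier.dotted_string for p in ext.value]


def demo():
    """Constructed end-to-end run; returns the facts worth checking."""
    ca_key, ca_cert = make_ca()
    dev_key = ec.generate_private_key(ec.SECP256R1())
    # Constructed AR: affirming, but only fresh for one hour.
    ar = {"verifier": EXPECTED_VERIFIER, "status": "affirming",
          "expires": _now() + datetime.timedelta(hours=1)}
    cert = issue_device_cert(ca_key, ca_cert, dev_key.public_key(), "device-0001", ar)
    # Relying party can verify the CA signed it...
    ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                ec.ECDSA(cert.signature_hash_algorithm))
    # ...and a non-affirming AR is refused outright.
    try:
        issue_device_cert(ca_key, ca_cert, dev_key.public_key(), "device-0002",
                          dict(ar, status="contraindicated"))
        refused = False
    except ValueError:
        refused = True
    der = cert.public_bytes(serialization.Encoding.DER)
    not_after = cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
    return {
        "policies": asserted_policies(cert),
        "ar_in_cert": EXPECTED_VERIFIER.encode() in der,
        "cert_outlives_ar": not_after > ar["expires"],  # the lifetime caveat
        "refused_bad_ar": refused,
    }


if __name__ == "__main__":
    print(demo())
```

The `cert_outlives_ar` flag in the result is the caveat from the message: the 90-day certificate remains valid long after the one-hour Attestation Result has expired, so the policy OID says only that the check passed at issuance, not that the device is still in that state.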