Presentation is loading. Please wait.

Presentation is loading. Please wait.

3RD-PARTY DEVICE ATTESTATION FOR ACME

Published byRisto Kinnunen Modified over 6 years ago

Similar presentations

Presentation on theme: "3RD-PARTY DEVICE ATTESTATION FOR ACME"— Presentation transcript:

1 3RD-PARTY DEVICE ATTESTATION FOR ACME
RIFAAT SHEKH-YUSEF IETF104, ACME WG, Prague, Czech Republic 27 March 2019

2 GOAL Automate the issuance of ACME certificate to a specific device with a specific Service URI, where the device and the Service URI are controlled by different entities.

3 INITIAL TRUST as.vendor.com acme.com ACME CA DA Device Client
customer.com

4 SETUP as.vendor.com acme.com ACME CA DA 1. Create an account
2. Claim a device Device 1. Create an account 2. Prove control over customer.com Client customer.com

5 FLOW OVERVIEW as.vendor.com acme.com 1. Auth ACME CA 2. JWT DA
5. Certificate 4. Apply for Cert [CSR, JWT] Device 6. Certificate 3. CSR, JWT Client customer.com

6 CLIENT-CA INTERACTION
customer.com ACME CA acme.com [01] POST /new-order kid=customer.com/acme/acct/<acct> url=vendor.com/acme/new-order identifier=<mac> [02] 201 Created finalize=customer.com/acme/order/asdf/finalize authorizations=vendor.com/acme/authz/1234 [03] POST /vendor.com/acme/authz/1234 JWT [04] 200 OK status=valid [05] POST /customer.com/acme/order/asdf/finalize CSR [06] 200 OK certificate=customer.com/acme/cert/asdf

7 DEVICE IDENTIFIER { "type": "mac", "value": "<mac>" }

8 JWT EXAMPLE Header: { "alg": "ES256", "typ": "JWT" } Body: "iss" : "as.vendor.com", "sub": "<mac>", "aud" : ["customer.com", "acme.com"]

9 CERTIFICATE IDENTIFIERS
The issued certificate must include the following identifiers: MAC Address Service URI

10 ? QUESTIONS?

Download ppt "3RD-PARTY DEVICE ATTESTATION FOR ACME"

Similar presentations

A Profile for Trust Anchor Material for the Resource Certificate PKI Geoff Huston SIDR WG IETF 74.

A Profile for Trust Anchor Material for the Resource Certificate PKI Geoff Huston SIDR WG IETF 74.
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan.

CONFIDENTIAL © Copyright Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan.
Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.

Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
IETF OAuth Proof-of-Possession

IETF OAuth Proof-of-Possession
1 IETF OAuth Proof-of-Possession Hannes Tschofenig.

1 IETF OAuth Proof-of-Possession Hannes Tschofenig.
9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.

9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.
Media Description for IKE in SDP draft-saito-mmusic-sdp-ike-01 Makoto Saito Dan Wing

Media Description for IKE in SDP draft-saito-mmusic-sdp-ike-01 Makoto Saito Dan Wing
Signing and Encrypting Email With the Thawte Web of Trust CSU Professional Development Institute January 8, 2009 Steve Lovaas.

Signing and Encrypting With the Thawte Web of Trust CSU Professional Development Institute January 8, 2009 Steve Lovaas.
CA Key 1 Created OCSP Cert 1 Client Cert 1 Client Cert 2 OCSP Cert 2 CA Key 2 Created CA Key 1 Expiration OCSP Cert 3 Client Cert.

CA Key 1 Created OCSP Cert 1 Client Cert 1 Client Cert 2 OCSP Cert 2 CA Key 2 Created CA Key 1 Expiration OCSP Cert 3 Client Cert.
Computer Science Public Key Management Lecture 5.

Computer Science Public Key Management Lecture 5.
SIP Action Referral Rifaat Shekh-Yusef Cullen Jennings Alan Johnston Francois Audet 1 IETF 80, SPLICES WG, Prague March 29, 2011.

SIP Action Referral Rifaat Shekh-Yusef Cullen Jennings Alan Johnston Francois Audet 1 IETF 80, SPLICES WG, Prague March 29, 2011.
Security Protocols in Automation Dwaine Clarke MIT Laboratory for Computer Science January 8, 2002 With help from: Matt Burnside, Todd.

Security Protocols in Automation Dwaine Clarke MIT Laboratory for Computer Science January 8, 2002 With help from: Matt Burnside, Todd.
SIP Authorization Framework Use Cases Rifaat Shekh-Yusef, Jon Peterson IETF 91, SIPCore WG Honolulu, Hawaii, USA November 13, 2014 1.

SIP Authorization Framework Use Cases Rifaat Shekh-Yusef, Jon Peterson IETF 91, SIPCore WG Honolulu, Hawaii, USA November 13,
SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21, 2014 1.

SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21,
PKI interoperability and policy in the wireless world.

PKI interoperability and policy in the wireless world.
draft-kwatsen-netconf-zerotouch-01

draft-kwatsen-netconf-zerotouch-01
SIP Digest Access Authentication Rifaat Shekh-Yusef IETF 89, SIPCore WG, London March 6, 2014 1Rifaat Shekh-Yusef - SIP Digest Auth.

SIP Digest Access Authentication Rifaat Shekh-Yusef IETF 89, SIPCore WG, London March 6, Rifaat Shekh-Yusef - SIP Digest Auth.
Peering Considerations for Directory Assistance and Operator Services - John Haluska Telcordia SPEERMINT, IETF 68 Prague, Czech Republic 20 March 2007.

Peering Considerations for Directory Assistance and Operator Services - John Haluska Telcordia SPEERMINT, IETF 68 Prague, Czech Republic 20 March 2007.
Security (and privacy) Larry Rudolph With help from Srini Devedas, Dwaine Clark.

Security (and privacy) Larry Rudolph With help from Srini Devedas, Dwaine Clark.

Similar presentations

Ads by Google