draft-ietf-acme-authority-token-03.txt   draft-ietf-acme-authority-token-04.txt 
Network Working Group J. Peterson Network Working Group J. Peterson
Internet-Draft Neustar Internet-Draft Neustar
Intended status: Informational M. Barnes Intended status: Informational M. Barnes
Expires: September 25, 2019 iconectiv Expires: May 7, 2020 Independent
D. Hancock D. Hancock
C. Wendt C. Wendt
Comcast Comcast
March 24, 2019 November 4, 2019
ACME Challenges Using an Authority Token ACME Challenges Using an Authority Token
draft-ietf-acme-authority-token-03.txt draft-ietf-acme-authority-token-04.txt
Abstract Abstract
Some proposed extensions to the Automated Certificate Management Some proposed extensions to the Automated Certificate Management
Environment (ACME) rely on proving eligibility for certificates Environment (ACME) rely on proving eligibility for certificates
through consulting an external authority that issues a token through consulting an external authority that issues a token
according to a particular policy. This document specifies a generic according to a particular policy. This document specifies a generic
Authority Token challenge for ACME which supports subtype claims for Authority Token challenge for ACME which supports subtype claims for
different identifiers or namespaces that can be defined separately different identifiers or namespaces that can be defined separately
for specific applications. for specific applications.
skipping to change at page 1, line 40 skipping to change at page 1, line 40
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 25, 2019. This Internet-Draft will expire on May 7, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 7, line 20 skipping to change at page 7, line 20
"exp":1300819380, "exp":1300819380,
"jti":"id6098364921", "jti":"id6098364921",
"atc":{"tktype":"TnAuthList","tkvalue":"F83n2a...avn27DN3==","fingerprint": "atc":{"tktype":"TnAuthList","tkvalue":"F83n2a...avn27DN3==","fingerprint":
"SHA256 56:3E:CF:AE:83:CA:4D:15:B0:29:FF:1B:71:D3:BA:B9:19:81:F8:50: "SHA256 56:3E:CF:AE:83:CA:4D:15:B0:29:FF:1B:71:D3:BA:B9:19:81:F8:50:
9B:DF:4A:D4:39:72:E2:B1:F0:B9:38:E3"} } 9B:DF:4A:D4:39:72:E2:B1:F0:B9:38:E3"} }
Optionally, the "atc" element may contain a fourth element, "ca". If Optionally, the "atc" element may contain a fourth element, "ca". If
set to "true", the "ca" element indicates that the Token Authority is set to "true", the "ca" element indicates that the Token Authority is
granting permission to issue a certification authority certificate granting permission to issue a certification authority certificate
rather than an end-entity certificate for the names in question. rather than an end-entity certificate for the names in question.
This permits subordinate delegations from the issued certificate. This permits subordinate delegations from the issued certificate. If
The "atc" object in the example above would then look like: the "ca" element is absent, the Token Authority is explicitly
withholding permission. The "atc" object in the example above would
then look like:
"atc":{"tktype":"TnAuthList","tkvalue":"F83n2a...avn27DN3==","ca":true, "atc":{"tktype":"TnAuthList","tkvalue":"F83n2a...avn27DN3==","ca":true,
"fingerprint":"SHA256 56:3E:CF:AE:83:CA:4D:15:B0:29:FF:1B:71:D3:BA:B9:19:81:F8:50: "fingerprint":"SHA256 56:3E:CF:AE:83:CA:4D:15:B0:29:FF:1B:71:D3:BA:B9:19:81:F8:50:
9B:DF:4A:D4:39:72:E2:B1:F0:B9:38:E3"} } 9B:DF:4A:D4:39:72:E2:B1:F0:B9:38:E3"} }
Specifications of "tktype" identifier type may define additional Specifications of "tktype" identifier type may define additional
optional "atc" elements. optional "atc" elements.
5. Acquiring a Token 5. Acquiring a Token
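Review bot: The added sentence "If the 'ca' element is absent, the Token Authority is explicitly withholding permission" gives the "ca" flag a fail-closed default, which is the right choice for a bit that decides whether a subordinate CA certificate may be issued, but it leaves an explicit "ca": false undefined and says nothing about who enforces the flag. Suggest "If the 'ca' element is absent or set to false, the Token Authority is withholding permission to issue a certification authority certificate", and a sentence making clear that the ACME server consuming the token, not only the Token Authority, must check "ca" before issuing a certificate with the CA basic constraint for the names covered by "tkvalue". The text also calls "ca" a "fourth element" while the example places it third, between "tkvalue" and "fingerprint"; since JSON object order is not significant, "an additional element" would avoid the mismatch.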
skipping to change at page 8, line 6 skipping to change at page 8, line 9
service provider, and finally a locator for the token. service provider, and finally a locator for the token.
POST /at/account/:id/token HTTP/1.1 POST /at/account/:id/token HTTP/1.1
Host: authority.example.com Host: authority.example.com
Content-Type: application/json Content-Type: application/json
The body of the POST request will contain the ATC element that the The body of the POST request will contain the ATC element that the
client is requesting the Token Authority generate. client is requesting the Token Authority generate.
{ {
"atc":{"tktype":"TnAuthList","tkvalue":"F83n2a...avn27DN3==","ca":false, "atc":{"tktype":"TnAuthList","tkvalue":"F83n2a...avn27DN3==",
"fingerprint":"SHA256 56:3E:CF:AE:83:CA:4D:15:B0:29:FF:1B:71:D3:BA:B9:19:81:F8:50: "fingerprint":"SHA256 56:3E:CF:AE:83:CA:4D:15:B0:29:FF:1B:71:D3:BA:B9:19:81:F8:50:
9B:DF:4A:D4:39:72:E2:B1:F0:B9:38:E3"} } 9B:DF:4A:D4:39:72:E2:B1:F0:B9:38:E3"} }
} }
In common use cases, the "tkvalue" in this request is asking that the In common use cases, the "tkvalue" in this request is asking that the
Token Authority issue a token that attests the entire scope of Token Authority issue a token that attests the entire scope of
authority to which the client is entitled. The client may also authority to which the client is entitled. The client may also
request an AT with some subset of its own authority via the "tkvalue" request an AT with some subset of its own authority via the "tkvalue"
element in the ATC object. The way that "tkvalue" is defined will element in the ATC object. The way that "tkvalue" is defined will
necessarily be specific to the identifier type. For the TNAuthlist necessarily be specific to the identifier type. For the TNAuthlist
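Review bot: Dropping "ca":false from the token-request body is consistent with the new default in Section 4 (absence means no CA permission), but Section 5 still does not say what a client that does want a CA certificate should send, or what the Token Authority does when it declines such a request. Suggest stating that a client requests CA permission by including "ca":true in the ATC of the request, and that a Token Authority unwilling to grant it either rejects the request or returns a token whose "atc" omits "ca", so the client cannot mistake the response for a grant.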
skipping to change at page 10, line 50 skipping to change at page 10, line 50
[I-D.ietf-acme-acme] [I-D.ietf-acme-acme]
Barnes, R., Hoffman-Andrews, J., McCarney, D., and J. Barnes, R., Hoffman-Andrews, J., McCarney, D., and J.
Kasten, "Automatic Certificate Management Environment Kasten, "Automatic Certificate Management Environment
(ACME)", draft-ietf-acme-acme-18 (work in progress), (ACME)", draft-ietf-acme-acme-18 (work in progress),
December 2018. December 2018.
[I-D.ietf-acme-authority-token-tnauthlist] [I-D.ietf-acme-authority-token-tnauthlist]
Wendt, C., Hancock, D., Barnes, M., and J. Peterson, Wendt, C., Hancock, D., Barnes, M., and J. Peterson,
"TNAuthList profile of ACME Authority Token", draft-ietf- "TNAuthList profile of ACME Authority Token", draft-ietf-
acme-authority-token-tnauthlist-02 (work in progress), acme-authority-token-tnauthlist-04 (work in progress),
March 2019. September 2019.
[I-D.ietf-acme-service-provider] [I-D.ietf-acme-service-provider]
Barnes, M. and C. Wendt, "ACME Identifiers and Challenges Barnes, M. and C. Wendt, "ACME Identifiers and Challenges
for VoIP Service Providers", draft-ietf-acme-service- for VoIP Service Providers", draft-ietf-acme-service-
provider-02 (work in progress), October 2017. provider-02 (work in progress), October 2017.
[I-D.ietf-acme-star] [I-D.ietf-acme-star]
Sheffer, Y., Lopez, D., Dios, O., Pastor, A., and T. Sheffer, Y., Lopez, D., Dios, O., Pastor, A., and T.
Fossati, "Support for Short-Term, Automatically-Renewed Fossati, "Support for Short-Term, Automatically-Renewed
(STAR) Certificates in Automated Certificate Management (STAR) Certificates in Automated Certificate Management
Environment (ACME)", draft-ietf-acme-star-05 (work in Environment (ACME)", draft-ietf-acme-star-11 (work in
progress), March 2019. progress), October 2019.
[I-D.ietf-acme-telephone] [I-D.ietf-acme-telephone]
Peterson, J. and R. Barnes, "ACME Identifiers and Peterson, J. and R. Barnes, "ACME Identifiers and
Challenges for Telephone Numbers", draft-ietf-acme- Challenges for Telephone Numbers", draft-ietf-acme-
telephone-01 (work in progress), October 2017. telephone-01 (work in progress), October 2017.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
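Review bot: The reference updates here bump draft-ietf-acme-authority-token-tnauthlist to -04 and draft-ietf-acme-star to -11, but [I-D.ietf-acme-acme] is still cited as draft-ietf-acme-acme-18 (December 2018) even though ACME was published as RFC 8555 in March 2019, well before this revision's November 2019 date; it should cite RFC 8555. The [I-D.ietf-acme-service-provider] and [I-D.ietf-acme-telephone] entries are both -01/-02 drafts dated October 2017 and were not touched either; worth confirming they are still the intended references or dropping them if the body no longer depends on them.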
skipping to change at page 12, line 27 skipping to change at page 12, line 27
Jon Peterson Jon Peterson
Neustar, Inc. Neustar, Inc.
1800 Sutter St Suite 570 1800 Sutter St Suite 570
Concord, CA 94520 Concord, CA 94520
US US
Email: jon.peterson@team.neustar Email: jon.peterson@team.neustar
Mary Barnes Mary Barnes
iconectiv Independent
Email: mary.ietf.barnes@gmail.com Email: mary.ietf.barnes@gmail.com
David Hancock David Hancock
Comcast Comcast
Email: davidhancock.ietf@gmail.com Email: davidhancock.ietf@gmail.com
Chris Wendt Chris Wendt
Comcast Comcast
 End of changes. 9 change blocks. 
12 lines changed or deleted 14 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/