Authority Tokens for ACME IETF 104 ACME WG

  • Slides: 7
Download presentation
Authority Tokens for ACME IETF 104 ACME WG Jon & Chris - Praha -

Authority Tokens for ACME IETF 104 ACME WG Jon & Chris - Praha - Mar 2019

Authority Token Challenge • Identified a generic need for authorities to provide tokens to

Authority Token Challenge • Identified a generic need for authorities to provide tokens to a CA to respond to challenges – Surely any number of namespaces have authorities who could generate tokens • Inspired by the STIR case, but this could work for domains even – Requires the ACME server has some trust relationship with the authority • draft-ietf-acme-authority-token-03 – Framework for tokens that allow authorities trusted by the CA to attest client ownership of names • CA can then issue certs via ACME for particular names – Need some sort of typing mechanism for tokens, and a means to contact authorities

Example challenge "challenges": [ { "type": “example-01", "tkauth-type": “ex", "token-authority": "https: //authority. example. org/authz",

Example challenge "challenges": [ { "type": “example-01", "tkauth-type": “ex", "token-authority": "https: //authority. example. org/authz", "url": "https: //boulder. example. com/authz/asdf/0" "token": "Ilirfx. KKXAs. Htmz. K 29 Pj 8 A" } ] • The tkauth-type is governed by a registry – Specifies the syntax of the token • Today we only specify one initial registration, for JWT • It is the identifier type in the challenge that tells you what you are asking the authority to attest • The token-authority contains an optional URL – A hint for where clients can get a token – Not mandatory to follow, clients may already know where to get tokens from some out-of-band source

The “atc” tkauth-type • “atc” tkauth-type based on JWT – Described in the ACME

The “atc” tkauth-type • “atc” tkauth-type based on JWT – Described in the ACME TNAuthlist document • Example ACME response with a JWT – The JWT itself is the “ATC” payload in bold { "protected": base 64 url({ "alg": "ES 256", "kid": "https: //boulder. example. com/acme/reg/asdf", "nonce": "Q_s 3 MWoq. T 05 Trdk. M 2 MTDcw", "url": "https: //boulder. example. com/acme/authz/asdf/0" }), "payload": base 64 url({ ”atc": { “tktype”: … } }), "signature": "5 w. Ur. DI 3 e. Aa. V 4 wl 2 Rfj 3 a. C 0 Pp--XB 3 t 4 YYu. Ngacv_D 3 U" }

What’s New in AT -03 (and -02) • Fleshed out the REST interface for

What’s New in AT -03 (and -02) • Fleshed out the REST interface for token acquisition – Cribbed from the ATIS specification • Better ATC structure • Introduced the concept of asking for a particular authority scope – Basically, you post the ATC object you will want the Token Authority to issue, scope is “tkvalue” • So, can you ask for a CA cert in ACME? – Why not? CSR with CA boolean set to true – We have a optional flag for that boolean in ATC • Added some minimal IANA Considerations

ATC Structure “atc": { "tktype": "Tn. Auth. List", "tkvalue": "F 83 n 2 a.

ATC Structure “atc": { "tktype": "Tn. Auth. List", "tkvalue": "F 83 n 2 a. . . avn 27 DN 3==", "fingerprint": "SHA 256 56: … 8: E 3” } • Optional element “ca”: true

Updates & To Do • To Do – Housekeeping in both drafts (Sec Cons,

Updates & To Do • To Do – Housekeeping in both drafts (Sec Cons, etc. ) • Should be ready for review and last call after another rev of each draft

Sci Tokens Update for LSST Sci Tokens TeamSci Tokens Update for LSST Sci Tokens Team
Tokens typedef enum bookkeeping tokens ENDFILE ERROR TypedefTokens typedef enum bookkeeping tokens ENDFILE ERROR Typedef
Scanning Tokens 1 Tokens n When a ScannerScanning Tokens 1 Tokens n When a Scanner
Tokens typedef enum bookkeeping tokens ENDFILE ERROR TypedefTokens typedef enum bookkeeping tokens ENDFILE ERROR Typedef
Java Tokens Annwesha Banerjee Tokens Smallest individual thingJava Tokens Annwesha Banerjee Tokens Smallest individual thing
The Sci Tokens Authorization Model JSON Web TokensThe Sci Tokens Authorization Model JSON Web Tokens