Document ACME device attestation across ACME docs #522
Merged
Refresh the ACME docs to cover ACME device attestation (ACME DA) as a supported, standardized capability rather than a speculative future extension.

- when-to-use-acme: remove the outdated "draft RFC ... may support in the future" bullet and add ACME DA as a supported scenario
- acme/README: add an "ACME vs. ACME device attestation" callout
- step-ca/acme-basics: add an ACME-vs-DA distinction to the device-attest-01 section and link the DA platform page as primary further reading
- how-to-use-acme: link ACME DA from the read-more block
- why-use-acme: note ACME DA as the modern SCEP replacement for device identity

Links point to https://smallstep.com/platform/acme-device-attestation/.
970449c to
f43fff4
GitHub Actions traffic intermittently gets throttled by datatracker.ietf.org, producing Status: 0 (dropped connection) false positives even though the RFC links are live. Skip them like other flaky external domains.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
areed
approved these changes
Jun 4, 2026
| <Alert severity="info"> | ||
| <div> | ||
| <strong>ACME vs. ACME device attestation.</strong> Standard ACME issues certificates to servers and workloads, proving control of a domain or IP address through the <code>http-01</code>, <code>dns-01</code>, or <code>tls-alpn-01</code> challenges. <a href="https://smallstep.com/platform/acme-device-attestation/">ACME device attestation (ACME DA)</a> extends the same protocol to issue hardware-bound certificates for <em>device</em> identity, using the <code>device-attest-01</code> challenge to verify a device's built-in security module. Reach for ACME DA when you're identifying devices rather than servers. |
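Review bot: The closing sentence of the callout ("Reach for ACME DA when you're identifying devices rather than servers.") draws the line by machine type, while the opening sentence defines standard ACME by what it proves (control of a domain or IP address through http-01, dns-01, or tls-alpn-01). Since the callout already says device-attest-01 verifies the device's built-in security module, consider wording the choice the same way: ACME DA when the certificate should be tied to verified hardware, standard ACME when it should be tied to a name or address the requester controls. "Built-in security module" is also left undefined here; naming an example of what qualifies would tell readers whether their hardware is in scope.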
Contributor
Reach for ACME DA when you're identifying devices rather than servers.
It's not so clear-cut since you can use a TPM on a server.
Contributor
Author
Yeah, it should say "identifying devices rather than hostnames"
Here's a fix: #523
What
Refreshes the ACME documentation to present ACME device attestation (ACME DA) as a supported, standardized capability rather than a speculative future extension. Based on a docs audit of the ACME pages.
- certificate-manager/acme/when-to-use-acme.mdx: device-attest-01, modern SCEP replacement).
- certificate-manager/acme/README.mdx: http-01/dns-01/tls-alpn-01 vs. hardware-bound device certs via device-attest-01).
- step-ca/acme-basics.mdx: device-attest-01 section; added the DA platform page as the primary Further reading link (kept both blog links).
- certificate-manager/acme/how-to-use-acme.mdx
- certificate-manager/acme/why-use-acme.mdx

Notes
- /docs/platform/acme-device-attestation/, which is a 404. The page actually lives on the marketing site at https://smallstep.com/platform/acme-device-attestation/, so links use that full URL (the convention here for marketing-site links).
- draft-ietf-acme-device-attest, Proposed Standard) lists Smallstep folks as contributors, not co-authors, so I avoided a flat "co-developed the standard" claim.

Verification
- vale --no-wrap --glob='!step-cli/reference/**' → 0 errors on all changed files (one pre-existing heading warning, untouched).
- markdown-link-check → new DA URL resolves; no new dead links.

🤖 Generated with Claude Code