EMS : Endpoint Management and Security
Terms and Concepts
- IAM : Identity and Access Management
- ZTA : Zero Trust Architecture
- Endpoint Security Architecture
- ABAC : Attribute Based Access Control
- ZTA : Zero Trust Architecture
- EMS : Enterprise Mobility and Security : Device Lifecycle Control stack
- MDM : Mobile Device Management
controls mobile device functionality and converts it into a single purpose or dedicated device. It has features like device enrollment, remote control, device lockdown, and location tracking. - EMM : Enterprise Mobile Management
offers all MDM features, and also provides Mobile Information Management (MIM), Bring Your Own Device (BYOD), Mobile Application Management (MAM) and Mobile Content Management (MCM). - UEM : Unified Endpoint Management
provides enterprises management of mobile devices as well as endpoints like desktops, printers, IoT devices and wearables from a single management platform.
- MDM : Mobile Device Management
SPIFFE/SPIRE
Secure Production Identity Framework for Everyone (SPIFFE)
SPIFFE is a set of open-source specifications for a framework capable of bootstrapping and issuing identity to services across heterogeneous environments and organizational boundaries. The heart of these specifications is one defining short-lived cryptographic identity documents, "SPIFFE Verifiable Identity Document" (SVID), and the API by which they are issued. Workloads use SVIDs when authenticating to other workloads, for example by establishing a TLS connection or by signing and verifying a JWT token.
A SPIRE server is a production-ready implementation of the SPIFFE API that performs node and workload attestation in order to securely issue SVIDs to workloads, and verify the SVIDs of other workloads, based on a predefined set of conditions.
- Origin: CNCF project, inspired by Google’s internal service identity system (Borg + Loas).
- Purpose: Issues SPIFFE IDs, which are workload identities, e.g.,
spiffe://$trust_domain/$service_name, in the form of an SVIDX.509-SVIDJWT-SVID
- Focus:
- Designed for service-to-service authentication in distributed systems, including zero-trust environments.
- No DNS-based proof. Instead of third-party, hierarchical trust, proof of workload identity is done via attestation plugins (K8s, AWS IAM, etc.).
- Certificates (SVIDs) are usually short-lived (minutes to hours) and signed by a private CA inside the trust domain.
ACME Device Attestation (ACME-DA) | Article
ACME-DA is an IETF draft extension to ACME that adds a challenge type for device identity rather than domain ownership.
Instead of proving you control example.com (HTTP-01/DNS-01/TLS-ALPN-01),
the client proves it is a specific hardware device,
usually via something like TPM, Secure Enclave, or another hardware root of trust.
- Origin: ACME-DA is a successor to Simple Certificate Enrollment Protocol (SCEP), which was originally designed for issuing X.509 certificates to network devices.
- Purpose: Automate issuing a certificate to a device without pre-provisioning secrets or relying on DNS ownership. ACME-DA is especially useful in Mobile Device Management (MDM); security software enabling organizations to secure, monitor, manage, and enforce policies on employee-owned mobile devices; providing a secure "Bring Your Own Device" (BYOD) environment to enterprises.
- Challenge type:
device-attest-01(proposed). - Mechanism:
- The device has a manufacturer-provisioned identity key + attestation cert (often in a TPM or secure element).
- ACME server sends a challenge.
- The device signs it using the key and returns an attestation statement (e.g., TPM quote, FIDO attestation).
- CA verifies this attestation against trusted manufacturer root certs.
- If valid, CA issues a certificate to that device.
- Output: Usually an X.509 certificate with identifiers tied to the device’s attested identity.
ACME-DA v. SPIFFE/SPIRE
| Feature | ACME Device Attestation | SPIFFE/SPIRE |
|---|---|---|
| Identity basis | Hardware root of trust (TPM, secure enclave, etc.) | Workload attestation (platform, k8s API, cloud metadata) |
| Trust roots | Manufacturer CA roots | Private trust domain CA |
| Target use case | Securely enroll physical devices | Securely enroll workloads/services |
| Cert format | Normal X.509 with DNS, IP, or device identifiers | X.509-SVID (SPIFFE ID in SAN URI) or JWT-SVID |
| Cert lifetime | Usually long-lived (months–years) | Short-lived (minutes–hours) |
| Scope | Device provisioning/bootstrap | Ongoing workload identity in distributed systems |
Relationship
- ACME-DA is closer in spirit to SPIFFE/SPIRE than normal ACME is, because both are about automating issuance based on attestation, not just DNS.
- In fact, you could imagine SPIRE using ACME-DA as an upstream CA enrollment method for its nodes or agents; attesting a host once to get a bootstrap cert, then using SPIRE to issue short-lived workload certs.
- But they’re not direct predecessors or replacements:
- ACME-DA is about provisioning trust into a device from a public or private CA based on hardware identity.
- SPIFFE/SPIRE is about distributing and rotating trust inside a running environment based on workload identity.