IETF Logo Mail Archive

Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf-acme-star-09: (with DISCUSS and COMMENT)

Thomas Fossati <Thomas.Fossati@arm.com> Thu, 03 October 2019 13:00 UTC

Return-Path: <Thomas.Fossati@arm.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 197D7120870; Thu, 3 Oct 2019 06:00:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=1ex/GzOS; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=armh.onmicrosoft.com header.b=EYWw+2DP
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mF1ABk8CHLGH; Thu, 3 Oct 2019 06:00:07 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60045.outbound.protection.outlook.com [40.107.6.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1A0512001A; Thu, 3 Oct 2019 06:00:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=UdxWIleCpeT7pPWj3s4FjQW1amUSQj60mE6gumHbQwI=; b=1ex/GzOSjucg1DjegdO6poJuH4csqUFTwN6AD/v6LdEh2LDr/POXLogZwBerBcTrJEMifRi6MVzGaHeDj9IniBRc6uI5vCmIHldiAly2EFVPBMLFU1dbWi9dB0BS8enYTynDX4PsB+0E7ESmXmqLudJHO+uKEqyzv3WfFR8tWEM=
Received: from DB7PR08CA0002.eurprd08.prod.outlook.com (2603:10a6:5:16::15) by VI1PR08MB3773.eurprd08.prod.outlook.com (2603:10a6:803:bb::32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2305.17; Thu, 3 Oct 2019 13:00:01 +0000
Received: from DB5EUR03FT060.eop-EUR03.prod.protection.outlook.com (2a01:111:f400:7e0a::202) by DB7PR08CA0002.outlook.office365.com (2603:10a6:5:16::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2284.20 via Frontend Transport; Thu, 3 Oct 2019 13:00:01 +0000
Authentication-Results: spf=temperror (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=none action=none header.from=arm.com;
Received-SPF: TempError (protection.outlook.com: error in processing during lookup of arm.com: DNS Timeout)
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by DB5EUR03FT060.mail.protection.outlook.com (10.152.21.231) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2305.15 via Frontend Transport; Thu, 3 Oct 2019 12:59:59 +0000
Received: ("Tessian outbound 081de437afc7:v33"); Thu, 03 Oct 2019 12:59:55 +0000
X-CheckRecipientChecked: true
X-CR-MTA-CID: b527421fb0e23395
X-CR-MTA-TID: 64aa7808
Received: from 190fade6e57c.2 (ip-172-16-0-2.eu-west-1.compute.internal [104.47.13.58]) by 64aa7808-outbound-1.mta.getcheckrecipient.com id 4F046057-734C-467B-A05C-B08C494F3497.1; Thu, 03 Oct 2019 12:59:49 +0000
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-he1eur04lp2058.outbound.protection.outlook.com [104.47.13.58]) by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 190fade6e57c.2 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384); Thu, 03 Oct 2019 12:59:49 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Z31G4HItBMZOaT1MoFZq3ObBxbE0bFG3VmG9Xik6pmD8Ci5oiX0j/Wdb2wEU+GHhluRMua76XQJo56c7KVwiSLeTH0/1L15gW3dFWeuyu334GgehzCNeVPrkotGCRv8mPXOU3cTUHq1ehicys10RUU0zG1a3Ck6m65BFguCQrV1XuAgqjtDQAQIrIPyGx1GfTzXMqOYa2OMwthJYgWfHNfsY2MQCiz+UcxAO4Ppi+wtWcPYHSikyoDxJNG6DjDgytxYir0gp05lTVRBBjKdja61jvP88GfQF44ZRhUKCXd5vZp+gl5ahteeFTGaPHkVicoNOzGfKQ9IFuoCQMKr+eA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Gv8424ixDTJ5p88oeVgkfo2nG3DQumloE9ulM19iiKQ=; b=U2ublPLDenjErlRfr2Y3WRN7tpZkej8CIItgFRbtGBeJkQGDoK3pKmNhIFF3rKHX3lSChq5dGZosRe88tjJizK8qPyLUlE8o19poMAzxkmH2i2kUYUHOeYZyPvI/MuKqYMqu/unP8tdM5vgsGOFuNjF+XBVdM9hewH9vlI0c8ZFhKzTRmqBYnW4gQEp51Dcbjj7dJKIFbny/6Sr7ExiwdlopiAFaAsOfWpLL/mPveXcCvHhdtBeUdFuke6M4QVReJVTQukWPKg/59o2RhJ7hjtDcTcPgpU81bhfOaxAL8xZPwFbw9groBN1Tb1/4G7HkBFAR010PlH2wClGCcp8YWQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Gv8424ixDTJ5p88oeVgkfo2nG3DQumloE9ulM19iiKQ=; b=EYWw+2DPKvn4h0x6NF5iQaqdcBpwaxdlK6odVtIzRrqB2vqFypZHcMFZRg1rOgoenTcrFBuKlDEsOKaEISwJegnqbAsaZAa1NBnd9/2n+0soDMj14S7nuSJYrPw3yFZ/ebGXcMOtkP+U7eqhtV1G4tmGrW6QlL0HKzRvoC0VrwM=
Received: from AM6PR08MB4231.eurprd08.prod.outlook.com (20.179.18.151) by AM6PR08MB4502.eurprd08.prod.outlook.com (20.179.6.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2305.17; Thu, 3 Oct 2019 12:59:47 +0000
Received: from AM6PR08MB4231.eurprd08.prod.outlook.com ([fe80::65f3:59ab:153:34a]) by AM6PR08MB4231.eurprd08.prod.outlook.com ([fe80::65f3:59ab:153:34a%2]) with mapi id 15.20.2305.023; Thu, 3 Oct 2019 12:59:47 +0000
From: Thomas Fossati <Thomas.Fossati@arm.com>
To: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>
CC: "draft-ietf-acme-star@ietf.org" <draft-ietf-acme-star@ietf.org>, Rich Salz <rsalz@akamai.com>, "acme-chairs@ietf.org" <acme-chairs@ietf.org>, "acme@ietf.org" <acme@ietf.org>, Thomas Fossati <Thomas.Fossati@arm.com>
Thread-Topic: Benjamin Kaduk's Discuss on draft-ietf-acme-star-09: (with DISCUSS and COMMENT)
Thread-Index: AQHVeUwbMyQSTFCeskqUe6Nd01h8AqdI8wmA
Date: Thu, 03 Oct 2019 12:59:47 +0000
Message-ID: <AB791FFF-011A-4A6E-B136-23C6204288B6@arm.com>
References: <157003958107.8961.10411719007130526381.idtracker@ietfa.amsl.com>
In-Reply-To: <157003958107.8961.10411719007130526381.idtracker@ietfa.amsl.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1d.0.190908
Authentication-Results-Original: spf=none (sender IP is ) smtp.mailfrom=Thomas.Fossati@arm.com;
x-originating-ip: [217.140.106.51]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-Correlation-Id: 1ff7a868-0cf1-4c3f-043a-08d748019927
X-MS-Office365-Filtering-HT: Tenant
X-MS-TrafficTypeDiagnostic: AM6PR08MB4502:|AM6PR08MB4502:|VI1PR08MB3773:
x-ms-exchange-transport-forked: True
X-Microsoft-Antispam-PRVS: <VI1PR08MB377379B5609B930E32F60B3B9C9F0@VI1PR08MB3773.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
x-ms-oob-tlc-oobclassifiers: OLM:10000;OLM:10000;
x-forefront-prvs: 01792087B6
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009020)(4636009)(346002)(136003)(396003)(39860400002)(366004)(376002)(199004)(189003)(66066001)(102836004)(8936002)(36756003)(64756008)(316002)(478600001)(8676002)(110136005)(81166006)(66476007)(66556008)(91956017)(76116006)(66446008)(81156014)(66946007)(256004)(6486002)(229853002)(6436002)(6512007)(14444005)(2171002)(4326008)(58126008)(7736002)(99286004)(71200400001)(2616005)(446003)(486006)(11346002)(71190400001)(476003)(305945005)(6246003)(3846002)(86362001)(6116002)(561944003)(33656002)(5660300002)(25786009)(2906002)(186003)(26005)(76176011)(14454004)(6506007)(53546011)(54906003); DIR:OUT; SFP:1101; SCL:1; SRVR:AM6PR08MB4502; H:AM6PR08MB4231.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: LSTl0SQPA9uPtPAO5KKDF1yPpS8E88qo7SrxBHhygS65Cjmx8MHaj62xFOX/c9RpsV6HcXqhPPA0/qe333SmE2lqvm1lYJufefrM9fB0MeM07FMv8YyekAQRDwVMxdu12UGBiGbMBPUJKn4MMw12NfFyiVMDMFKGeGVuH6U4IIoTRdDldq6L61Ka92wA5OjzZYb9KHKxtjKA1YC/FiL/UOUEXdKcey9psizDI2TOO1xjCUbS8pvi8oM1kQKZkQXgclRc94EKFYIpJ7k8ncJ/qglVrZNs7A8o0yZoahQlbIVZr4/OnotNdxvsJeC9WctV5ChKlhKSlWmINIqbyFuNGZOTjB3rpBuh+iyJ3vaTxZKXgoRKNiyTYSXhgf+jwlAROf5YqIb081Ko3rslFN7Qe24ogKUVI0grezdPaW7OsvQ=
Content-Type: text/plain; charset="utf-8"
Content-ID: <D9F1D15E81075643BC0FCD8D8E64FF9E@eurprd08.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR08MB4502
Original-Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=Thomas.Fossati@arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: DB5EUR03FT060.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:63.35.35.123; IPV:CAL; SCL:-1; CTRY:IE; EFV:NLI; SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(346002)(376002)(136003)(396003)(199004)(189003)(40434004)(6246003)(50466002)(6506007)(47776003)(70206006)(70586007)(6486002)(486006)(11346002)(63350400001)(229853002)(436003)(446003)(2906002)(66066001)(8936002)(8676002)(58126008)(81156014)(81166006)(110136005)(54906003)(336012)(36756003)(86362001)(2171002)(2616005)(76130400001)(126002)(476003)(561944003)(4326008)(6512007)(316002)(305945005)(356004)(26826003)(14454004)(478600001)(33656002)(186003)(14444005)(22756006)(5024004)(450100002)(6116002)(3846002)(7736002)(99286004)(23676004)(2486003)(76176011)(5660300002)(26005)(53546011)(102836004)(25786009); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR08MB3773; H:64aa7808-outbound-1.mta.getcheckrecipient.com; FPR:; SPF:TempError; LANG:en; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; A:1; MX:1;
X-MS-Office365-Filtering-Correlation-Id-Prvs: b75da93e-75f0-460c-26c4-08d748019200
X-Forefront-PRVS: 01792087B6
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: i7S+rmH8U8TsyAa7eggD4iOFkpxuBR+jaZFxBjp9W+UX/IK+GIjTlWWC0FRQEWpEm7C0xw7pD7N6iaIZV4+HQ14x4YM4V8ZcYALp/tYgvJqHHh8VIrZ5eKg4Q67OryBGr/MYp1Hx4JLXgPNRRSWZ83Wi4fWbN+Sg9TWU0uZWquFJCRGLsHP8XSL/XpUsF0X2Aaq6DxO9CSznTQxx/duO1ioA8p6pkQjF9sYIl4ej4p+19sKjDN0Sr9YgLPK5QxZYukD9jy+1J8zjpvGmbbCia94BR6QpKHD5O3F/m1JUelUJmT0nVrG+2Lv8x4/M1xKJSWAzcRUofvfKUmM/5faH+dXTkEpT7jZ2Ynrl+ZFBm+IVfMj7ZIIYxBcJ94liuvEH1v+IdSYmAo0RH/Ds+zSuiSMmU5WFMEWFiSywvn3cWWE=
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Oct 2019 12:59:59.6601 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 1ff7a868-0cf1-4c3f-043a-08d748019927
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR08MB3773
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/31uBdFS7aVoCsxPbLENTiu8MReI>
Subject: Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf-acme-star-09: (with DISCUSS and COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Oct 2019 13:00:12 -0000

Hi Ben,

First of all thank you very much for this excellent review.

On your DISCUSS points:

On 02/10/2019, 19:06, "Benjamin Kaduk via Datatracker" <noreply@ietf.org> wrote:
> RFC 8555 (and the IANA registry) list the 'status' field of the order
> object as not configurable, yet we propose to configure it (in
> Sections 3.1.1 and 3.1.2).  It would perhaps be possible to make this
> work procedurally, by updating the registry entry and maybe an
> Updates: header, but it may be worth a broader rethink.  Specifically,
> if we add a new field to the order instead, for the cancellation URL,
> then we do not modify the order directly (but instead request the
> server to take an action that does so as a side effect), and we also
> can avoid state-machine concerns about attempting to enter "canceled"
> state from a state other than "valid" by simply not making the
> cancellation URL visible until the order is "valid".

This is a great catch -- I wonder how we failed to notice it.  I don't
think tweaking the registry would be a good way to tackle this and I
agree with your proposal to remove the canceled state and add a
cancellation URL instead.  I am going to work on an update and have it
ready ASAP (though I'm on leave starting tomorrow, so it might take a
bit more than just a couple of days.)

> A more minor concern, but when we consider the examples in this
> document in conjunction with the examples in RFC 8555 itself, we find
> several protocol invariants violated: we reuse a nonce for different
> requests, but nonces are single-use; we use the same Order URL for two
> different order contents, the same certificate URL for two different
> (star-)certificates, and (not quite a protocol invariant, but "with
> very high probability" so) the signature on a request is duplicated.
> I also note that we reuse an account URL from RFC 8555, which is not
> inherently problematic, but my suggestion would be to generate a new
> one to make a clean break.

OK, no problems.

Cheers!


IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email