IETF Logo Mail Archive

[Acme] AD Review of draft-ietf-acme-dtnnodeid-04

Roman Danyliw <rdd@cert.org> Fri, 23 July 2021 19:15 UTC

Return-Path: <rdd@cert.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B10E13A1392 for <acme@ietfa.amsl.com>; Fri, 23 Jul 2021 12:15:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=seicmu.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VFd_6BbPFmlc for <acme@ietfa.amsl.com>; Fri, 23 Jul 2021 12:15:00 -0700 (PDT)
Received: from USG02-BN3-obe.outbound.protection.office365.us (mail-bn3usg02on0106.outbound.protection.office365.us [23.103.208.106]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E08533A138F for <acme@ietf.org>; Fri, 23 Jul 2021 12:14:59 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=AuMAhuhX88HG0nt8PS+OakmojF6k+LhKyjHObNpIk5+8rbl0NOXC+rac4eNBZ1xQYSC4Gw+pSK6vixDW2/a4Qxc+smnriMsHwQedfdybL2zZ3+WfsL8dmPNS78Jk27zraFHfQ6SobCTK6J0EpC3xnFNYNcaIXszv7q2+2pZhB/p0x6vqKCtojQ9iTVZfSY+73l0hKBYI/VsxtfTgCLcVjPCcXsNeEEDjBfLo3KaE5z5qQPs2kTBbj/LVuNLNCW2SwsePC15ODipjIviH+V0MzeezTPSM6+5vZBn6rxuq4qkdMV0/07vcvR7XNcHwfxAsMj9GnWmVLQ6O0TsoESiy5A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=OXPw7sHUtKWOomwVoIAcWetg2wNguszhOEepRIBjy0A=; b=yu2G/+sMZqbnlledYlhCjJGudd2yOiG1oHhXvylQxOPkO5GVkZsaq6wsUWmPOsRKEI/t0ZmoLX68dzrgVTWpE6wnya8q1n/WH71jpcC1KqaH6z2dCCPknBkGaYLIb8+DQRnZQjvyo/uUr1XKgUBz/ptOWD18qjKxftPeFtrVJbvBHon5OaA91ev0nacQzto3RDLY4o7LH6WKN9Q6Onqoim40f7CfU35gQkODxNIf2IsN00OfU5bCGtX5lIjJk52JlAOolpUQZka1K51xL4CqambT2wwmp7BvwbgWwWVuAZIAh/UwEozCbdnYHADyeoDZg31dMyazZNEppXjoTN1YFA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seicmu.onmicrosoft.com; s=selector1-seicmu-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=OXPw7sHUtKWOomwVoIAcWetg2wNguszhOEepRIBjy0A=; b=XJsqecfeRNHcFXHqKH7Lch+IEDEdycoOVLCIPEYxyX3Qm++AcMy8jftn3w8GxFz4qh8ZIXMrPY35x0ZKUFiLsHZCpHV959GbgfGfHsq3ujSGrHcCOUxjir+/6HrpjRov55PC/SJuQZmNG0DJjHcFerNzUqkONrNrU0+qpAY+eTg=
Received: from BN3P110MB0529.NAMP110.PROD.OUTLOOK.COM (52.145.6.8) by BN3P110MB0225.NAMP110.PROD.OUTLOOK.COM (23.103.35.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4352.26; Fri, 23 Jul 2021 19:14:57 +0000
Received: from BN3P110MB0529.NAMP110.PROD.OUTLOOK.COM ([fe80::d874:d2:1196:9aa5]) by BN3P110MB0529.NAMP110.PROD.OUTLOOK.COM ([fe80::d874:d2:1196:9aa5%10]) with mapi id 15.20.4331.035; Fri, 23 Jul 2021 19:14:57 +0000
From: Roman Danyliw <rdd@cert.org>
To: "acme@ietf.org" <acme@ietf.org>
Thread-Topic: AD Review of draft-ietf-acme-dtnnodeid-04
Thread-Index: Add/9nBpbNBLzKA5RcKzepF1UuMpmw==
Date: Fri, 23 Jul 2021 19:14:57 +0000
Message-ID: <BN3P110MB052974A1C8CD9907F111E4A0DCE59@BN3P110MB0529.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=cert.org;
x-originating-ip: [71.112.171.248]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: e818d683-5081-4c29-3c9e-08d94e0e28fa
x-ms-traffictypediagnostic: BN3P110MB0225:
x-microsoft-antispam-prvs: <BN3P110MB0225002B5DE880E3931059A0DCE59@BN3P110MB0225.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: fZVVi0KhdG3EFKrZUuA7ol0TMK/tTSLkycYQnMMF/a4wSS9N0rCdKJjvpk5PvTqe806gSjUSw7vUa+aMeX1w2U9q+4JDT3KeLJGPzDCostNqVJoDF8cS37wEUsfdv0VM7+mCk5MyqN4sNl2QKi8Y8GBYl7HOEw/HrnVCajPTlXKmRlztwwIomB81trOtj32YPSEHwYOPEIv11Z1Z1TtjDNFdXGwP+qpqz8kKgdcqhVTFt8+OJaJnXBRul2hE8c2CfGEbtW/WyvRazlmSvuwTOYAMGHQiYdEOFK0QzFztWLbG4jmMnPMWcApv5Vwf96gIIPawrUWVBl1OOsx9MpJJw3wukreEDpBH9XGQhAARSSAtXlf08TGWUt5LjQkWJlIB+8T1R7zUmH9WjFq8ldM2y30/4y9WDcYy9IRdl6kCdlTGV/y5t3HOZi/uf3HD3Qizgr/5RG7Gllxk6y8u7/s01xjvI69LBfCCDif//eoAKd8PMcWwuFvrf1mY1XTzs+1TiSkpK40m/gkdPwMsYR8Jt+4NbaSfTo1a7FBWK6XgkqVjpCQj4aPQwSKENCn9zKe8tQ7Ahk1/sCiu+oLYbOmMKUJL7BirU/3s7bt90TQcZdaUS3WxmtJNReG23N1RI2cn
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN3P110MB0529.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(136003)(39850400004)(396003)(346002)(366004)(376002)(9686003)(26005)(76116006)(52536014)(186003)(66946007)(64756008)(5660300002)(66446008)(66476007)(122000001)(7696005)(6506007)(55016002)(38100700002)(478600001)(33656002)(316002)(66556008)(86362001)(83380400001)(2906002)(8676002)(71200400001)(8936002)(6916009)(38070700004); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: QE3ygxiFOE9zfpryaINwOvpTwp+8tjw7a1fxEcNYbPaX4OV91G6JK6oXew1A4yy14/GQ6iJWRng1MqstsunAv5QvxEBYmOJZ60tg73sgwUVx98CCGTTb8mdTVXdaB/YJJZCAdPwfk8zawHyR+uR81w18pc5V7AQRgcPtXVdvIx06+ArS31kCEuuRL2FxHdKyNADHYcu20OIQ7zUs9ftezL2ADCJuTXdP5hSPHWFsjcr1XDiBtnPssDVK/AMuL9hdk0zH21xgpkQ9ObhjVotRN7EGeceMT3aZIyqy+FKBZcBRb0eG3wcViUhnxEceMFUQDNe5LCi8+H89EicB4xicxi9R7+JvOx4cZLC9z6zcdxF7nV57kG4Rmv1JgsReOEDF00zH2ksb0jOZYK6P/hxtbu5b/2hNzXChUvEgUVv9osQcqtBWBhmbXzinguWMRgL/8xXDl38ScGcrjkH/Q1dVWT9w0NeVrfcRtfFaHV72k0z/Zt6tCLNiJ0oguIaE0F8qQ1xGLjXwE3yR0xa8wzzdAyTjZNDmoSOmETng4UXGfKTz/TXRTizWLfUDauFnGU/RBuM+fS4IzZ6APiu4HXMXxlAJTzCozOLCkC8iWEVId6DLZKVNqr9wXCe8FiK4ohxUKx0QyFaB5UQNZ7EoYMXyaMYWRIdO0rs1hDFkaWoUnz8RSCLSd1+8+gho09IiI8FxANLeMzpo/j7P76oZMz+bdNxXiOvRCb8mFBRviqeeFk4=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN3P110MB0529.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: e818d683-5081-4c29-3c9e-08d94e0e28fa
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Jul 2021 19:14:57.2783 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3P110MB0225
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/7HaJSiLnZ21zppL8p6MMIr6JEaI>
Subject: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Jul 2021 19:15:03 -0000

Hi!

I conducted an AD review of draft-ietf-acme-dtnnodeid-04.  Thanks for all of the work on this extension to support DTN.  My feedback is as follows:

** This document proposes an update to draft-ietf-dtn-bpbis.

-- Editorially, if that's the case, the document header has a typo of "-ietf-dtn-bpbis".  The abstract should explicitly state that what document is being updated and how.

-- On the process side, this arrangement is rather unusual.  No quarrels with the substance of the update which will improve extensibility.  However, this particular document has experimental status and the document being updated (draft-ietf-dtn-bpbis) is proposed standard (PS).  Having a lower maturity document updating one of higher status is my concern -- "experiments fail".  Was this issue considered?  Discussed with the DTN WG?  I'll note that draft-ietf-dtn-bpbis has not yet been published (although it is in the late state of the RFCEd queue).  Could the changes just be added there directly?

**I need a little help on DTN addressing.  The text notes that that the intent is to issue certificates with DTN Node IDs as a URI in subjectAltName.

(a) From the ABNF in Section 4.2.5.1.1 of draft-ietf-dtn-bpbis-31 of the dtn schema says:
   dtn-uri = "dtn:" ("none" / dtn-hier-part)

   dtn-hier-part = "//" node-name name-delim demux ; a path-rootless

   node-name = 1*(ALPHA/DIGIT/"-"/"."/"_") reg-name

   name-delim = "/"

   demux = *VCHAR

(b) The dtn schema does have circumstances where there is an authority part to the URI.  The definition of reg-name in Section 3.2.2 of RFC3986 seems to suggest sufficient flexibility such that it would not represent a name valid (at least in syntax) in the DNS

(c) Section of 4.2.1.6 of RFC5280 says the following about URIs in the SAN:

   URIs that
   include an authority ([RFC3986], Section 3.2) MUST include a fully
   qualified domain name or IP address as the host.

Given the constraint of (c) and the flexibility afforded with the definition of a node ID in (a)+(b), will DTN Node IDs always satisfy the requirement from (c) to be FQDN?  Is language needed to ensure that (likely in a few places in the document)?

** Section 1.  Editorial.  The paragraph starting with "Once an ACME server validates ..." jumps immediately into discussion a "uri" without explicitly describing it.  The text also transitions from the previous paragraph talking DTN Node Ids being URIs and now talking about "uri".  I would have appreciate a bit more hand-holding use the ACME terminology of a new "identifier type" and the need for a new DTN specific "challenge type".

** Section 1.  
This document also updates BPv7 to explicitly use the IANA
   administrative record type registry in Section 6.

Please explicitly cite a reference to BPv7

** Section 1.2.

   When a ACME client requests a pre-authorization or an order with a
   "uri" having one of the DTN Node ID schemes, the ACME server offers a
   challenge type to validate that Node ID.  

As noted in section 1, please explicitly state that what a "uri" is - a new ACME identifier type.  I would recommend:

When a ACME client requests a pre-authorization or an order with a "uri" identifier type with a value being one of the DTN Node ID schemes, the ACME server offers an "dtn-nodeid-01" challenge type to validate that Node ID.  

** Figure 1.  For clarity, it would be helpful to number the arrows between nodes and also use the corresponding numbers in the narrative text.

** Section 1.3.  The explicit guidance on extracting the CDDL from the XML is very useful.  Thanks for including it.

** Section 1.4.  Per the definition of "Challenge Bundle", shouldn't text clarify that it's the BP agent of the ACME server?  The Response Bundle helpfully makes that distinction.
OLD
     It is a Bundle created by the ACME
      server to challenge a Node ID claim.

NEW
It is a Bundle created by the BP agent managed by the ACME
      server to challenge a Node ID claim.

** Section 2. 
   Identifiers of type "uri" in certificate requests MUST appear in an
   extensionRequest attribute [RFC2985] containing a subjectAltName
   extension of type uniformResourceIdentifier having a value consistent
   with the requirements of [RFC3986].  Because the
   uniformResourceIdentifier is encoded as an IA5String it SHALL be
   treated as being in the percent-encoded form of Section 2.1 of
   [RFC3986].  

Section 1 invokes the use of the PKIX profile [RFC5280].  The above described guidance is only part of the constraints on using a SAN on the URI.  Section 4.2.1.6 of [RFC5280] covers the rest.

** Section 3.  
   "token-chal"  This token is unique to, and constant for, each ACME
      authorization.  

This sentence reads to me as saying inconsistent things - "unique to ... each ACME authorization" suggests that each authorization gets a different token.  "... and constant for each ACME authorization" seems to suggest is the same token across all ACME authorizations.  That doesn't seem right.

** Section 3.  Editorially.  I found the validation process being described as two separate lists of action, one for the client and one from the server, instead of interleaving them hard to follow.  However, I yield to the WG on this one.

** Section 3.3.
   Source Node ID:  The Source Node ID SHALL indicate the Node ID of the
      ACME server performing the challenge.

Is it the "Node ID of the ACME server" or the "Node ID of the BP agent of the ACME server"  

** Section 3.4.  Typo. s/Each Each/Each/

** Section 3.4. Typo. s/the the/the/

** Section 3.4.1.

   *  The Response Bundle was received within the time interval allowed
      for the challenge.

It would be helpful to state if this check based is based on the Creation Time and Lifetime fields.

** Section 4.  The text here is generic describing the functionality of the gateway.  Figure 1 presented an architecture where only the Response Bundle would pass through the integrity gateway.  Is it envisioned that the Challenge Bundle could use it as well?

** Section 8.  It would be worth repeating that the Security Considerations of draft-ietf-dtn-bpbis apply to the BP-to-BP agent communication.  Likewise, that RFC8555 applies to the ACME client/server communication.

** Section 8.  Section 1.1 states that the communication between the ACME client and ACME server and their respective BP agents is out of scope.  However, the integrity of the entire ACME issuance process rests on security of this communication.  Can the risks of and considerations for that communication please be documented?

Regards,
Roman

v2.23.0 | Report a Bug | By Email