Re: [Acme] draft-ietf-acme-star

Thomas Fossati <Thomas.Fossati@arm.com> Mon, 09 September 2019 08:16 UTC

From: Thomas Fossati <Thomas.Fossati@arm.com>
To: Richard Barnes <rlb@ipv.sx>, IETF ACME <acme@ietf.org>
CC: Thomas Fossati <Thomas.Fossati@arm.com>
Thread-Topic: [Acme] draft-ietf-acme-star
Thread-Index: AQHVXbBEG0DHphQ3ZkGWV02/jAyxnacjIuWA
Date: Mon, 09 Sep 2019 08:15:35 +0000
Message-ID: <94D1B74E-8AD8-4623-8DFB-E9C132BBB940@arm.com>
References: <CAL02cgST77G9uR23x4Hf0L8_hqi6zSuJqB=dbunGYcDPEDpbDg@mail.gmail.com>
In-Reply-To: <CAL02cgST77G9uR23x4Hf0L8_hqi6zSuJqB=dbunGYcDPEDpbDg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/D8MMrfAT_DsCDMbjOBusUBmTuF4>

Hi Richard,

Thank you for the detailed review. As you note yourself, this is quite
late in the document life-cycle (the draft completed IETF LC over a
month ago), which is unfortunate, given that every one of your comments
is an actual protocol change. As far as we understand, none of them can
be seen as a "showstopper" mistake in the protocol, and therefore we
propose to move forward with the current draft version. Please let us
know if we missed anything.

Cheers, Thomas (on behalf of the authors)

> On 28/08/2019 at 15:52, Richard Barnes <rlb@ipv.sx> wrote:
>
> I had a chance to take a look at this draft as a result of being a
> designated expert on the registries.  I approved the registrations,
> but independently, I have several major concerns about the draft.  In
> no particular order
>
> - The use of the "STAR" acronym is not helpful.  This is not an
> acronym that will be familiar to a reader, and less so an implementer
> who has not fully read and absorbed this spec.  Instead, you should
> say what you mean, e.g., for the "meta" fields:
>
> star-enabled -> auto-renewal-allowed
> star-min-cert-validity -> min-cert-validity
> star-max-renewal -> max-auto-renewals
>
> - Likewise, "recurrent" is not a common word in English.  If you want
> to use a single word, "recurring" is more common, but referring to
> "auto-renewal" would be even better.
>
> - It would be even cleaner to group all these "recurrent" fields into
> a sub-object, so that you wouldn't have to worry about them being
> present if "recurrent" wasn't set.  In other words, just signal the
> "recurrent" boolean by the presence of the object, and specify the
> parameters in the object.
>
> { "auto-renew": { "start": ..., "end": ..., "lifetime": ..., } }
>
> - The idea of "predating" is toxic.  Pre-dating a certificate means
> making the notBefore date earlier than when you actually issued it,
> which is a huge problem for a real CA to do.  That's not what you mean
> here.  You just want there to be some overlap between certificates.
> Say that instead ("recurrent-certificate-predate" -> "overlap") and
> adjust Section 3.5 accordingly.
>
> - The Not-Before and Not-After headers should be removed.  On the one
> hand, it's not clear to me that it's any easier to parse these headers
> than it is to parse the certificate.  On the other hand, there are
> existing HTTP headers that express almost exactly the same semantics,
> e.g., Expires.
>
> - It's not clear that there's any reason to negotiate certificate-GET
> on a per-order basis.  Just have the CA allow it or not unilaterally
> and delete the "recurrent-certificate-get" field.
>
> - The "star-certificate" attribute is unnecessary.  Instead, you
> should just say that when auto-renewal is enabled, the "certificate"
> attribute points to the current certificate, and use "previous" link
> relations to expose earlier certs.

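As an added illustration (not code from the draft or its authors), the following Python models two of the review's suggestions together: auto-renewal signalled by the presence of an "auto-renew" sub-object rather than a "recurrent" boolean, and an "overlap" parameter in place of "predate", with renewals scheduled so that notBefore is never earlier than the issue time. The field names are the reviewer's; treating "lifetime" and "overlap" as seconds and the validation rules are assumptions of this example.

```python
from datetime import datetime, timedelta

REQUIRED = ("start", "end", "lifetime")  # names from the review; semantics assumed

def parse_auto_renew(order):
    """Return validated auto-renew parameters, or None for a one-off order."""
    ar = order.get("auto-renew")
    if ar is None:
        return None  # no sub-object: nothing recurring, no stray fields to check
    missing = [k for k in REQUIRED if k not in ar]
    if missing:
        raise ValueError(f"auto-renew missing {missing}")
    start = datetime.fromisoformat(ar["start"])
    end = datetime.fromisoformat(ar["end"])
    lifetime = int(ar["lifetime"])          # seconds (assumption)
    overlap = int(ar.get("overlap", 0))     # seconds (assumption); replaces "predate"
    if lifetime <= 0 or not 0 <= overlap < lifetime or end <= start:
        raise ValueError("inconsistent auto-renew parameters")
    return {"start": start, "end": end, "lifetime": lifetime, "overlap": overlap}

def accepts(order):
    """True if the order has no auto-renew object or a valid one."""
    try:
        parse_auto_renew(order)
        return True
    except ValueError:
        return False

def schedule(order):
    """(issue_at, not_before, not_after) for each certificate of the series.
    Each renewal is issued `overlap` seconds before the current cert expires
    and notBefore equals the issue time, so no certificate is pre-dated."""
    ar = parse_auto_renew(order)
    if ar is None:
        return []
    out, issue_at = [], ar["start"]
    while issue_at < ar["end"]:
        not_before = issue_at
        not_after = min(not_before + timedelta(seconds=ar["lifetime"]), ar["end"])
        out.append((issue_at, not_before, not_after))
        if not_after == ar["end"]:
            break
        issue_at = not_after - timedelta(seconds=ar["overlap"])
    return out

# Constructed sample order (not a real ACME exchange): 8-hour certs, 1-hour overlap.
SAMPLE_ORDER = {"identifiers": [{"type": "dns", "value": "example.com"}],
                "auto-renew": {"start": "2019-09-09T00:00:00+00:00",
                               "end": "2019-09-10T00:00:00+00:00",
                               "lifetime": 8 * 3600, "overlap": 3600}}
```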