IETF Logo Mail Archive

Re: [Acme] draft-ietf-acme-star

Thomas Fossati <Thomas.Fossati@arm.com> Fri, 13 September 2019 12:41 UTC

Return-Path: <Thomas.Fossati@arm.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA2EF1200EB for <acme@ietfa.amsl.com>; Fri, 13 Sep 2019 05:41:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=GiDYF3yz; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=armh.onmicrosoft.com header.b=oAMh//wk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ycNlX86FwFBs for <acme@ietfa.amsl.com>; Fri, 13 Sep 2019 05:41:49 -0700 (PDT)
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (mail-eopbgr50069.outbound.protection.outlook.com [40.107.5.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2AFC41200E9 for <acme@ietf.org>; Fri, 13 Sep 2019 05:41:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=PqLFscO4MxCnqQD2HzrPwYer+RUmhEBFNjXGz7tgMjg=; b=GiDYF3yzI/54kCgAC/xwgZgPsYGjEq+TO2RXWu/TYkuDghtlz/JrbVAEJX85s9xMgG/G4Wjl8gLJ7ecOYxguhAacCYSlNA9Vxqi0VgGJ4TrRh6g5Ygx1FQjindA85SePJCOwsOMCqD2C8nSTxy0nemgcdd0/jwdQCZ1O9ijNY6Q=
Received: from VE1PR08CA0004.eurprd08.prod.outlook.com (2603:10a6:803:104::17) by AM0PR08MB2993.eurprd08.prod.outlook.com (2603:10a6:208:5d::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2263.17; Fri, 13 Sep 2019 12:41:45 +0000
Received: from AM5EUR03FT039.eop-EUR03.prod.protection.outlook.com (2a01:111:f400:7e08::202) by VE1PR08CA0004.outlook.office365.com (2603:10a6:803:104::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2263.13 via Frontend Transport; Fri, 13 Sep 2019 12:41:45 +0000
Authentication-Results: spf=temperror (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=none action=none header.from=arm.com;
Received-SPF: TempError (protection.outlook.com: error in processing during lookup of arm.com: DNS Timeout)
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by AM5EUR03FT039.mail.protection.outlook.com (10.152.17.185) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2263.14 via Frontend Transport; Fri, 13 Sep 2019 12:41:44 +0000
Received: ("Tessian outbound 5061e1b5386c:v31"); Fri, 13 Sep 2019 12:41:40 +0000
X-CheckRecipientChecked: true
X-CR-MTA-CID: 47dcebe3b5575e16
X-CR-MTA-TID: 64aa7808
Received: from c72f48558773.2 (ip-172-16-0-2.eu-west-1.compute.internal [104.47.1.50]) by 64aa7808-outbound-1.mta.getcheckrecipient.com id 6967FC83-D439-47E4-8061-6B7F309DD583.1; Fri, 13 Sep 2019 12:41:35 +0000
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-ve1eur01lp2050.outbound.protection.outlook.com [104.47.1.50]) by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id c72f48558773.2 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Fri, 13 Sep 2019 12:41:35 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=lvVZAFYP03STWyBnWYj2PrIG4U36DTPEJLUVZ3wiheYdiJE8CmW78BRF9k69o5Dp6xWZblBxkwUYWdT/8BKMl0RGZDPFvls24LVDvfS8slSI3vBPEdqZPE8BIBNKtndAYrLRaJb9qcz2UZ5bqF8yPB5CG2WF1bk2y6ZV8EK4MnBR/ANaz6nQTUxebvLWA7yULuYw1Fyi6hufpzAClYZVO0fxlPu1WYys4SR4+Te+iAKuR8sI+85odEblr29DujJSVnHlcmC5bmBhKVr9JEAJgZmGdaU154xBTe7MZt+as1ehG+XrQ3ZT7Eas2MuT9IKjcYg2GGW6nDYaGc7lygntWg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=PA/tXbbMo2WjtOfWHG9VNkJGhXSaBggIQPBRJVGZgq0=; b=FmETzzLeU/yer9PFgEzpbRzTCzoAy7gAN3mIBrH9JnWroJA5H/9Wn7DGVIVBtctGleE88+wHMTbSUpYsMepOZf3HQrgvAul30EPrnwo8CMd5AgamqO6uD9TPb8D5/xnDsfdOvvjBYybl6KrMNfkaptFpPV50MufjY4vYDoWPc0wq/whOHIE0dU4V0MFCPNHVrBd67BkE5kms5HCxlvu+2YW9wlUAR1uIZPiQvUiP60tH2/IR5JG5JjehYrxTvb2RmOvJdN38p0OqIObmYF3mk2fOEVE3mIonVLUnHI7tnvwWYgL9QsF4BbLLcHAcq3Yokmr64UhRsZVoiItiu6vhdA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=PA/tXbbMo2WjtOfWHG9VNkJGhXSaBggIQPBRJVGZgq0=; b=oAMh//wkAiwVCGyPIoXhlnLTDTG6/XsR8Ja9wb5Y5niapHlDs+7KOuQBBmUqHqUMYEiPbjTy+hJU1bgTwFdTh6ob+mPc2bNwCSEfSPFZ+jjMXBRHKOpWadSjMR85bwfJGXOimDL3qLnBBHkDy9tZJFgPlWH85wEp9r1h7D9vGCY=
Received: from AM6PR08MB4231.eurprd08.prod.outlook.com (20.179.18.151) by AM6PR08MB4391.eurprd08.prod.outlook.com (20.179.18.138) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2263.21; Fri, 13 Sep 2019 12:41:33 +0000
Received: from AM6PR08MB4231.eurprd08.prod.outlook.com ([fe80::6020:78b2:b6a8:24a2]) by AM6PR08MB4231.eurprd08.prod.outlook.com ([fe80::6020:78b2:b6a8:24a2%5]) with mapi id 15.20.2263.021; Fri, 13 Sep 2019 12:41:33 +0000
From: Thomas Fossati <Thomas.Fossati@arm.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
CC: "Salz, Rich" <rsalz@akamai.com>, Richard Barnes <rlb@ipv.sx>, IETF ACME <acme@ietf.org>, Thomas Fossati <Thomas.Fossati@arm.com>
Thread-Topic: [Acme] draft-ietf-acme-star
Thread-Index: AQHVXbBEG0DHphQ3ZkGWV02/jAyxnacjIuWAgADhwYCAAAP2AIACwzCA///7bACAAu9QgA==
Date: Fri, 13 Sep 2019 12:41:33 +0000
Message-ID: <09E9471E-1E91-49C0-A6A6-2CEFD7B1793E@arm.com>
References: <CAL02cgST77G9uR23x4Hf0L8_hqi6zSuJqB=dbunGYcDPEDpbDg@mail.gmail.com> <94D1B74E-8AD8-4623-8DFB-E9C132BBB940@arm.com> <CAL02cgTM+dTJ6enzpnb=dSCzbDMR+3Xadp4r4a3xuzzhxPgJag@mail.gmail.com> <1D779B7D-3661-49B6-BC75-A41B69F3768F@akamai.com> <81C03A03-8189-4BB6-A4B1-131B25831ED7@arm.com> <CAErg=HHmwF+=NjSBqsKRw28P5rLV1vY+oZKY9WNGcQLN7ujCYA@mail.gmail.com>
In-Reply-To: <CAErg=HHmwF+=NjSBqsKRw28P5rLV1vY+oZKY9WNGcQLN7ujCYA@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1d.0.190908
Authentication-Results-Original: spf=none (sender IP is ) smtp.mailfrom=Thomas.Fossati@arm.com;
x-originating-ip: [217.140.106.55]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-Correlation-Id: 1b0f6efc-f4fe-4f1a-38b6-08d73847bbdc
X-MS-Office365-Filtering-HT: Tenant
X-Microsoft-Antispam-Untrusted: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600166)(711020)(4605104)(1401327)(4618075)(2017052603328)(7193020); SRVR:AM6PR08MB4391;
X-MS-TrafficTypeDiagnostic: AM6PR08MB4391:|AM6PR08MB4391:|AM0PR08MB2993:
x-ms-exchange-transport-forked: True
X-Microsoft-Antispam-PRVS: <AM0PR08MB2993B73D2C693B9C686680819CB30@AM0PR08MB2993.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
x-ms-oob-tlc-oobclassifiers: OLM:10000;OLM:10000;
x-forefront-prvs: 0159AC2B97
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(376002)(136003)(396003)(346002)(366004)(189003)(199004)(52314003)(33656002)(4326008)(2906002)(3846002)(6116002)(11346002)(476003)(486006)(7736002)(305945005)(25786009)(446003)(508600001)(2616005)(26005)(86362001)(186003)(6916009)(102836004)(316002)(58126008)(54906003)(6506007)(71190400001)(5660300002)(14444005)(256004)(99286004)(71200400001)(53546011)(76176011)(76116006)(66476007)(66946007)(8936002)(8676002)(81156014)(81166006)(66066001)(91956017)(6486002)(229853002)(6436002)(14454004)(6512007)(66446008)(66556008)(36756003)(53936002)(6246003)(64756008); DIR:OUT; SFP:1101; SCL:1; SRVR:AM6PR08MB4391; H:AM6PR08MB4231.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Message-Info-Original: +XWToG/6rmFhLEAEK0Pjg40CzY8iuNMYxhckU+em0IEA9okOc1CqIed+lu9g36wW/7+aYnwv4GzF1pevBVDn1mRcG+4q0ZhGfgYIkydazMG7vIWIlIKRh2mNh6qvPew2L37pgW5SagpbPGuQGxPUtBpSWcEKX95kzLWYkywwYlVobOh5etFfmjuh8MqYQ8g2pfLLkSiJfIsuO8aZHZcNEWeAQWZrtHdBtcCdOJY/IKc5lfKWLtrB94Z2xVS2fUBhB8gSh3Iq+r4IWhPM3eCyMako9geUc+EufGrPI8p0MFXn20WrteqGHngYvtpMYWnoMmpGmMMDGsu+sFH/XKLLSGQwx2m3M33I20/+jDGbyvxagVoPaPwn/D1hgUfx8hxUbRvOO7bsfvshoZdtGawpNiYHZV3+Ri6NiIETeKnL6ww=
Content-Type: text/plain; charset="utf-8"
Content-ID: <9D4CDFFF155C4D4CB54CB1B556B64F51@eurprd08.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR08MB4391
Original-Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=Thomas.Fossati@arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: AM5EUR03FT039.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:63.35.35.123; IPV:CAL; SCL:-1; CTRY:IE; EFV:NLI; SFV:NSPM; SFS:(10009020)(4636009)(396003)(346002)(136003)(376002)(39860400002)(52314003)(40434004)(199004)(189003)(8676002)(8936002)(436003)(316002)(36906005)(305945005)(63350400001)(86362001)(76130400001)(47776003)(76176011)(4326008)(58126008)(50466002)(336012)(2616005)(11346002)(2906002)(186003)(54906003)(36756003)(7736002)(25786009)(14454004)(6246003)(5660300002)(66066001)(356004)(22756006)(26826003)(5024004)(229853002)(81166006)(81156014)(6862004)(33656002)(446003)(6486002)(508600001)(2486003)(23676004)(3846002)(53546011)(6512007)(14444005)(26005)(102836004)(6116002)(70586007)(70206006)(99286004)(6506007)(126002)(476003)(486006); DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR08MB2993; H:64aa7808-outbound-1.mta.getcheckrecipient.com; FPR:; SPF:TempError; LANG:en; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; A:1; MX:1;
X-MS-Office365-Filtering-Correlation-Id-Prvs: c7129ee8-4295-4fcf-e0ab-08d73847b5a9
X-Microsoft-Antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600166)(710020)(711020)(4605104)(1401327)(4618075)(2017052603328)(7193020); SRVR:AM0PR08MB2993;
X-Forefront-PRVS: 0159AC2B97
X-Microsoft-Antispam-Message-Info: vmsJN8frR0wNy8II9xl0AdzdzwfyvYAv8kiHNrBzwH6TjCyvN54+whsLz2Tb/H+5psaYwI5wsOrn02DnmQnu9urlZdZSZbfiZcjEyaI/J+oO2qF4zDBZZakphVGAUxz6QhxkYzCfgpLvi6hC5m3NVdgQaFYQeq0r8LcSrALEHFmTMP6hCP8dnrxArewFw7jq74TGGAeL6KmN3G/AfZ10tV3rBxrqQ0LqbW+2T8ma1pGyTglrCxYjvyxRiKHqB7pON2LB5E8FPIbflI4foaLv6ldGdggnZXp8WSo25zWCTV3Hz2RR/e6kVR0PM969OwJmmo6OFqfXUIbYl5j6zDm11Md8lIfrLCJ6Zy6yQ9Tp4MBBlJF2EQhoZLFnDR8gIUwiVDv50GSvcwnzcqwjq0tA9W41zMK96wbfSJbAKGwv+0g=
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 13 Sep 2019 12:41:44.1249 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 1b0f6efc-f4fe-4f1a-38b6-08d73847bbdc
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR08MB2993
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/EryafDZWXBTEPl8WKV2piCmHt3g>
Subject: Re: [Acme] draft-ietf-acme-star
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Sep 2019 12:41:52 -0000

Thanks Richard for raising this and Ryan for taking the time to explain.

On 11/09/2019, 17:52, "Ryan Sleevi" <ryan-ietf@sleevi.com> wrote:
> I'm not Richard, but with respect to publicly trusted certificates,
> issuing a certificate with a notBefore set prior to that certificate
> was issued is seen as, minimally, problematic, and at times has
> resulted in a complete removal of trust in that CA, particularly
> if/when such actions have lead to bypasses of technical controls
> enforced based upon the notBefore.
>
>
> The clock skew problem is, admittedly, real, and the general solution
> as practiced by industry-recognized CAs and Subscribers is to generate
> the request and issue the certificate in advance of its actual
> deployment, rather than to issue the certificate and then back-date it
> to facilitate deployment.
>
>
> To that end, the language about "amount of pre-dating added to each
> STAR certificate" (in 3.1.1) is, as Richard highlighted, about the
> overlap that exists.  The language in Section 4.1, however, should be
> clarified to be clear that the CA/ACME server MUST NOT set the
> notBefore to before the request, but instead about ensuring that the
> STAR client requests the 'next certificate' in advance of the actual
> deployment.  This may substantially alter the protocol, it's unclear,
> but it's extremely unwise, if not outright fatal to interoperability,
> to issue a certificate with a notBefore set prior to the request, and
> it seems that is what is meant by Section 4.1.

OK, this adds a new constraint ("no back-dating") that we hadn't
factored in the initial design, and I agree this is a blocker.

I think the question is whether and how can we accommodate this
constraint with the ability to work around clock-skew -- IOW, keeping
recurrent-certificate-predate (*) while not messing up CA's cert
issuance best practices.

It seems to me that this might still be possible modulo
recurrent-certificate-adjust (rcp) being upper bounded by
recurrent-cert-validity (rcv), i.e., slightly changing the calculations
in 3.5 like this:

     notBefore = nrd[i] - predating
     notAfter  = min(nrd[i] + rcv, red)

     predating = max(predating_S, predating_C)
     predating_S = f * rcv (.5 <= f < 1)
     predating_C = max(rcp, rcv)

This should still leave a fair amount of knobs to ACME clients (rcp and
rcv) to play with their clock-skewed customers.

Would that work for you?

The (brutal) alternative is to get rid of recurrent-certificate-predate,
but removing the ability to address (at least partially) the clock skew
problem looks like a missed opportunity.

Anyway, whatever road we take, it looks like there's a bit of editorial
work to do in sections 3.1.1, 3.3, 3.5 and 4.1.

Cheers, t

(*) We'll rename it to "recurrent-certificate-adjust".



IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email