Re: [Acme] Proposed ACME Charter Language

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 15 May 2015 15:11 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B39141A1BC8 for <acme@ietfa.amsl.com>; Fri, 15 May 2015 08:11:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PFk7bBmF52nM for <acme@ietfa.amsl.com>; Fri, 15 May 2015 08:11:10 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 6691D1A039D for <acme@ietf.org>; Fri, 15 May 2015 08:11:10 -0700 (PDT)
Received: from fifthhorseman.net (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id BBDA9F984; Fri, 15 May 2015 11:11:06 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 0F9AF20040; Fri, 15 May 2015 11:10:43 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Ted Hardie <ted.ietf@gmail.com>, Randy Bush <randy@psg.com>
In-Reply-To: <CA+9kkMAJ-925hQ+wawkLvEjTaf5f1JRHdrGMtCRhGt9Q8Ntc1Q@mail.gmail.com>
References: <6A9C3116-8CC9-472C-8AA8-F555D060834C@vigilsec.com> <55351EAB.1060905@cs.tcd.ie> <E81896AA-245F-48B7-9B38-86AC30D2F82A@vigilsec.com> <553523E4.2090808@cs.tcd.ie> <84718B26-1DA3-4D46-8B6F-B615806229D7@vigilsec.com> <CABcZeBOy2yBEMGMxcDy=E3fvc+OF1sZfvOV7twJHAvKqtrxtLg@mail.gmail.com> <28919F11-9336-41F6-9922-4E3E2DC4E935@gmail.com> <BD7B96B1-CD50-408F-AA06-49C20AB102A6@vigilsec.com> <CA+9kkMAH+U25ZhLq1HhGFHKMAECu+Y1ZJH-h4bOrEXaUQ15LjQ@mail.gmail.com> <87d225qwbq.fsf@latte.josefsson.org> <B30EDBDF-0803-4AB0-9EBB-DD726F617C5B@vigilsec.com> <2dc5d20a27664efe994398ec508f0e7e@ustx2ex-dag1mb4.msg.corp.akamai.com> <1E6924DE-D59C-4323-9658-766937368B98@vigilsec.com> <7F45C649-4C78-441E-8649-45D0F74168C2@vigilsec.com> <m2617wyu1v.wl%randy@psg.com> <CA+9kkMA18=KBtSWnS3murcFT7tfxNAe1Oi2YFNSkhOXTPDAFTw@mail.gmail.com> <m24mngytae.wl%randy@psg.com> <CA+9kkMB4uYr1SVUEqFKOB7AmPe793Mb-zAVU0GCK5d=XH9rsCg@mail.gmail.com> <m23830ysez.wl%randy@psg.com> <CA+9kkMAJ-925hQ+wawkLvEjTaf5f1JRHdrGMtCR hGt9Q8Ntc1Q@mail.gmail.com>
User-Agent: Notmuch/0.20~rc1 (http://notmuchmail.org) Emacs/24.4.1 (x86_64-pc-linux-gnu)
Date: Fri, 15 May 2015 11:10:38 -0400
Message-ID: <87bnhl511t.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/EtbYzu8KGoeZ3rl0DGYCkqW3OTk>
Cc: IETF ACME <acme@ietf.org>
Subject: Re: [Acme] Proposed ACME Charter Language
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 May 2015 15:11:14 -0000

On Wed 2015-05-13 19:36:51 -0400, Ted Hardie wrote:
> ​So, the point I'm getting at is that the system ought to provide
> an automated way to request revocation if the requester can meet
> the same bar as it would take to request or renew a certificate.  If 42
> is one of the ways to meet that bar, well and good.  If 42 is not one
> of the ways to meet the original bar, then putting effort to automating
> revocation on that basis seems off to me.

There is at least one scenario where automated revocation seems
legitimate but automated issuance does not: posession of the
end-entity's secret key.

That is: If i have the secret key, i *also* need to prove something else
(control of the domain) to get a certificate issued.  But if i have the
secret key to an already-issued certificate, i should not need to prove
control of the domain to get the certificate revoked.

If I compromise your secret key, the nicest possible thing i can do with
it is get it revoked.  There is no reason to prevent this action from
anyone who has access to the secret key.

I think i like Russ's first suggestion best:

>> ACME certificate management must, in an automated manner, allow an
>> authorized party to request revocation of a certificate.

because it lets the WG (and implementers/deployers) decide to include
types of authorization that might be relevant for revocation but not for
issuance, while still covering the general case.

        --dkg