IETF Logo Mail Archive

Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf-acme-star-09: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Thu, 03 October 2019 14:19 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D5EE120954; Thu, 3 Oct 2019 07:19:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cvGXfhKqtN13; Thu, 3 Oct 2019 07:19:21 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1392F12093D; Thu, 3 Oct 2019 07:19:20 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x93EJCI7014148 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 3 Oct 2019 10:19:14 -0400
Date: Thu, 03 Oct 2019 07:19:11 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Thomas Fossati <Thomas.Fossati@arm.com>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-acme-star@ietf.org" <draft-ietf-acme-star@ietf.org>, Rich Salz <rsalz@akamai.com>, "acme-chairs@ietf.org" <acme-chairs@ietf.org>, "acme@ietf.org" <acme@ietf.org>
Message-ID: <20191003141911.GS6424@kduck.mit.edu>
References: <157003958107.8961.10411719007130526381.idtracker@ietfa.amsl.com> <AB791FFF-011A-4A6E-B136-23C6204288B6@arm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <AB791FFF-011A-4A6E-B136-23C6204288B6@arm.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Imqf7WXtXU0zGkMoksv7AqxKBcg>
Subject: Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf-acme-star-09: (with DISCUSS and COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Oct 2019 14:19:25 -0000

On Thu, Oct 03, 2019 at 12:59:47PM +0000, Thomas Fossati wrote:
> Hi Ben,
> 
> First of all thank you very much for this excellent review.
> 
> On your DISCUSS points:
> 
> On 02/10/2019, 19:06, "Benjamin Kaduk via Datatracker" <noreply@ietf.org> wrote:
> > RFC 8555 (and the IANA registry) list the 'status' field of the order
> > object as not configurable, yet we propose to configure it (in
> > Sections 3.1.1 and 3.1.2).  It would perhaps be possible to make this
> > work procedurally, by updating the registry entry and maybe an
> > Updates: header, but it may be worth a broader rethink.  Specifically,
> > if we add a new field to the order instead, for the cancellation URL,
> > then we do not modify the order directly (but instead request the
> > server to take an action that does so as a side effect), and we also
> > can avoid state-machine concerns about attempting to enter "canceled"
> > state from a state other than "valid" by simply not making the
> > cancellation URL visible until the order is "valid".
> 
> This is a great catch -- I wonder how we failed to notice it.  I don't
> think tweaking the registry would be a good way to tackle this and I
> agree with your proposal to remove the canceled state and add a
> cancellation URL instead.  I am going to work on an update and have it
> ready ASAP (though I'm on leave starting tomorrow, so it might take a
> bit more than just a couple of days.)

So, it turns out that I was confused on this (probably a remnant of my
confusion on the related issues during the processing of RFC 8555) --
https://tools.ietf.org/html/rfc8555#section-9.7.2 is clear that the
"configurable" column refers only to "included in a newOrder request".  The
usage here is not in the newOrder request, and thus is not inherently
problematic, if my (new) understanding is correct.  But hopefully we can
get some more input, e.g., from people who better remember the discussions
around the time of draft-ietf-acme-acme's processing.

-Ben

> > A more minor concern, but when we consider the examples in this
> > document in conjunction with the examples in RFC 8555 itself, we find
> > several protocol invariants violated: we reuse a nonce for different
> > requests, but nonces are single-use; we use the same Order URL for two
> > different order contents, the same certificate URL for two different
> > (star-)certificates, and (not quite a protocol invariant, but "with
> > very high probability" so) the signature on a request is duplicated.
> > I also note that we reuse an account URL from RFC 8555, which is not
> > inherently problematic, but my suggestion would be to generate a new
> > one to make a clean break.
> 
> OK, no problems.
> 
> Cheers!
> 
> 
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email