Re: [Acme] Alexey Melnikov's Discuss on draft-ietf-acme-star-09: (with DISCUSS and COMMENT)

Thomas Fossati <Thomas.Fossati@arm.com> Sun, 29 September 2019 19:03 UTC

From: Thomas Fossati <Thomas.Fossati@arm.com>
To: Alexey Melnikov <aamelnikov@fastmail.fm>, The IESG <iesg@ietf.org>
CC: "draft-ietf-acme-star@ietf.org" <draft-ietf-acme-star@ietf.org>, Rich Salz <rsalz@akamai.com>, "acme-chairs@ietf.org" <acme-chairs@ietf.org>, "acme@ietf.org" <acme@ietf.org>, Thomas Fossati <Thomas.Fossati@arm.com>
Date: Sun, 29 Sep 2019 19:03:12 +0000
Message-ID: <E43AE79C-3733-414D-B97B-19D4860F1246@arm.com>
References: <156977456805.21721.14788916437504551807.idtracker@ietfa.amsl.com>
In-Reply-To: <156977456805.21721.14788916437504551807.idtracker@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/MOfYCoKajUBoAcuYCh2SHhOLAss>
Subject: Re: [Acme] Alexey Melnikov's Discuss on draft-ietf-acme-star-09: (with DISCUSS and COMMENT)

Hi Alexey,

Thank you very much for your comments.

On 29/09/2019, 17:29, "Alexey Melnikov via Datatracker" <noreply@ietf.org> wrote:
> I have one small issue that I would like to discuss before recommending
> approval of this document:
>
> Section 6.4 and 6.6 don’t seem to specify IANA registration procedure for new
> subregistries.

Are you saying we should say explicitly what the contents of the new
sub-registries are?  If so, would something like the following work for you:

Section 6.4., paragraph 4:
OLD:

      +-----------------------+------------+--------------+-----------+
      | Field Name            | Field Type | Configurable | Reference |
      +-----------------------+------------+--------------+-----------+
      | start-date            | string     | true         | RFC XXXX  |
      | ...

NEW:

    Initial contents: The fields and descriptions defined in
    Section 3.1.1.

      +-----------------------+------------+--------------+-----------+
      | Field Name            | Field Type | Configurable | Reference |
      +-----------------------+------------+--------------+-----------+
      | start-date            | string     | true         | RFC XXXX  |
      | ...


Section 6.6., paragraph 4:
OLD:

             +-----------------------+------------+-----------+
             | Field Name            | Field Type | Reference |
             +-----------------------+------------+-----------+
             | min-lifetime          | integer    | RFC XXXX  |
             | ...

NEW:

    Initial contents: The fields and descriptions defined in Section 3.2.

             +-----------------------+------------+-----------+
             | Field Name            | Field Type | Reference |
             +-----------------------+------------+-----------+
             | min-lifetime          | integer    | RFC XXXX  |
             | ...

If this is not what you want, please guide me as I'm slightly lost :-)

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> 1.1. Name Delegation Use Case
>
> The proposed mechanism can be used as a building block of an efficient
> name-delegation protocol, for example one that exists between a CDN or a cloud
> provider and its customers [I-D.ietf-acme-star-delegation]. At any time, the
> service customer (i.e., the IdO) can terminate the delegation by simply
> instructing the CA to stop the automatic renewal and letting the currently
> active certificate expire shortly thereafter. Note that in this case the
> delegated entity needs to access the auto-renewed certificate without being in
> possession of the ACME account key that was used for initiating the STAR
> issuance.
>
> Can you explain the last sentence? I am reading “in this case” as the delegated
> entity needs access to renewed certificate once delegation is cancelled, which
> doesn’t make sense. Please let me know if I misunderstood.

"in this case" refers to "name delegation", sorry for the confusion.

When using the default POST-as-GET method to retrieve the cert, the delegated
entity should be in possession of the account key to sign the request.
However, sharing key material between the delegating and the delegated party
is not ideal -- in fact, it's what we want to avoid in the first place here.

What about:

Section 1.1., paragraph 1:
OLD:

    [...]
    certificate expire shortly thereafter.  Note that in this case the
    delegated entity needs to access the auto-renewed certificate without
    being in possession of the ACME account key that was used for
    initiating the STAR issuance.

NEW:

    [...]
    certificate expire shortly thereafter.

    Note that in the name delegation use case the delegated entity needs
    to access the auto-renewed certificate without being in possession of
    the ACME account key that was used for initiating the STAR issuance.


Cheers, thanks!
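Added illustration (this is not part of the original mail or of the draft): the POST-as-GET exchange referred to above, written out in Go, to show concretely why the delegated entity cannot retrieve the certificate unless it holds the IdO's ACME account key. The CA name, account URL (kid), nonce values and certificate URL are made-up placeholders, and the CA's account store is a plain map standing in for its database; the JWS construction itself follows RFC 8555 section 6 (empty payload for POST-as-GET, protected header with alg/kid/nonce/url, ES256 signature as r||s).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// b64 is the base64url-without-padding encoding JWS uses (RFC 7515).
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ProtectedHeader holds the fields every ACME request must sign over
// (RFC 8555 section 6.2): algorithm, account URL, fresh nonce, target URL.
type ProtectedHeader struct {
	Alg   string `json:"alg"`
	Kid   string `json:"kid"`
	Nonce string `json:"nonce"`
	URL   string `json:"url"`
}

// FlattenedJWS is the JSON body of an ACME request.
type FlattenedJWS struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// SignPostAsGet builds a POST-as-GET body for url with the ACME account key.
// The empty payload is what distinguishes POST-as-GET from a regular POST
// (RFC 8555 section 6.3). Without the private account key this cannot run.
func SignPostAsGet(accountKey *ecdsa.PrivateKey, kid, nonce, url string) (*FlattenedJWS, error) {
	hdr, err := json.Marshal(ProtectedHeader{Alg: "ES256", Kid: kid, Nonce: nonce, URL: url})
	if err != nil {
		return nil, err
	}
	protected := b64(hdr)
	digest := sha256.Sum256([]byte(protected + ".")) // signing input, empty payload
	r, s, err := ecdsa.Sign(rand.Reader, accountKey, digest[:])
	if err != nil {
		return nil, err
	}
	// ES256 JWS signature is r||s, each left-padded to 32 bytes (RFC 7518 section 3.4).
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return &FlattenedJWS{Protected: protected, Payload: "", Signature: b64(sig)}, nil
}

// VerifyPostAsGet is the CA side: resolve the account from kid, bind the
// request to this nonce and url, require an empty payload, and check the
// signature against the key registered for that account (not the signer's).
func VerifyPostAsGet(req *FlattenedJWS, accounts map[string]*ecdsa.PublicKey, nonce, url string) error {
	hdrBytes, err := base64.RawURLEncoding.DecodeString(req.Protected)
	if err != nil {
		return err
	}
	var hdr ProtectedHeader
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return err
	}
	if hdr.Alg != "ES256" {
		return errors.New("unsupported alg")
	}
	pub, ok := accounts[hdr.Kid]
	if !ok {
		return errors.New("unknown account")
	}
	if hdr.Nonce != nonce || hdr.URL != url {
		return errors.New("nonce or url mismatch")
	}
	if req.Payload != "" {
		return errors.New("not a POST-as-GET")
	}
	sig, err := base64.RawURLEncoding.DecodeString(req.Signature)
	if err != nil || len(sig) != 64 {
		return errors.New("malformed signature")
	}
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	digest := sha256.Sum256([]byte(req.Protected + "." + req.Payload))
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return errors.New("signature does not verify under the account key")
	}
	return nil
}

func main() {
	// Constructed data: a hypothetical CA with one IdO account; the CDN has its own key.
	idoKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cdnKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const kid = "https://ca.example/acme/acct/1"
	const certURL = "https://ca.example/acme/cert/star-1"
	accounts := map[string]*ecdsa.PublicKey{kid: &idoKey.PublicKey}

	req, _ := SignPostAsGet(idoKey, kid, "nonce-1", certURL)
	fmt.Println("IdO fetch:", VerifyPostAsGet(req, accounts, "nonce-1", certURL))

	// The delegate does not hold the IdO account key; signing with its own key is rejected.
	req, _ = SignPostAsGet(cdnKey, kid, "nonce-2", certURL)
	fmt.Println("delegate fetch:", VerifyPostAsGet(req, accounts, "nonce-2", certURL))
}
```

The second call in main fails because the CA verifies the JWS against the key registered for the kid, not against whichever key produced the signature, so the only way for the delegate to make this request is to be handed the IdO's private account key, which is precisely the sharing the mail says we want to avoid. (For reference, the published STAR spec, RFC 8739, resolves this by letting the order opt into unauthenticated GET of the certificate; that is outside what this mail discusses.)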

