IETF Logo Mail Archive

Re: [Acme] Secdir last call review of draft-ietf-acme-star-delegation-06

Russ Housley <housley@vigilsec.com> Mon, 22 March 2021 19:30 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79E123A0BEC for <acme@ietfa.amsl.com>; Mon, 22 Mar 2021 12:30:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.003
X-Spam-Level:
X-Spam-Status: No, score=0.003 tagged_above=-999 required=5 tests=[HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3qSUVUkNNbb7 for <acme@ietfa.amsl.com>; Mon, 22 Mar 2021 12:30:21 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 165883A0BED for <acme@ietf.org>; Mon, 22 Mar 2021 12:30:21 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 46B57300BA0 for <acme@ietf.org>; Mon, 22 Mar 2021 15:30:18 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id ar7RYUE86Nt3 for <acme@ietf.org>; Mon, 22 Mar 2021 15:30:12 -0400 (EDT)
Received: from [192.168.1.161] (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id D4D913001A8; Mon, 22 Mar 2021 15:30:11 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <966179D0-B67B-4CDF-9A4C-CF9F0B1D04E2@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_FBFB2F3E-FEF9-40DA-B06F-0A92C322A744"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.17\))
Date: Mon, 22 Mar 2021 15:30:12 -0400
In-Reply-To: <2FF4DF9C-2CE4-4E88-8334-D2D953E06BD4@gmail.com>
Cc: IETF ACME <acme@ietf.org>, last-call@ietf.org
To: Yaron Sheffer <yaronf.ietf@gmail.com>, Thomas Fossati <Thomas.Fossati@arm.com>
References: <161575930310.2025.16866904323712710819@ietfa.amsl.com> <3DDC13CC-4789-459D-9DA2-E023BC372D8C@arm.com> <2FF4DF9C-2CE4-4E88-8334-D2D953E06BD4@gmail.com>
X-Mailer: Apple Mail (2.3445.104.17)
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Mytj8TKbLz3qCq_4NcNUn81vtN0>
Subject: Re: [Acme] Secdir last call review of draft-ietf-acme-star-delegation-06
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Mar 2021 19:30:26 -0000

Yaron and Thomas:

Comments below ...

>> Abstract: It says: "...  party access to a certificate associated with
>> said identifier."  This is odd wording, and it is incorrect.  The
>> party needs access to the private key that corresponds to the public
>> key in the certificate, and the certificate needs to contain the
>> subject for "said identifier".  Clearly, all of that should not go in
>> the Abstract, but what does appear in the Abstract needs to be
>> technically accurate.
> 
>    https://github.com/yaronf/I-D/issues/139 <https://github.com/yaronf/I-D/issues/139>

I think it would be better to avoid the phrase "own a certificate".  Some certificate policies explicitly says that the issuer owns the certificate, and your use of "own" has nothing to do with that concept.  You are after a private key under the control of the CDN and a certificate that contains the domain name of the party performing the delegation.

>> Section 1 says: "...   name matches the authority ...".  I find this
>> description confusing.  I think it would be more clear to say that the
>> cache server needs to present a certificate whose subject name matches
>> the domain name of the URL that is requested.  The current wording is
>> very easy to confuse name of the Certification Authority.
> 
>    https://github.com/yaronf/I-D/issues/140 <https://github.com/yaronf/I-D/issues/140>

The proposed working looks fine.

>> Section 1 says:
>> 
>>   While the primary use case we address is delegation of STAR
>>   certificates, the mechanism proposed here accommodates any
>>   certificate managed with the ACME protocol.  See Section 2.4 for
>>   details.
>> 
>> This is not much of a hint that long-term certificates are supported
>> in addition to STAR certificates.  Further, a hint about the handling
>> of revocation is appropriate here.  Support for long-lived
>> certificates is in conflict with the title of the document.  Please
>> adjust the title of the document accordingly.
> 
>    https://github.com/yaronf/I-D/issues/141 <https://github.com/yaronf/I-D/issues/141>

This is very clear.  Thanks.

>> Section 2.3.2 says: "Besides, when delegation is for a STAR
>> certificate, ..." (in four places in this section).  I find this part
>> of the document structure a bit confusing.  Maybe it is the lask ot
>> adequate warning about support for long-lived certificates.  Maybe it
>> the the mixing of STAR certificate and long-lived certificate
>> processing in one section.  I suggest that separate sections be used
>> to present STAR certificate and long-lived certificate processing
> 
>    https://github.com/yaronf/I-D/issues/142 <https://github.com/yaronf/I-D/issues/142>

The restructuring is quire difficult to review in the markdown.  I cannot be sure this addresses my comment.  That said, the word "besides" does not appear in the document, so this has probably been sorted out.

>> In Section 2.3.4, the text is begging for one more sentence.  Please
>> say something about the fact that the STAR certificate will expire
>> shortly after the automatic renewal process is stopped by the IdO.
> 
>    https://github.com/yaronf/I-D/issues/143 <https://github.com/yaronf/I-D/issues/143>

The proposed working looks fine.

>> Section 2.4 is not sufficient to explain the revocation processing.
>> Only the NDC has the private key needed to make the ACME revocation
>> request, but this does not get stated in the text.  Also, it is not
>> clear to me how the NDC knows where to send the revocation request
>> since the IdO is the ACME account owner.  In addition, the phrase
>> "would create a self-inflicted DoS" needs more explanation.
> 
>    https://github.com/yaronf/I-D/issues/144 <https://github.com/yaronf/I-D/issues/144>

As with issue 142, it is difficult to review in this form, but I think the concern has been resolved.

>> Section 5.6 registers a string name for each extendedKeyUsage OID.
>> There should be a way to provide the OID in dotted decimal format as
>> well.  New OIDs are being assigned all the time, and some of them may
>> not be registered with IANA.
> 
>    https://github.com/yaronf/I-D/issues/145 <https://github.com/yaronf/I-D/issues/145>

I see the regex in CSR-template/template-schema.cddl, but I think there should also be text in Section 5.6.

>> Section 5.6 registers a string name for each type of subjectAltName.
>> This include otherName, which are identified by an OID.  New OIDs are
>> being assigned all the time.  For example, draft-ietf-anima-autonomic-
>> control-plane-30 creates a new otherName.  There should be a way to
>> provide the the otherName OID in dotted decimal format as well.
> 
>    https://github.com/yaronf/I-D/issues/146 <https://github.com/yaronf/I-D/issues/146>

This comment is not about authorizations.  Of course, for each name form in the SubjectAltName, the ACME CA needs to confirm control over the requested name.

Why are you explicitly allowing email address with no discussion of this point?  Email address raises the same concerns as the otherName.

>> Minor Concerns:
>> 
>> Abstract: Please spell out ACME, CDN, and STAR.  These are not marked
>> as "well known" in the RFC Editor abbreviation expansion list.
>> 
>> Section 1.1: Please change CA to "Certification Authority".  See
>> Section 3 of RFC 5280.  This changes is also needed elsewhere in the
>> document.
>> 
>> Section 1.1: Please add CDNI, uCDN, dCDN, PASSPorT, CSR and FQDN to
>> the list of terms.
> 
>    https://github.com/yaronf/I-D/issues/147 <https://github.com/yaronf/I-D/issues/147>

It is not clear to me why some were added, but others were not.

>> Section 1 describes [I-D.mglt-lurk-tls13] as an ongoing effort.  This
>> is not accurate.  The LURK BoF did not lead to a WG or an effort in an
>> existing WG.  I think the best way forward is to drop this reference.
> 
>    https://github.com/yaronf/I-D/issues/148 <https://github.com/yaronf/I-D/issues/148>

Not clear that LURK will gain acceptance, but TLS-Subcerts is about to be passed to the IESG.

>> Nits:
>> 
>> Section 2 says: "... in this draft ...".  Please use a work that will
>> still be appropriate when this document becomes an RFC.
>> 
>> Section 2.4: s/Sec. 7.6/Section 7.6/  (and many other places)
> 
>    https://github.com/yaronf/I-D/issues/149 <https://github.com/yaronf/I-D/issues/149>

Thanks for making this change.

>> IDnits reports:
>> 
>>  ** There are 3 instances of too long lines in the document, the
>>     longest one  being 4 characters in excess of 72.
>> 
>>  == There are 4 instances of lines with non-RFC6890-compliant IPv4
>>     addresses in the document.  If these are example addresses, they
>>     should be changed.
>> 
>> [I suspect these are not IPv4 addresses, but OIDs in dotted decimal.]
> 
>    https://github.com/yaronf/I-D/issues/150 <https://github.com/yaronf/I-D/issues/150>

I cannot check this in markdown format.  Please run IDnits.

Russ

v2.23.0 | Report a Bug | By Email