Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf-acme-star-09: (with DISCUSS and COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Thu, 10 October 2019 16:00 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A0C71200E0; Thu, 10 Oct 2019 09:00:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hJQuyxKGmUT6; Thu, 10 Oct 2019 09:00:26 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34A9C1200C3; Thu, 10 Oct 2019 09:00:26 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x9AG0HhT030662 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 10 Oct 2019 12:00:19 -0400
Date: Thu, 10 Oct 2019 09:00:16 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Thomas Fossati <Thomas.Fossati@arm.com>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-acme-star@ietf.org" <draft-ietf-acme-star@ietf.org>, Rich Salz <rsalz@akamai.com>, "acme-chairs@ietf.org" <acme-chairs@ietf.org>, "acme@ietf.org" <acme@ietf.org>
Message-ID: <20191010160016.GZ76545@kduck.mit.edu>
References: <157003958107.8961.10411719007130526381.idtracker@ietfa.amsl.com> <AB791FFF-011A-4A6E-B136-23C6204288B6@arm.com> <20191003141911.GS6424@kduck.mit.edu> <C117C671-827A-44CC-B438-9624E61A768C@arm.com> <20191005000717.GR6722@kduck.mit.edu> <F18E5713-0C18-4AB2-9FAC-55657CF7C204@arm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <F18E5713-0C18-4AB2-9FAC-55657CF7C204@arm.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/OQyHj5GwV8xMe7dr4CR68_zpqgA>
Subject: Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf-acme-star-09: (with DISCUSS and COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Oct 2019 16:00:29 -0000
On Tue, Oct 08, 2019 at 10:07:12AM +0000, Thomas Fossati wrote: > Hi Ben, > > On 05/10/2019, 02:07, "Benjamin Kaduk" <kaduk@mit.edu> wrote: > > On Thu, Oct 03, 2019 at 05:33:49PM +0000, Thomas Fossati wrote: I'm > > trying to think about the risk that a future use case for > > "allow-certificate-get" might want slightly different semantics for > > when it's used, or need the certificate to be at a different URL, or > > similar. Right now the GET option only applies to the > > star-certificate resource and trying to retroactively expand its scope > > could be messy. > > I might be seeing this from the wrong angle, but I'm not sure I > understand what the concrete risk is: "allow-certificate-get" is > isolated in the "auto-renewal" sub-namespace. A future, slightly > different "allow-certificate-get" can either be assigned to the > top-level namespace (if it provides general enough semantics) - and > deprecate the "auto-renewal" version - or carve its own special name > and exist in parallel. You are right -- I must have misread and missed the "auto-renewal" namespacing. Sorry about that. > > > Yes, one of the motivating use cases of this work was support of > > > delegation from content providers (name owners) to CDNs, where > > > multiple edge caches might need to fetch the same STAR cert. > > > > It might be worth mentioning that in the treatment of caching. > > OK, will add. > > > > Not sure I follow the line of reasoning. CSRs are one-off > > > proofs-of-possession and certificates are issued from CSRs with > > > varying validities. I think what you are saying instead is that > > > (end-date - start-date) of STAR certificates should be comparable to > > > (notAfter - notBefore) of "traditional" certs? > > > > That's what I was trying to say, yes. > > OK, will add. > > > > "timeliness issue" in the sense that with STAR you need to sit and > > > wait the cert to expire. I'm not sure it's the right English > > > word... > > > > "potential for lack of timeliness in the revocation taking effect" is > > perhaps a way to word it (I did not wordsmith very much). > > Thanks, that sounds very good -- at least to my Italian ear :-) > > > > > auto-renewal "lifetime". Alternatively, the CA can set an > > > > internal certificate generation processes rate limit. > > > > > > > > Wouldn't this run the risk of failing to meet the CA's guarantees > > > > on producing renewed certificates? > > > > > > Not if it refuses to accept new requests at the ACME interface. > > > > I'd consider noting that this limit has to take account of > > already-scheduled renewal issuances as well as new incoming requests. > > Maybe it's sufficiently obvious that it goes without saying, though; I > > don't think I have the same context that most readers will have. > > I don't think it harms to spell it out explicitly. > > Thanks again. Thanks for the updates! -Ben
- [Acme] Benjamin Kaduk's Discuss on draft-ietf-acm… Benjamin Kaduk via Datatracker
- Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf… Thomas Fossati
- Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf… Thomas Fossati
- Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf… Thomas Fossati
- Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk