IETF Logo Mail Archive

Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf-acme-star-09: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Thu, 10 October 2019 16:00 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A0C71200E0; Thu, 10 Oct 2019 09:00:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hJQuyxKGmUT6; Thu, 10 Oct 2019 09:00:26 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34A9C1200C3; Thu, 10 Oct 2019 09:00:26 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x9AG0HhT030662 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 10 Oct 2019 12:00:19 -0400
Date: Thu, 10 Oct 2019 09:00:16 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Thomas Fossati <Thomas.Fossati@arm.com>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-acme-star@ietf.org" <draft-ietf-acme-star@ietf.org>, Rich Salz <rsalz@akamai.com>, "acme-chairs@ietf.org" <acme-chairs@ietf.org>, "acme@ietf.org" <acme@ietf.org>
Message-ID: <20191010160016.GZ76545@kduck.mit.edu>
References: <157003958107.8961.10411719007130526381.idtracker@ietfa.amsl.com> <AB791FFF-011A-4A6E-B136-23C6204288B6@arm.com> <20191003141911.GS6424@kduck.mit.edu> <C117C671-827A-44CC-B438-9624E61A768C@arm.com> <20191005000717.GR6722@kduck.mit.edu> <F18E5713-0C18-4AB2-9FAC-55657CF7C204@arm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <F18E5713-0C18-4AB2-9FAC-55657CF7C204@arm.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/OQyHj5GwV8xMe7dr4CR68_zpqgA>
Subject: Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf-acme-star-09: (with DISCUSS and COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Oct 2019 16:00:29 -0000

On Tue, Oct 08, 2019 at 10:07:12AM +0000, Thomas Fossati wrote:
> Hi Ben,
> 
> On 05/10/2019, 02:07, "Benjamin Kaduk" <kaduk@mit.edu> wrote:
> > On Thu, Oct 03, 2019 at 05:33:49PM +0000, Thomas Fossati wrote: I'm
> > trying to think about the risk that a future use case for
> > "allow-certificate-get" might want slightly different semantics for
> > when it's used, or need the certificate to be at a different URL, or
> > similar.  Right now the GET option only applies to the
> > star-certificate resource and trying to retroactively expand its scope
> > could be messy.
> 
> I might be seeing this from the wrong angle, but I'm not sure I
> understand what the concrete risk is: "allow-certificate-get" is
> isolated in the "auto-renewal" sub-namespace.  A future, slightly
> different "allow-certificate-get" can either be assigned to the
> top-level namespace (if it provides general enough semantics) - and
> deprecate the "auto-renewal" version - or carve its own special name
> and exist in parallel.

You are right -- I must have misread and missed the "auto-renewal"
namespacing.  Sorry about that.

> > > Yes, one of the motivating use cases of this work was support of
> > > delegation from content providers (name owners) to CDNs, where
> > > multiple edge caches might need to fetch the same STAR cert.
> >
> > It might be worth mentioning that in the treatment of caching.
> 
> OK, will add.
> 
> > > Not sure I follow the line of reasoning.  CSRs are one-off
> > > proofs-of-possession and certificates are issued from CSRs with
> > > varying validities.  I think what you are saying instead is that
> > > (end-date - start-date) of STAR certificates should be comparable to
> > > (notAfter - notBefore) of "traditional" certs?
> >
> > That's what I was trying to say, yes.
> 
> OK, will add.
> 
> > > "timeliness issue" in the sense that with STAR you need to sit and
> > > wait the cert to expire.  I'm not sure it's the right English
> > > word...
> >
> > "potential for lack of timeliness in the revocation taking effect" is
> > perhaps a way to word it (I did not wordsmith very much).
> 
> Thanks, that sounds very good -- at least to my Italian ear :-)
> 
> > > >    auto-renewal "lifetime".  Alternatively, the CA can set an
> > > >    internal certificate generation processes rate limit.
> > > >
> > > > Wouldn't this run the risk of failing to meet the CA's guarantees
> > > > on producing renewed certificates?
> > >
> > > Not if it refuses to accept new requests at the ACME interface.
> >
> > I'd consider noting that this limit has to take account of
> > already-scheduled renewal issuances as well as new incoming requests.
> > Maybe it's sufficiently obvious that it goes without saying, though; I
> > don't think I have the same context that most readers will have.
> 
> I don't think it harms to spell it out explicitly.
> 
> Thanks again.

Thanks for the updates!

-Ben

v2.23.0 | Report a Bug | By Email