Re: [Acme] Second AD Review: draft-ietf-acme-star
Roman Danyliw <rdd@cert.org> Thu, 11 July 2019 15:08 UTC
Return-Path: <rdd@cert.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2526412030F for <acme@ietfa.amsl.com>; Thu, 11 Jul 2019 08:08:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id leim_gacPuPJ for <acme@ietfa.amsl.com>; Thu, 11 Jul 2019 08:07:56 -0700 (PDT)
Received: from taper.sei.cmu.edu (taper.sei.cmu.edu [147.72.252.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24AE0120303 for <acme@ietf.org>; Thu, 11 Jul 2019 08:07:56 -0700 (PDT)
Received: from korb.sei.cmu.edu (korb.sei.cmu.edu [10.64.21.30]) by taper.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id x6BF7q7X023550; Thu, 11 Jul 2019 11:07:52 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu x6BF7q7X023550
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1562857672; bh=ZW/grhfAg+zPdB/el+rWP9mMpaIbf8S+G739MN/qkgw=; h=From:To:Subject:Date:References:In-Reply-To:From; b=Qn4uvVvJ4hsMCqVgNMg59IGRNaKI+Is0uzb/0JD9ldnXuVZNLpPLAW0QOZGUT9DlK ew3R6FNtae7NueBzvyA+1jzk0DcrphQB0IEYrhypTfAe+wE5q0jmrSFtWfL3JVeC7X a+UozwPnMLBrLq0WH2IeFjGKrHlyHjO3nAtzx38A=
Received: from CASCADE.ad.sei.cmu.edu (cascade.ad.sei.cmu.edu [10.64.28.248]) by korb.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id x6BF7iol028734; Thu, 11 Jul 2019 11:07:44 -0400
Received: from MARCHAND.ad.sei.cmu.edu ([10.64.28.251]) by CASCADE.ad.sei.cmu.edu ([10.64.28.248]) with mapi id 14.03.0439.000; Thu, 11 Jul 2019 11:07:43 -0400
From: Roman Danyliw <rdd@cert.org>
To: 'Thomas Fossati' <Thomas.Fossati@arm.com>, "acme@ietf.org" <acme@ietf.org>
Thread-Topic: [Acme] Second AD Review: draft-ietf-acme-star
Thread-Index: AQHVME+pqBBnRgjCJECNx8HuPcPLiaa6VksA
Date: Thu, 11 Jul 2019 15:07:43 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC01B33CD580@marchand>
References: <AA4F08D4-5890-4ADA-93FD-CF6DFD631884@arm.com>
In-Reply-To: <AA4F08D4-5890-4ADA-93FD-CF6DFD631884@arm.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/OUKIjVpo9wu9j0k0elo6iuyMGGM>
Subject: Re: [Acme] Second AD Review: draft-ietf-acme-star
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jul 2019 15:08:04 -0000
Hi Thomas! > -----Original Message----- > From: Thomas Fossati [mailto:Thomas.Fossati@arm.com] > Sent: Monday, July 1, 2019 4:58 PM > To: Roman Danyliw <rdd@cert.org>; acme@ietf.org > Cc: Thomas Fossati <Thomas.Fossati@arm.com> > Subject: Re: [Acme] Second AD Review: draft-ietf-acme-star > > Hi Roman, > > Thank you very much for the review. > > > I conducted as second AD review of draft-ietf-acme-star per the AD > > hand-off. I have the following feedback: > > > > ** (From the first AD review) Per the issue of PS vs. Experimental > > status - I reviewed Section 5, Shepherd Write-up and the ML thread of > > the previous AD review > > > (https://mailarchive.ietf.org/arch/msg/acme/ZWRzPxrWBrp_xjEn98A4HOBxk > c4). > > From that I see there was one prototype implementation (from MAMI, > > thanks!) and a hackathon. To following up, who has indicated interest > > in implementing this draft? > > Provided that as editors we have no say in the matter (we just do as told by > the working group), a few additional data points: > - The MAMI implementation is being integrated with the OSM orchestrator > [0] for NFV workloads; > - GSMA is considering ACME STAR as one of the reference solutions for > handling encrypted content in CDNI (see also [1]); > - In the past few months there's been discussion related to the use of > short-term certs for non-web use cases (see [2]), for example in the > ANIMA control plane [3]. > > [0] https://osm.etsi.org > [1] https://datatracker.ietf.org/doc/draft-ietf-cdni-interfaces-https- > delegation > [2] https://www.ietf.org/archive/id/draft-nir-saag-star-01.txt > [3] https://datatracker.ietf.org/doc/draft-ietf-anima-autonomic-control- > plane Given this information, I'm more comfortable with it being PS. All of the new text in -06 or clarifications below address my concerns. Thanks for the revisions and clarifications. I'll advance the draft. Roman > > ** Section 2.1. Per "The bootstrap phase ends when the Id0 obtains a > > confirmation from the ACME CA that includes a star-certificate > > endpoint", what's a "star certificate endpoint" and how is that > > different than an "order URL for the issued STAR certificate" (per the > > previous paragraph)? > > You are right that the wording is not precise enough. > > We have modified Section 2.1., paragraph 3: > > OLD: > > [...]. Per normal ACME processing, the IdO is given back an > order URL for the issued STAR certificate to be used in subsequent > interaction with the CA (e.g., if the certificate needs to be > terminated.) > > NEW: > > [...]. Per normal ACME processing, the IdO is given back an > Order resource associated with the STAR certificate to be used in > subsequent interaction with the CA (e.g., if the certificate needs to > be terminated.) > > And Section 2.1., paragraph 4: > > OLD: > > The bootstrap phase ends when the IdO obtains a confirmation from the > ACME CA that includes a star-certificate endpoint. > > NEW: > > The bootstrap phase ends when the ACME CA updates the Order resource > to include the URL for the issued STAR certificate. > > > > ** Section 2.2. Per "The CA issues the initial certificate, typically > > when the authorization is done", what is the circumstance where the > > certificate is issued before the authorization? > > Not sure how "typically" ended up here. > > Section 2.2., paragraph 1: > OLD: > > The CA issues the initial certificate, typically when the > authorization is done. [...] > > NEW: > > The CA issues the initial certificate after the authorization > completes successfully. [...] > > > ** Section 3.1.2. Per "The server MUST NOT issue any additional > > certificates for this order beyond the certificate that is available > > for collection at the time of deletion": -- what is "time of > > deletion"? Is that the same as the time order cancelation? -- What > > does "beyond the certificate that is available for collection" mean if > > the text below this sentence says that accessing the star-certificate > > URL should return a 403 error? > > Section 3.1.2., paragraph 4: > OLD: > > The server MUST NOT issue any additional certificates for this order, > beyond the certificate that is available for collection at the time > of deletion. > > NEW: > > After a successful cancellation, the server MUST NOT issue any > additional certificates for this order. > > > ** Section 3.3. The example shows a Link HTTP header but does not > > explain how it should be populated. > > As per ACME spec (Section 7.1) the Link header points to the directory > resource: > > The "index" link relation is present on all resources other than the > directory and indicates the URL of the directory. > > > ** Section 7. I didn't see any language in the Security Consideration > > about the impact/exposure of shifting to a model where certificate > > revocation doesn't occur. In Section 1, [Topalovic] hints at > > potentially cover this topic, but the site used in the reference > > section didn't resolve for me. It needs some treatment in the > > Security Considerations > > Thanks for catching the broken ref, updated: > > [Topalovic] > Topalovic, E., Saeta, B., Huang, L., Jackson, C., and D. > Boneh, "Towards Short-Lived Certificates", 2012, > <http://www.ieee-security.org/TC/W2SP/2012/papers/ > w2sp12-final9.pdf>. > > > With regards to the Security Consideration, we have lifted the text from (the > currently expired) draft-nir-saag-star: > > 7.1. No revocation > > STAR certificates eliminate an important security feature of PKI > which is the ability to revoke certificates. Revocation allows the > administrator to limit the damage done by a rogue node or an > adversary who has control of the private key. With STAR certificates > expiration replaces revocation so there is a timeliness issue. To > that end, see also the discussion on clock skew in Section 4.1. > > It should be noted that revocation also has timeliness issues, > because both CRLs and OCSP responses have nextUpdate fields that tell > RPs how long they should trust this revocation data. These fields > are typically set to hours, days, or even weeks in the future. Any > revocation that happens before the time in nextUpdate goes unnoticed > by the RP. > > More discussion of the security of STAR certificates is available in > [Topalovic]. > > > ** Section 7.2. The guidance in Section 7.2 seems appropriate for the > > identified privacy issue. However, it also seems to apply to the more > > basic security issue of guessing the URL too. -- Is there a reason > > why this isn't mentioned as a security issue too? -- Why is the > > recommendation for a server to choose URLs in a non-guessable only a > > SHOULD and not a MUST? Under what circumstances would it be > advisable > > for the URLs to be guessable? > > This is the same requirement level that we have in 8555 (Section 10.5); we > have added an explicit reference to avoid any future confusion. > > Section 7., paragraph 5: > OLD: > > In order to avoid correlation of certificates by account, if > unauthenticated GET is negotiated (Section 3.4) the server SHOULD > choose URLs of certificate resources in a non-guessable way, for > example using capability URLs [W3C.WD-capability-urls-20140218]. > > NEW: > > In order to avoid correlation of certificates by account, if > unauthenticated GET is negotiated (Section 3.4) the recommendation in > Section 10.5 of [RFC8555] regarding the choice of URL structure > applies, i.e. servers SHOULD choose URLs of certificate resources in > a non-guessable way, for example using capability URLs > [W3C.WD-capability-urls-20140218]. > > > Editorial Feedback: > > Please see https://www.ietf.org/rfcdiff?url2=draft-ietf-acme-star-06 for the > details. > > > ** Section 1.0 Per the sentence "The Id0 can terminate the automatic > > renewal before the natural deadline", what's a "natural deadline"? > > Isn't it a "negotiated deadline" or "negotiated renewal window"? > > That's definitely better. Fixed. > > > ** Section 1.1 It seems odd to call out name delegation as the only > > formal use case. > > It's not the only formal use case, but one that is maybe non-obvious, so we > think it's worth calling it out. > > > ** Section 2.2. Per Figure 1, this isn't explicitly noted as an > > example so it strikes me as inappropriate to include "72-hours" as the > > auto-renew period is negotiated (as it is so specific and could be > > read as normative). Either call this an example or change "72 hours" > > to be something on the order of "short validity period". > > Fixed. > > > ** Section 2.3. Figure 2 is included in Section 2.3 but is not > > referenced in the text. > > Fixed. > > > ** Sections 3.1.1, 3.1.2. What is the role of the json blob after the > > first paragraph? It isn't referenced in the text and doesn't have a > > figure number. > > Removed -- in fact, the subsequent "attribute-name (optionality, type)" > makes it redundant. > > > ** Section 3.1.1. Add a citation to "Section 7.1.3 of RFC8555" for > > notBefore and notAfter. > > Fixed. > > > ** Section 3.1.1. Add the citation "Section 7.1.6 of RFC8555" to the > > sentence, "ACME defines the following values ..." to make it clear > > what part of ACME you are updating/extending. > > Fixed. > > > ** Section 3.1.1. The first few paragraphs describing the new STAR > > items in the request as "attributes". However, the last paragraph > > starting with "A STAR certificate ..." refers to "certificate" and > > "star-certificate" as a "key". Be consistent. > > Fixed (s/key/attribute/g). > > > ** Section 3.2. Typo. /The directory/the directory/ > > Fixed. > > > ** Section 3.2. As the meta field is being extended, add a reference > > to Section 9.7.6 of RFC8555. > > Fixed. > > > ** Section 3.2. Use attribute or key to referrer to the additions to > > the "meta" field, not both. > > Fixed. > > > ** Section 3.2, 3.3. Per the example, I recommend making this an > > explicit figure with a number that you reference instead of > > introducing it with a long sentence that ends with a colon. > > Fixed. > > > ** Section 3.4. The recurrent-certificate-get is referred to as an > > attribute, but here it is called a key. I recommend making this > > consistent. > > Fixed (see above). > > > ** Section 3.4. Does the sentence "If the server accepts the request, > > it MUST reflect the key in the Order" mean that if the server accepts > > the request to support unauthenticated GETs, it will keep the > > recurrent-certificate-get=true in the order response? If so, I'd > > recommend making this sentence a little clearer as without the assumed > > context of the section I didn't understand what it meant to "reflect a > > key". > > Yes, your guess is correct. The term "reflect" is used in various places in the > base ACME spec to the same purpose. Please, check if the following is > clearer: > > OLD: > > If the server accepts the request, it MUST reflect the key in the > Order. > > NEW: > > If the server accepts the request, it MUST reflect the attribute > setting in the resulting Order object. > > > ** Section 3.5.1. Per the array after the text "The notBefore and > > notAfter ... paragraph", why is this a JSON styled array? > > No specific reason; it seemed to me like a convenient way to compactly > express both intervals' ordering and extent... It turns out Yaron also didn't > like it and took your hint to reformat the content into a table. > > Cheers & thanks again for the great feedback! > > > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose the > contents to any other person, use it for any purpose, or store or copy the > information in any medium. Thank you.
- [Acme] Second AD Review: draft-ietf-acme-star Roman Danyliw
- Re: [Acme] Second AD Review: draft-ietf-acme-star Thomas Fossati
- Re: [Acme] Second AD Review: draft-ietf-acme-star frederic.fieau
- Re: [Acme] Second AD Review: draft-ietf-acme-star sanjay.mishra
- Re: [Acme] Second AD Review: draft-ietf-acme-star Roman Danyliw