Re: [Acme] draft-ietf-acme-star
Ryan Sleevi <ryan-ietf@sleevi.com> Wed, 11 September 2019 16:52 UTC
Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37F0D120AF4 for <acme@ietfa.amsl.com>; Wed, 11 Sep 2019 09:52:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Level:
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.026, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0j7_yZyFQUWH for <acme@ietfa.amsl.com>; Wed, 11 Sep 2019 09:52:45 -0700 (PDT)
Received: from mail-ed1-f52.google.com (mail-ed1-f52.google.com [209.85.208.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6096120AF1 for <acme@ietf.org>; Wed, 11 Sep 2019 09:52:44 -0700 (PDT)
Received: by mail-ed1-f52.google.com with SMTP id f19so21228660eds.12 for <acme@ietf.org>; Wed, 11 Sep 2019 09:52:44 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=V7ytQrBFdQkDSt8ls5JTPDeY5LwXSIRsh8m3LXML+dQ=; b=R/TPu3OWOYaBOdVUJUrEVQWu4cnNMoXBTN1ckM5/caDwMUrRgu/kOOvpSwwMXMoO7X RKMfi+WNrPcZkkyhSIuRhtrzmlGBM51x9zqxTkg0adlCL2hG6QRSKRAGZt9gmnClN0u3 sGygmHaIsJixNDbMRqNuhXuq9oGnOZP5kbtWTmbXXYXtO/bY2LyJqYGljc05yWrnFj0W pZAmMqtJqn2YIZkE3MWyRuVH7ZpQFUXGqFOJke2axjoBvXJzSFlcfEnE4t12ttzA49qU 6On8FXxcxEB3zha/7SIYzjG2RwXhIAqoVjwnF573b19UGFhAV+hZ//I3pqSfjX9U1Qnh iA7g==
X-Gm-Message-State: APjAAAW+9L481VaudcGAtH7Z8CXpv8qsll+GtDS8ULEQTYOREWKUchx2 D9FVTCvSPwvXx/4tL3rbSn3VHgWK
X-Google-Smtp-Source: APXvYqwXwCU6vSC7zKbWY25XyZybI1/KwnKuQrx9rpfAt7YxXdG5NbFnur2cQOy1wOSq/7FQs3oqCA==
X-Received: by 2002:a17:906:804d:: with SMTP id x13mr30294102ejw.134.1568220762723; Wed, 11 Sep 2019 09:52:42 -0700 (PDT)
Received: from mail-wr1-f47.google.com (mail-wr1-f47.google.com. [209.85.221.47]) by smtp.gmail.com with ESMTPSA id f36sm4147070ede.28.2019.09.11.09.52.41 for <acme@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 11 Sep 2019 09:52:42 -0700 (PDT)
Received: by mail-wr1-f47.google.com with SMTP id k6so13235642wrn.11 for <acme@ietf.org>; Wed, 11 Sep 2019 09:52:41 -0700 (PDT)
X-Received: by 2002:a5d:5642:: with SMTP id j2mr369704wrw.345.1568220761510; Wed, 11 Sep 2019 09:52:41 -0700 (PDT)
MIME-Version: 1.0
References: <CAL02cgST77G9uR23x4Hf0L8_hqi6zSuJqB=dbunGYcDPEDpbDg@mail.gmail.com> <94D1B74E-8AD8-4623-8DFB-E9C132BBB940@arm.com> <CAL02cgTM+dTJ6enzpnb=dSCzbDMR+3Xadp4r4a3xuzzhxPgJag@mail.gmail.com> <1D779B7D-3661-49B6-BC75-A41B69F3768F@akamai.com> <81C03A03-8189-4BB6-A4B1-131B25831ED7@arm.com>
In-Reply-To: <81C03A03-8189-4BB6-A4B1-131B25831ED7@arm.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Wed, 11 Sep 2019 12:52:30 -0400
X-Gmail-Original-Message-ID: <CAErg=HHmwF+=NjSBqsKRw28P5rLV1vY+oZKY9WNGcQLN7ujCYA@mail.gmail.com>
Message-ID: <CAErg=HHmwF+=NjSBqsKRw28P5rLV1vY+oZKY9WNGcQLN7ujCYA@mail.gmail.com>
To: Thomas Fossati <Thomas.Fossati@arm.com>
Cc: "Salz, Rich" <rsalz@akamai.com>, Richard Barnes <rlb@ipv.sx>, IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006b5c05059249d9c8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/QdnNbkY5QuDXQlzx9PPZG1i7Qcs>
Subject: Re: [Acme] draft-ietf-acme-star
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Sep 2019 16:52:47 -0000
On Wed, Sep 11, 2019 at 12:09 PM Thomas Fossati <Thomas.Fossati@arm.com> wrote: > 2 The pre-dating that the ACME server MUST do on cert rotation to > prevent the client to fetch a not-yet-valid credential (i.e., the > overlap you mention). > > IIUC, you are suggesting to drop the former, i.e., removing the ability > for a client to request recurrent-certificate-predate, correct? Or are > you suggesting to only remove the RECOMMENDED from section 4.1? > I'm not Richard, but with respect to publicly trusted certificates, issuing a certificate with a notBefore set prior to that certificate was issued is seen as, minimally, problematic, and at times has resulted in a complete removal of trust in that CA, particularly if/when such actions have lead to bypasses of technical controls enforced based upon the notBefore. The clock skew problem is, admittedly, real, and the general solution as practiced by industry-recognized CAs and Subscribers is to generate the request and issue the certificate in advance of its actual deployment, rather than to issue the certificate and then back-date it to facilitate deployment. To that end, the language about "amount of pre-dating added to each STAR certificate" (in 3.1.1) is, as Richard highlighted, about the overlap that exists. The language in Section 4.1, however, should be clarified to be clear that the CA/ACME server MUST NOT set the notBefore to before the request, but instead about ensuring that the STAR client requests the 'next certificate' in advance of the actual deployment. This may substantially alter the protocol, it's unclear, but it's extremely unwise, if not outright fatal to interoperability, to issue a certificate with a notBefore set prior to the request, and it seems that is what is meant by Section 4.1.
- [Acme] draft-ietf-acme-star Richard Barnes
- Re: [Acme] draft-ietf-acme-star Thomas Fossati
- Re: [Acme] draft-ietf-acme-star Richard Barnes
- Re: [Acme] draft-ietf-acme-star Salz, Rich
- Re: [Acme] draft-ietf-acme-star Thomas Fossati
- Re: [Acme] draft-ietf-acme-star Ryan Sleevi
- Re: [Acme] draft-ietf-acme-star Salz, Rich
- Re: [Acme] draft-ietf-acme-star Thomas Fossati
- Re: [Acme] draft-ietf-acme-star Roman Danyliw
- Re: [Acme] draft-ietf-acme-star Thomas Fossati
- Re: [Acme] draft-ietf-acme-star Thomas Fossati