Re: [Acme] Éric Vyncke's No Objection on draft-ietf-acme-star-09: (with COMMENT)

Thomas Fossati <Thomas.Fossati@arm.com> Tue, 08 October 2019 10:19 UTC

From: Thomas Fossati <Thomas.Fossati@arm.com>
To: Éric Vyncke <evyncke@cisco.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-acme-star@ietf.org" <draft-ietf-acme-star@ietf.org>, Rich Salz <rsalz@akamai.com>, "acme-chairs@ietf.org" <acme-chairs@ietf.org>, "acme@ietf.org" <acme@ietf.org>, Thomas Fossati <Thomas.Fossati@arm.com>
Thread-Topic: Éric Vyncke's No Objection on draft-ietf-acme-star-09: (with COMMENT)
Thread-Index: AQHVee1v827HYp1a1Ee+kBvDNv6dPKdQoJgA
Date: Tue, 08 Oct 2019 10:19:18 +0000
Message-ID: <E90A5597-4744-4E73-B2F0-8D20BBE8C2C5@arm.com>
References: <157010887094.16204.10515624307041176363.idtracker@ietfa.amsl.com>
In-Reply-To: <157010887094.16204.10515624307041176363.idtracker@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/QvbwPSVsJ7m7PWvpdcyo8zdKt7c>

Hi Éric,

Apologies for the late reply.

On 03/10/2019, 15:21, "Éric Vyncke via Datatracker" <noreply@ietf.org> wrote:
> Thank you for the work put into this document. While I am balloting
> "no objection", I support Alexey's DISCUSS.
>
> I am also wondering what the impact of the increased rate of
> requests to the ACME server is. While sections 4 and 5 answered most of
> the questions popping up in my mind when reading the document, I am
> still concerned that going from a 90-day to a 3-day validity is
> probably multiplying the load on the ACME server by 30. Are the free
> existing ACME servers ready to continue their free services?

This is a very good point.  Unfortunately I have no figures WRT the cost
split between issuance and the authorization/validation phases, so I
don't know whether 30x is actually the right multiplier.

Regardless, I think the main shift here is about trading the cost of
automatic renewal (timer, signature, state update, and the glue logic
that goes with it) vs maintaining the revocation infrastructure (CRL and
OCSP) for EE certs.  (Note that revo is not just a cost on the CA but on
clients and servers as well.)

Hopefully, we have given enough knobs to an ACME CA to reasonably
dimension the offered service, should they decide to provide STAR to
their users.

Cheers, thank you!
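An added worked example (not part of the thread, and not the draft's own text) of the cost-split reasoning above: a toy load model in which the 30x figure only holds when per-certificate issuance dominates, because a STAR order is assumed to be validated once and then re-issued on a timer without re-running authorization. The cost units, the yearly order lifetime and the classic-vs-STAR split are assumptions of the model, not figures from the discussion.

```python
"""Toy CA load model: classic ACME renewal vs. STAR recurrent issuance.

Constructed example. Assumptions (not figures from the thread):
  - a classic ACME client re-runs identifier authorization on every
    renewal, so each renewal costs authz + issuance;
  - a STAR order is authorized once per order lifetime and then the CA
    re-issues on its own timer, paying only the issuance cost each time.
"""
import math
from dataclasses import dataclass

DAYS_PER_YEAR = 365.0


@dataclass(frozen=True)
class CostModel:
    authz_cost: float      # challenge setup, HTTP/DNS validation, bookkeeping
    issuance_cost: float   # CSR check, signing, state update, publication


def classic_yearly_load(validity_days: float, cost: CostModel) -> float:
    """Yearly CA work for one identifier under non-STAR ACME renewal."""
    renewals = DAYS_PER_YEAR / validity_days
    return renewals * (cost.authz_cost + cost.issuance_cost)


def star_yearly_load(validity_days: float, cost: CostModel,
                     order_lifetime_days: float = DAYS_PER_YEAR) -> float:
    """Yearly CA work for one STAR order: one authz per order lifetime,
    one issuance per certificate validity period (assumed model)."""
    orders = DAYS_PER_YEAR / order_lifetime_days
    issuances = DAYS_PER_YEAR / validity_days
    return orders * cost.authz_cost + issuances * cost.issuance_cost


def load_multiplier(baseline_validity: float, star_validity: float,
                    cost: CostModel,
                    order_lifetime_days: float = DAYS_PER_YEAR) -> float:
    """How much more CA work STAR at star_validity costs than classic ACME
    at baseline_validity, e.g. 3-day STAR certs vs 90-day classic certs."""
    return (star_yearly_load(star_validity, cost, order_lifetime_days)
            / classic_yearly_load(baseline_validity, cost))


if __name__ == "__main__":
    for label, cost in (("issuance-only", CostModel(0.0, 1.0)),
                        ("authz 9 : issuance 1", CostModel(9.0, 1.0)),
                        ("authz-only", CostModel(1.0, 0.0))):
        print(f"{label:>22}: 90d -> 3d multiplier = "
              f"{load_multiplier(90, 3, cost):.2f}x")
```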

