IETF Logo Mail Archive

Re: [Acme] AD review of draft-ietf-acme-authority-token-05

"Peterson, Jon" <jon.peterson@team.neustar> Mon, 12 July 2021 22:57 UTC

Return-Path: <prvs=08277a9074=jon.peterson@team.neustar>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6504E3A1678; Mon, 12 Jul 2021 15:57:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=team.neustar header.b=N86ng3mE; dkim=pass (1024-bit key) header.d=neustar.onmicrosoft.com header.b=ajtNamga
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZCVLD-Rlho9o; Mon, 12 Jul 2021 15:57:23 -0700 (PDT)
Received: from mx0b-0018ba01.pphosted.com (mx0b-0018ba01.pphosted.com [67.231.157.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA1503A16BE; Mon, 12 Jul 2021 15:57:16 -0700 (PDT)
Received: from pps.filterd (m0078668.ppops.net [127.0.0.1]) by mx0b-0018ba01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 16CMtfLZ028589; Mon, 12 Jul 2021 18:57:14 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=team.neustar; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=team-neustar; bh=847JDQRL3ZcKLnKnkrXUyU5wk6VnUvfufEkcW7aONcY=; b=N86ng3mEcpvLqMCKZNQfCNapJ8FBpdfnm5i2fe2pqTfT38tKqauF5FwjE8ySzWikB6ZC 9ZY+Zu4baU8JeYKdO5/H74VWkR5jKeQJ3vKwdtHlwRTPY704bZdgCGonqPOo4W3HHYCL bquuXj+zk1WCNttL6EWJiUvCl1ARSVbT+oymvkQMUHNf9+5h0pWIqKVS4M6rN3Wyo/7O wBP6GmaPivxeQcFpt8d/jc4T65uXB0NdL0mjC0hKZJNVa0EGKhQJwlWJ5t7QS5fTjBgO 1hGV/9droKvShTfP3O8OemWXdYqBmeR9cK2fez1VE6FUfvM5ZbWnxZJ0yG/9huBH4FpI qg==
Received: from nam11-co1-obe.outbound.protection.outlook.com (mail-co1nam11lp2171.outbound.protection.outlook.com [104.47.56.171]) by mx0b-0018ba01.pphosted.com with ESMTP id 39rsds8qmj-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 12 Jul 2021 18:57:13 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=VtItNinPRSZVJHvwUdQrQ0FeFtYTGm4w8uLlqVc45Bv7yaSO0JDrp7EqQvquU2DDFMpJiROeMRDs7ekPCbEpIc0KxEp/j5wNELPwJkwUaf7gnu5fYT5XtXXmInSevt6vszwpU8rNr1hPkEq0qA6OxeuGixWi6L49utblkvLPdfQUb7YZ7uGaNtLMhHnngHduBYJIHbAelPKAhEX5MdrPLBsNm+MbZbhwcwQW34xDSIvEDBZNVItmfjiiQz7y5OxUrjLS/+l2LdmNn1/gdaMF0wLSNSFuXWW+uP/kE/2wiIB2lyUb04DA2olnuHbZoAW2TqyB1H5HD9kJ1xCOsreAmA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=847JDQRL3ZcKLnKnkrXUyU5wk6VnUvfufEkcW7aONcY=; b=izGwPSvl2zyYVpOqs5KUFxPiltCF/EpJpR3QIO3u3G8c3OjuF18YGFpHJ49flcBOG1fg0SUytIolcFsPkbdcOD4LQR+rXQX/OdTsrSrdTZAHuFSxqH5LqyBnW0D7NMLw2+2mc/VwpvUgD0LZU8ygWRfiklRhxKcFW7TOzslUdHyD8TCLBNOZlQdULMlXNJmC7J/ewppyRbrVCtQquoduH7Spq4ABZliPTWKD7z522ARQMqw4W4rISOAwN3E4aOYdNHoaJ3bU0dPhisNxQvp+pPctwAuxI0kSxP/jEay8y2+MoDHjYubNc/SNoCFGBABEj8X4WQpMhe3yDoi+OgBXaw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=team.neustar; dmarc=pass action=none header.from=team.neustar; dkim=pass header.d=team.neustar; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=neustar.onmicrosoft.com; s=selector1-neustar-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=847JDQRL3ZcKLnKnkrXUyU5wk6VnUvfufEkcW7aONcY=; b=ajtNamga249SXsg8wR5dY7/PGM112lxd3s5uYfcXZeKofVV5NhC4j3BEN9R7ENrs9mFRRqXYIi+JseL0660zCki5KKKMgG7qE3iVIMshAGQNF6gq9aq455cxzptSvMsWJRZK3ZySpHgJc6Dj5lniHamqD2SLeEF3HpmY/n7Q1NI=
Received: from BY5PR17MB3569.namprd17.prod.outlook.com (2603:10b6:a03:1b9::20) by SJ0PR17MB4632.namprd17.prod.outlook.com (2603:10b6:a03:375::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4308.20; Mon, 12 Jul 2021 22:57:11 +0000
Received: from BY5PR17MB3569.namprd17.prod.outlook.com ([fe80::4093:43ea:c83:1e99]) by BY5PR17MB3569.namprd17.prod.outlook.com ([fe80::4093:43ea:c83:1e99%4]) with mapi id 15.20.4308.027; Mon, 12 Jul 2021 22:57:11 +0000
From: "Peterson, Jon" <jon.peterson@team.neustar>
To: Roman Danyliw <rdd@cert.org>, "acme@ietf.org" <acme@ietf.org>
CC: "draft-ietf-acme-authority-token@ietf.org" <draft-ietf-acme-authority-token@ietf.org>
Thread-Topic: [Acme] AD review of draft-ietf-acme-authority-token-05
Thread-Index: AQHW6ejlOEYeQcveQkikId7N6kJ3Waq2j80AgCoPh8CAW30v8IAEfNGA
Date: Mon, 12 Jul 2021 22:57:11 +0000
Message-ID: <DE0959B4-84DC-40AE-A13D-40C8F79D9E4E@team.neustar>
References: <9FF54993-6265-49F5-9663-63A99DB7762B@akamai.com> <5bcc3911ebce4a78a26a98df1575210d@cert.org> <cf930a798fcd433c889a61ca16f0a3d0@cert.org> <DM3P110MB05386DAABC8EAFF8FF322ECFDC189@DM3P110MB0538.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <DM3P110MB05386DAABC8EAFF8FF322ECFDC189@DM3P110MB0538.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.1b.201012
authentication-results: cert.org; dkim=none (message not signed) header.d=none;cert.org; dmarc=none action=none header.from=team.neustar;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 882d0dca-0e96-4913-c90c-08d945886248
x-ms-traffictypediagnostic: SJ0PR17MB4632:
x-microsoft-antispam-prvs: <SJ0PR17MB463278E0AFA63A33DD0BC2D2E2159@SJ0PR17MB4632.namprd17.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: ThyZPGs+lmpkaTQ64wINpAhsjssogu5hmCixAcyXn3AXDRTXQxprAInX/BLQnw87/tesNhff1bVDvLkbSDuYHr2LtoVv504nt9GrtugcdYHkZRtTmuE4MoIPn6IFpZbENV9AMB23WcIt7lzdtCQVyv72Gx9CY6oXyhhMLHGYEsdangBin/hJpr+X/V5R8+fpC/BDbl4SfYAoILa2XHZYo703rUwFKUxoDpty8VpEtlfJCj3GT9/kS6Tjk1sMnrCP9jo0KQrz/fVoqzyg3IpKbCnkGky5eunDiNsFY7IrFvG+TVaNt2hKxCsq48ppgPJcafjNkCVDDC7VU0wFoQjZpbwUotmPbL5ke7cJVCMJkRMv9eDn0Scm4TWh2HywBVnJk3gwAKqxaU10oJIejg7y3XtcrHFRIYj01mVM9n3IiCR84AyD53VYvTHs2tbz9aJhqGI/J59ZAy9kZOEuuhbms6zCdC5lYNTuoQAvKFVffMoa8R/MufvdS3toe4142TcPD9vyp9ymk43YePNXtaqHfLKslBgm9uDOKlvXni1DwmGRmrmyX1n/1rAvw1+4/wCrKtnjug++WPLjPqydNxIW+yB9Hjz0tdgFYW5h5NcIIjw8m+i3mhxyKRpcxgQ6pZGh7LnyyQSa2l8trNsuws/+NdohuxGbck1PfcEOOcaJr0SmRHWWRjsjaqKk+GtTEkmvA8JOsFKyVslkI8G2gHd8rty7Y7Alho4auXhvxvk0Nkc=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR17MB3569.namprd17.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(136003)(366004)(396003)(376002)(39860400002)(2616005)(186003)(478600001)(71200400001)(66476007)(122000001)(8936002)(38100700002)(2906002)(66556008)(66446008)(6486002)(6506007)(64756008)(76116006)(66946007)(4326008)(6512007)(83380400001)(110136005)(8676002)(316002)(86362001)(33656002)(5660300002)(46492011)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: O+Wz45G3it54DP9v9+2I+GJoIOEOkIAM5TvsEzbPMqTIS0wvXdIRXeLp6Alu6TrsNZs9qtAleSO8bOoxY/dHSm2f+FvUMecY2QFMxTXMzqNFRskLnynCk0Dh6elsA9cJh8mXLOHTKfSt/EU3Wsu5Tl+T7j4yTFR1GfK83XMIWNB/sYJFitHul7HR/ifT5LkUJ0e0gY+ihwxGHr9XKg8hYcXH+ZfkniZjojsnXXA5I0zPIHI2jJriLcTTUhouN9lJIh1LtkuAqUgAxgRvhpwixS5/1VYNhRZMuX4QU9DYLW2rIzCeLymjg2SZ7MlyQ3MEJhQxU7v9W+f5OCbKaObbBJO/QW2UINWFC68YPmIFPcjF/Xl2Y47evJtvWuLCGbVBPQ0jFj9V+Yo0fwdMhR7qiLskysgKV/Awy3T22/lCF2K3jtf4Kr+YkKW8EFCJCU5sQ9zuKAxY7QJGC0EFqYjXrgYjmkZu5gdJwy4vmdumIoFxAx8Gn+haeXM8s8M4yOz8HYMj8KgdH1XZzwlDn7ZOmsrT+HluyH2Nuu6IEx6aBBYSsblmFBJOrVgvdYo+u/lW1Y9QTHpKh76R5xrxoBSPNLCovECx0y6VE2xOsdM4dDjSTV25GIS/SzZHbdLp13ekpBFeU/vLdPa0eIjb2op6k7yOY/eHaFtjDHjY6EbtqpaiVBnNKgSi8acQbdgAt34meSt/WrJvF6V4zTYov6ZP7Hzr6xpHmh2itkDk/UhdoO7l7lzH5frY2YfpBycC9A8ZZLGsoT3PCZdKJQWjXX/DJOs1QiMNGiqatnEkSV2GPoJPpQHvILLSnHS3TH2+XhTzldD69G02NMbh9C4vsH7gN/2wmF+ZqPx+MOI4UleO2n8N0jn+lz3tXigakXDf7892PFwc9z3/DKLj1seH582CGvwW9mR2LF7Bm3ZbCvF8b9YUr8MXscClKSx/zS8iS4CwQj7xNlYhyTf2Ehan/l7IePk/GQPlbdYRtD52I9kfkM+njI8fc+IwOtzupF1HfcBjg/EZ1WeXAkunAgZ9e7DWavpVQjzWCBFLwD8vPGtcM0ISmhMVDk1QpHIS938K4hvmJg/Lisikc5O8X1UbCJuCF6xeVyX/1NeNR4VyG0lkkmpd3cLvqIr248/XyBaayLnxe9aG8X4Ndr1p0YFuBEP31eUpHqxrMd1LRXEMWXycJYuD5hC2+K/boi1J6j8tl5xJpduezJ2kQEBYAQ3A3BZN65l3B50FpFidt91SltvQQaxGPd6Y5m0TPxOBAd4Nx9zPf4CPj+Qk0IbuGm1yy/hDopE7h5UhNey5MsjqsiB4L3ijmg5z8ct7eMIzi27lbU34WRwvYUYwaHDkBfSvzWYzKg==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <5E0744388E71F44C9798460F9071CE3E@namprd17.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: team.neustar
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR17MB3569.namprd17.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 882d0dca-0e96-4913-c90c-08d945886248
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Jul 2021 22:57:11.5792 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 73a2bbc1-f307-47c4-8f94-5f379c68bc30
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 0OK4njW1mUTjJB3KdnQTugeXoCC4KFdd5ahG+ncrtt9X+TkdMuHebdI1/M3HRC/7e+1LIKueJmDq6ihOrCZ7QBb2Y0+Hq+d3VtzLFQZWnqM=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR17MB4632
X-Proofpoint-GUID: lF5zSHcUOsJhcN29yapuLcbRXbLEcfCV
X-Proofpoint-ORIG-GUID: lF5zSHcUOsJhcN29yapuLcbRXbLEcfCV
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.790 definitions=2021-07-12_14:2021-07-12, 2021-07-12 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 priorityscore=1501 bulkscore=0 malwarescore=0 phishscore=0 mlxlogscore=999 spamscore=0 mlxscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104190000 definitions=main-2107120156
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/SPXYqGtqoBi-nb2J56_8jP9BWJo>
Subject: Re: [Acme] AD review of draft-ietf-acme-authority-token-05
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jul 2021 22:57:36 -0000

Hi Roman,

Thanks for the thorough review, and sorry for the delay...

We've posted a new version of the draft, which tries to put a dent in some of your concerns.

    > > >
    > > >     ** What is the intended status of this document? The document
    > > > says Informational; the datatracker and the shepherd's report says
    > > > Proposed Standard.  TnAuthlist is PS.  These four places need to be
    > consistent.

We've moved this to PS.

    > > >     ** Are there implementations of this document?  The rough
    > > > history in ACME seems to have been PS should have implementation
    > experience.
    > > > Is the link to STIR decisive here (to make it PS)?

We hope this will get some use with STIR deployments, yes.

    > > >     ** ID-Nits reported the following issues with references being
    > > > listed but not
    > > > used:
 
We divided references into normative and informative, and nuked ones that seemed particularly superfluous (including say acme-telephone).

For the most part, the new version incorporates your proposed changes to the text throughout (and hopefully it's a little better editorially). There are only a few cases where this warrants a bit more comment:

    > > >
    > > >     ** The tkauth-type="atc" type doesn't seem to describe all of
    > > > the required information described by Section 3.1 - 3.3 and Section
    > > > 9 (Security
    > > > Considerations) as being needed for a token format.  Specifically:
...
    > > > Perhaps this section is spelling out
    > > > requirements for both of those collectively?  If so, this should be
    > > > explicitly stated (perhaps in the intro to Section 3, reminded in
    > > > Sections 4 and
    > > 9).

We've taken the tack you suggest above of clarifying that this requirements need to be satisfied by a combination of authority-token and its tkauth subtypes.

    > > >
    > > >     ** Section 3.  The text notes that authority tokens can be used
    > > > for ACME challenges, but this document doesn't add a new challenge
    > > > type to the "ACME Validation Methods" registry.  Section 6 provides
    > > > an example using token- tnauthlist which seems to suggest a
    > > > type="tkauth-01", but that isn't specified in
    > > > draft-ietf-acme-token-tnauthlist
    > > or this document.

That's fixed, and hopefully overall the IANA considerations are a bit cleaner.
    > > >
    > > >     ** Section 3.1.  Per "... future specifications must indicate
    > > > how a token conveys to the CA the name(s) ...", is there a reason
    > > > this isn't a normative MUST?

As a matter of specmanship, I try to use normative language to constrain what implementations do, not what future specifications do. I understand opinion is divided on the subject.

    > > >     ** Section 3.2.  Per "an Authority Token could attest to all of
    > > > the resources that the client is eligible to receive certificates
    > > > for", couldn't this leaks information to a CA, if that single CA is
    > > > not
    > > responsible for all of the scopes?

Added a little text about that.

    > > >
    > > >     ** Section 4.  What would be the circumstance where the x5u/iss
    > > > would not equal the token-authority?

I don't know if we have an existing case where it does, but it is at least conceivable. If you feel super strong about it, we can cut it.

    > > >
    > > >     ** Section 4.  Should the values of tktype be constrained to the
    > > > IANA "ACME Identifier Types" registry?

This is another one where I don't have a super strong feeling... it would certainly be helpful if it were, but it doesn't seem like it's worth normative language to that effect.

    > > >
    > > >     ** Section 4.  The example in this section is missing the full
    > > > payload/protected /signature structure to show the actual binding
    > > > provided by the server

We added that, but we're basically punting examples to tnauthlist in this version of the draft otherwise.

    > > >
    > > >     ** Section 5.  This token acquisition protocol seems underspecified:
    > > >     -- How does the client authenticate/do authorization with the
    > > > HTTPS
    > > server?

I think the precise security used by a web service is not in the scope of this as such... if you feel we need to flesh that out substantially, let us know.

    > > >
    > > >     -- Is there any semantics to the resource locator to make for an
    > > > interoperable/discoverable URI?

I don't think that's particularly necessary, but if you feel otherwise, let us know.

    > > >
    > > >     -- Does the client get to request a scope?

Yes, I hope that's clear.

    > > >
    > > >     ** Section 5.1.  It might be useful to show a full server
    > > > response example given a particular client request

Again, punting the examples to the tnauthlist draft, since basically a concrete example requires all the stuff defined in tnauthlist anyway, to your point here:

    > > >
    > > >     -- How is error handling managed with the HTTP error code?  The
    > > > TnAuthlist draft actually specifies this behavior more that this
    > > > base
    > > document.
    > > >
    > > >     -- Section 5.  Shouldn't a successful response from a Token
    > > > Authority return a body of type "application/jwt" if an "authority
    > > > token" is being returned per Section 4?

tnauthlist has it as we do here; just keeping alignment with that.

    > > >
    > > >     ** Section 8.  This text registers "atc" as an ACME identifier.
    > > > When and how is that used?  I thought that identifier profiles
    > > > specified an identifier and that the atc what the challenge/verification type.

This was a point of misalignment with tnauthlist; we've rectified that by deleting this "atc" ACME identifier.

    > > >
    > > >     ** Section 8.  Is there a reason that the "atc" claim from
    > > > Section
    > > > 4 not being registered in the "JSON Web Token Claims" registry?

Added.

    > > >
    > > >     ** Section 8.  Per the registry of "token types", there don't
    > > > seem to be enough details here:

We tried to clean this up as well.

Again, thanks for the review, and let us know what we should still be fixing in here.

Jon Peterson
Neustar, Inc.

v2.23.0 | Report a Bug | By Email