Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf-acme-star-09: (with DISCUSS and COMMENT)

Thomas Fossati <Thomas.Fossati@arm.com> Tue, 08 October 2019 10:07 UTC

From: Thomas Fossati <Thomas.Fossati@arm.com>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: The IESG <iesg@ietf.org>, "draft-ietf-acme-star@ietf.org" <draft-ietf-acme-star@ietf.org>, Rich Salz <rsalz@akamai.com>, "acme-chairs@ietf.org" <acme-chairs@ietf.org>, "acme@ietf.org" <acme@ietf.org>, Thomas Fossati <Thomas.Fossati@arm.com>
Thread-Topic: Benjamin Kaduk's Discuss on draft-ietf-acme-star-09: (with DISCUSS and COMMENT)
Date: Tue, 08 Oct 2019 10:07:12 +0000
Message-ID: <F18E5713-0C18-4AB2-9FAC-55657CF7C204@arm.com>
References: <157003958107.8961.10411719007130526381.idtracker@ietfa.amsl.com> <AB791FFF-011A-4A6E-B136-23C6204288B6@arm.com> <20191003141911.GS6424@kduck.mit.edu> <C117C671-827A-44CC-B438-9624E61A768C@arm.com> <20191005000717.GR6722@kduck.mit.edu>
In-Reply-To: <20191005000717.GR6722@kduck.mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/TgS8gxyIpgxyqO7fWkXSTspWBVs>

Hi Ben,

On 05/10/2019, 02:07, "Benjamin Kaduk" <kaduk@mit.edu> wrote:
> On Thu, Oct 03, 2019 at 05:33:49PM +0000, Thomas Fossati wrote:
> I'm trying to think about the risk that a future use case for
> "allow-certificate-get" might want slightly different semantics for
> when it's used, or need the certificate to be at a different URL, or
> similar.  Right now the GET option only applies to the
> star-certificate resource and trying to retroactively expand its scope
> could be messy.

I might be seeing this from the wrong angle, but I'm not sure I
understand what the concrete risk is: "allow-certificate-get" is
isolated in the "auto-renewal" sub-namespace.  A future, slightly
different "allow-certificate-get" can either be assigned to the
top-level namespace (if it provides general enough semantics) - and
deprecate the "auto-renewal" version - or carve its own special name
and exist in parallel.

> > Yes, one of the motivating use cases of this work was support of
> > delegation from content providers (name owners) to CDNs, where
> > multiple edge caches might need to fetch the same STAR cert.
>
> It might be worth mentioning that in the treatment of caching.

OK, will add.

> > Not sure I follow the line of reasoning.  CSRs are one-off
> > proofs-of-possession and certificates are issued from CSRs with
> > varying validities.  I think what you are saying instead is that
> > (end-date - start-date) of STAR certificates should be comparable to
> > (notAfter - notBefore) of "traditional" certs?
>
> That's what I was trying to say, yes.

OK, will add.

> > "timeliness issue" in the sense that with STAR you need to sit and
> > wait for the cert to expire.  I'm not sure it's the right English
> > word...
>
> "potential for lack of timeliness in the revocation taking effect" is
> perhaps a way to word it (I did not wordsmith very much).

Thanks, that sounds very good -- at least to my Italian ear :-)

> > >    auto-renewal "lifetime".  Alternatively, the CA can set an
> > >    internal certificate generation processes rate limit.
> > >
> > > Wouldn't this run the risk of failing to meet the CA's guarantees
> > > on producing renewed certificates?
> >
> > Not if it refuses to accept new requests at the ACME interface.
>
> I'd consider noting that this limit has to take account of
> already-scheduled renewal issuances as well as new incoming requests.
> Maybe it's sufficiently obvious that it goes without saying, though; I
> don't think I have the same context that most readers will have.

I don't think it hurts to spell it out explicitly.

Thanks again.
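The point raised above, that a CA's issuance rate limit must count the renewals it has already committed to and not only new incoming orders, as an added Python example that is neither the draft's text nor code from either correspondent. The StarOrder field names mirror the draft's auto-renewal object ("start-date", "end-date", "lifetime"); the per-window capacity model, the class names and the scenario data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class StarOrder:
    """One accepted STAR order; field names follow the draft's auto-renewal object."""
    start: datetime  # "start-date"
    end: datetime    # "end-date"
    lifetime: int    # "lifetime" of each short-term cert, in seconds

    def issuances(self) -> list:
        """Instants at which the CA has committed to have a renewed cert ready."""
        out, t = [], self.start
        while t < self.end:
            out.append(t)
            t += timedelta(seconds=self.lifetime)
        return out


class StarCA:
    def __init__(self, max_per_window: int, window: timedelta):
        self.max_per_window = max_per_window  # assumed issuance capacity per window
        self.window = window
        self.accepted: list = []

    def _peak_load(self, orders: list) -> int:
        """Highest number of scheduled issuances falling in any single window bucket."""
        counts = {}
        for order in orders:
            for t in order.issuances():
                bucket = int(t.timestamp() // self.window.total_seconds())
                counts[bucket] = counts.get(bucket, 0) + 1
        return max(counts.values(), default=0)

    def admit(self, order: StarOrder) -> bool:
        """Refuse at the ACME interface if scheduled renewals plus this order exceed the cap."""
        if self._peak_load(self.accepted + [order]) > self.max_per_window:
            return False
        self.accepted.append(order)
        return True


def demo() -> list:
    """Constructed scenario: a CA able to issue 3 certs per hour."""
    t0 = datetime(2019, 10, 8, tzinfo=timezone.utc)
    ca = StarCA(max_per_window=3, window=timedelta(hours=1))
    hourly = [StarOrder(t0, t0 + timedelta(days=1), 3600) for _ in range(4)]
    results = [ca.admit(o) for o in hourly]  # the 4th hourly order is refused
    results.append(ca.admit(StarOrder(t0, t0 + timedelta(hours=6), 1800)))  # +2/hour: refused
    results.append(ca.admit(StarOrder(t0 + timedelta(days=2), t0 + timedelta(days=3), 3600)))  # disjoint: accepted
    return results  # [True, True, True, False, False, True]
```

Note that the half-hourly order is refused even though it is the only new request at that moment: the already-scheduled hourly renewals are what consume the capacity.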

