Re: [Acme] Éric Vyncke's No Objection on draft-ietf-acme-star-09: (with COMMENT)

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Tue, 08 October 2019 10:31 UTC

From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Thomas Fossati <Thomas.Fossati@arm.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-acme-star@ietf.org" <draft-ietf-acme-star@ietf.org>, Rich Salz <rsalz@akamai.com>, "acme-chairs@ietf.org" <acme-chairs@ietf.org>, "acme@ietf.org" <acme@ietf.org>
Date: Tue, 08 Oct 2019 10:31:09 +0000
Message-ID: <E1E4593F-1CEB-46DD-9A3B-778096EC5AC6@cisco.com>
References: <157010887094.16204.10515624307041176363.idtracker@ietfa.amsl.com> <E90A5597-4744-4E73-B2F0-8D20BBE8C2C5@arm.com>
In-Reply-To: <E90A5597-4744-4E73-B2F0-8D20BBE8C2C5@arm.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/ZIpJkQcprbkahyQ15nwJpEdXFeQ>

Thanks, Thomas

Even if late, it is useful to know that the authors have considered this aspect.

Regards, and thank you for the work done on this document.

-éric

On 08/10/2019, 12:19, "Thomas Fossati" <Thomas.Fossati@arm.com> wrote:

    Hi Éric,
    
    Apologies for the late reply.
    
    On 03/10/2019, 15:21, "Éric Vyncke via Datatracker" <noreply@ietf.org> wrote:
    > Thank you for the work put into this document. While I am balloting
    > "no objection", I support Alexey's DISCUSS.
    >
    > I am also wondering what is the impact of the increased rate of
    > request to the ACME server. While sections 4 and 5 answered most of
    > the questions popping up in my mind when reading the document; I am
    > still concerned that going from a 90 days to a 3 days validity is
    > probably multiplying the load by 30 on the ACME server; are the existing
    > free ACME servers ready to continue their free services?
    
    This is a very good point.  Unfortunately I have no figures WRT the cost
    split between issuance and the authorization/validation phases, so I
    don't know whether 30x is actually the right multiplier.
    
    Regardless, I think the main shift here is about trading the cost of
    automatic renewal (timer, signature, state update, and the glue logic
    that goes with it) vs maintaining the revocation infrastructure (CRL and
    OCSP) for EE certs.  (Note that revo is not just a cost on the CA but on
    clients and servers as well.)
    
    Hopefully, we have given enough knobs to an ACME CA to reasonably
    dimension the offered service, should they decide to provide STAR to
    their users.
    
    Cheers, thank you!
    