IETF Logo Mail Archive

Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04

Roman Danyliw <rdd@cert.org> Tue, 26 October 2021 15:49 UTC

Return-Path: <rdd@cert.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 321F33A13F3 for <acme@ietfa.amsl.com>; Tue, 26 Oct 2021 08:49:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=seicmu.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f714yBWTMrZY for <acme@ietfa.amsl.com>; Tue, 26 Oct 2021 08:48:57 -0700 (PDT)
Received: from USG02-CY1-obe.outbound.protection.office365.us (mail-cy1usg02on0129.outbound.protection.office365.us [23.103.209.129]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7AC213A13EF for <acme@ietf.org>; Tue, 26 Oct 2021 08:48:57 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=jY4Jntgb6z7a8yVJp647VwOzhaF2hy60tPy6hqYFZ1qrIBnMEkWGuxf+Ei50ssHLGlu7rEfTwOnzyTyGPqggYJLcv5ngU3H8Aj8fdKvPrgT4kgy55EkbzRvagG7i2DKAO2SZ9E73xvQYRZ/cD8gDuWc9KY4lo0Q+RtIs4I3A1eCP6HvPLWYsZhHCvmNZM2Bx73WSLpLvQX9gPTznBwyQmADM2+/c7NK92Kk48kpvZv72X+0ipGRQ+c8iX55pKyJ9ECQQnD6To15azfb/wHpLBIRcgBg9BX6FcsmFncAU8DJHcrc6m/PQ85ripHTbullcoAAdacpv9EyGuZfCoiN1rg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=7QeO5v90HX6N2zmNgrHwgIdPoluyOd3gXkwpPVm7xl8=; b=sbNa8zQlf4DxB4lB8Q8Ny2Z9PAFu6ts3x1JcbzftktojBp9JQdZl4D/BT5Ybk2RGI+12jwizDvEhb4GYNoKmdJINhyW1xrgSDmqI+aE30I3ibS4qAe4h/4UpgxKaO0xaxj3bQZ8t/djQOnoF7cJuUPoYg+Y/V/+nMzmAVfyASmGqiJqHVuD3Od5jvZZh+UZeJNOC0wqYLY3/acMpJtTruRRqWdYV9SqlBAQVVqDnYauNA5bsPfCGHN/+nGJCzyiMicC2GEOFQcNzFBrYEC9bh67i18ERr/V0NsPMfcAKUNnrw0sCg5VEGkZ8TDgb9OSGe1CXfjr54pBKJoZHQqEdpw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seicmu.onmicrosoft.com; s=selector1-seicmu-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7QeO5v90HX6N2zmNgrHwgIdPoluyOd3gXkwpPVm7xl8=; b=QvfkSL+enjQxv+ImESBdMhzCMesaByuspLad8gGkdWN392KLHDj/UiwOiLpj9WYJZenVnTWPAuxAccPARKAwx4YqDwMGG7i1W8jlYhukkS+JQmtOboDvVw73F8VHea1TuQj9siyoWwOJrKscISZYhybrbcAFXGaLpE5KJyttXKc=
Received: from BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:134::12) by BN1P110MB0644.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:135::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4628.18; Tue, 26 Oct 2021 15:48:49 +0000
Received: from BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM ([fe80::4463:48d1:9769:567f]) by BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM ([fe80::4463:48d1:9769:567f%6]) with mapi id 15.20.4628.020; Tue, 26 Oct 2021 15:48:49 +0000
From: Roman Danyliw <rdd@cert.org>
To: "acme@ietf.org" <acme@ietf.org>
Thread-Topic: AD Review of draft-ietf-acme-dtnnodeid-04
Thread-Index: Add/9nBpbNBLzKA5RcKzepF1UuMpmxKiK+Xw
Date: Tue, 26 Oct 2021 15:48:49 +0000
Message-ID: <BN1P110MB093979E855771E53BCA67AB4DC849@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM>
References: <BN3P110MB052974A1C8CD9907F111E4A0DCE59@BN3P110MB0529.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <BN3P110MB052974A1C8CD9907F111E4A0DCE59@BN3P110MB0529.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 89eeefc8-852c-4bfc-eacf-08d998981a7d
x-ms-traffictypediagnostic: BN1P110MB0644:
x-microsoft-antispam-prvs: <BN1P110MB0644BD2B2FD965A3A2C2FFE4DC849@BN1P110MB0644.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: JpzbYud2BA7KfKVV/Izft67fsSdEIgpMlWkQa/dCxj/jIdQo5xRKzmeOMM5vy4NHSA8+A3I0NkkhaCtBk2yRDR8E/NKmeZYrQogZGAfm5C5zWUtlviYhx9iQjT7bxgE3+3hFr5uu5OttaHEDBvuObxEjTK4jSTXXu94FSE3kakY4z3qdip1QPcyv5ovJ0Z37G7B0vlOFlPln0OnLO8PJOrTrxg0Q6P6Adlh2qddST4QrDa3VYNoMen6fWw5CKFkg1o9aHcyBZrOYSBgWuqnGO6Q+yyw7HpbucjLtluuvIvKeSW7nQ5q1Hjpqn61Bb7Dq657o+QCB4JuE8UFwqmEkVOYWBE+U/GcEw3VgT4qGyedKrCX0cny6OQRW1oSwJbIOkH0rCADNC4+9wHVkxX345KUF8+0Szb+hpB1BxqJi3YRVOL/xEK1isRDvjTtx+E5WOptASzUBv1oApqx1N52AMcFXOYuwwuqeaaoVo47nZU+xg3yI/P+ZqxLen76umdPSW/pRHS1r1d9VPU4SoKvMrFnfDergF691/ztha9uF924zbjMakrzY/PdWBLUgLKFqlaDdD/6r4E3i5jKA+Osc4rQVqR2FC1EXQcQEZ9wemDOD7gprw/Lfp7IZnoICGqQDxzzdZ7Wj2RS49/tQfTshZ0vXXSXM2q9VFfv/x6FL8jerg4ln48SFHPyCX2c4CFQJ8wdgWZZsGc4xlnlM2IvgwA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(366004)(6506007)(53546011)(2906002)(86362001)(186003)(52536014)(33656002)(83380400001)(498600001)(26005)(82960400001)(55016002)(66476007)(966005)(76116006)(8676002)(6916009)(66446008)(64756008)(66556008)(122000001)(5660300002)(8936002)(9686003)(38070700005)(7696005)(38100700002)(71200400001)(66946007); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: jRyf8nmd8suCxfr8PPcUlgIuHC47HaYuryudTfauyJHhT4ApT6NXeBmaboI+chzqFv2E8+VzUdZZ2728Pry2fZ04aZfy+Gg4tf0KbLolFYuY2PKu8Ge09fZdyZims9XGVIzVrCip7xme8farGa6Hsh4X84hwMxAgxOyuDlo3gbNTtrNxBODW5FCIQhn4p0MDB6UHKDYcSfiztvKh3g06ww8TYz8ymX71FGUPfnlgnjnt3UmFLfOB/9wokSStXInP64baWKVeUGFtQWxp9fcEORSGHtf7xs9RGnAEcdt0isSuw92eOwnut6ol5xS7oLrQn5rql+oLZJ+kIivcVslSFzK+VpXJmN0gFajbFN+WCKaTc/XX3Lf31UE9JqiVuvh85L/ZodyXjR/tk9Tp239+r4GfZjxj4gB/2u7lkxzXGTpPxKOc8kFa6d62pOK/6Pn2ku/vZBtBeYEDz7jdHL6zAfMPJ00No9NX7+KsDqWLCdf/BiuGGkg9hUORHMCfQ+UBzb24eMBu3OQYnS+SRunXCmReGpnxINgnbltysfp/E36O6E0LZvPOKV5b+/7M6ZgpKebdjZ1UPVa7wVc+qi12DdOYObbNyz+Sg2I5ZQ7DfxvJKXcZuC0lJRq42jiPAP3MobOLq/GQgyehwP9muyqXIPRzenw3FsyooI9b/4kv0mXS2O78MZfbkdStBX3lsTqs5cgZmqbOlM7OJqFmpzSZdQ==
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 89eeefc8-852c-4bfc-eacf-08d998981a7d
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Oct 2021 15:48:49.5667 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN1P110MB0644
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/ZSBjJr2O3agt5b1dy6fENZ5x2CE>
Subject: Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Oct 2021 15:49:02 -0000

Hi Brian!

Thanks for all of the changes in -05 and -06 to address the feedback below, and the coordinated discussion in the DTN working group.  Please consider all of the -04 feedback resolved but this one remaining change. 

One more edit needs to be made in the change from using uri to bundleEID as the ACME identifier type.  The IANA registrations in Sections 8.1 and 8.2 still refer to "uri" as the type, when in should be "bundleEID".

-- Section 8.1, substitute the label as follows: s/uri/bundleEID/

-- Section 8.2, substitute the identifier type as follows: s/uri/bundleEID/

Regards,
Roman


> -----Original Message-----
> From: Acme <acme-bounces@ietf.org> On Behalf Of Roman Danyliw
> Sent: Friday, July 23, 2021 3:15 PM
> To: acme@ietf.org
> Subject: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04
> 
> Hi!
> 
> I conducted an AD review of draft-ietf-acme-dtnnodeid-04.  Thanks for all of
> the work on this extension to support DTN.  My feedback is as follows:
> 
> ** This document proposes an update to draft-ietf-dtn-bpbis.
> 
> -- Editorially, if that's the case, the document header has a typo of "-ietf-dtn-
> bpbis".  The abstract should explicitly state that what document is being
> updated and how.
> 
> -- On the process side, this arrangement is rather unusual.  No quarrels with the
> substance of the update which will improve extensibility.  However, this
> particular document has experimental status and the document being updated
> (draft-ietf-dtn-bpbis) is proposed standard (PS).  Having a lower maturity
> document updating one of higher status is my concern -- "experiments fail".
> Was this issue considered?  Discussed with the DTN WG?  I'll note that draft-
> ietf-dtn-bpbis has not yet been published (although it is in the late state of the
> RFCEd queue).  Could the changes just be added there directly?
> 
> **I need a little help on DTN addressing.  The text notes that that the intent is
> to issue certificates with DTN Node IDs as a URI in subjectAltName.
> 
> (a) From the ABNF in Section 4.2.5.1.1 of draft-ietf-dtn-bpbis-31 of the dtn
> schema says:
>    dtn-uri = "dtn:" ("none" / dtn-hier-part)
> 
>    dtn-hier-part = "//" node-name name-delim demux ; a path-rootless
> 
>    node-name = 1*(ALPHA/DIGIT/"-"/"."/"_") reg-name
> 
>    name-delim = "/"
> 
>    demux = *VCHAR
> 
> (b) The dtn schema does have circumstances where there is an authority part to
> the URI.  The definition of reg-name in Section 3.2.2 of RFC3986 seems to
> suggest sufficient flexibility such that it would not represent a name valid (at
> least in syntax) in the DNS
> 
> (c) Section of 4.2.1.6 of RFC5280 says the following about URIs in the SAN:
> 
>    URIs that
>    include an authority ([RFC3986], Section 3.2) MUST include a fully
>    qualified domain name or IP address as the host.
> 
> Given the constraint of (c) and the flexibility afforded with the definition of a
> node ID in (a)+(b), will DTN Node IDs always satisfy the requirement from (c) to
> be FQDN?  Is language needed to ensure that (likely in a few places in the
> document)?
> 
> ** Section 1.  Editorial.  The paragraph starting with "Once an ACME server
> validates ..." jumps immediately into discussion a "uri" without explicitly
> describing it.  The text also transitions from the previous paragraph talking DTN
> Node Ids being URIs and now talking about "uri".  I would have appreciate a bit
> more hand-holding use the ACME terminology of a new "identifier type" and
> the need for a new DTN specific "challenge type".
> 
> ** Section 1.
> This document also updates BPv7 to explicitly use the IANA
>    administrative record type registry in Section 6.
> 
> Please explicitly cite a reference to BPv7
> 
> ** Section 1.2.
> 
>    When a ACME client requests a pre-authorization or an order with a
>    "uri" having one of the DTN Node ID schemes, the ACME server offers a
>    challenge type to validate that Node ID.
> 
> As noted in section 1, please explicitly state that what a "uri" is - a new ACME
> identifier type.  I would recommend:
> 
> When a ACME client requests a pre-authorization or an order with a "uri"
> identifier type with a value being one of the DTN Node ID schemes, the ACME
> server offers an "dtn-nodeid-01" challenge type to validate that Node ID.
> 
> ** Figure 1.  For clarity, it would be helpful to number the arrows between
> nodes and also use the corresponding numbers in the narrative text.
> 
> ** Section 1.3.  The explicit guidance on extracting the CDDL from the XML is
> very useful.  Thanks for including it.
> 
> ** Section 1.4.  Per the definition of "Challenge Bundle", shouldn't text clarify
> that it's the BP agent of the ACME server?  The Response Bundle helpfully
> makes that distinction.
> OLD
>      It is a Bundle created by the ACME
>       server to challenge a Node ID claim.
> 
> NEW
> It is a Bundle created by the BP agent managed by the ACME
>       server to challenge a Node ID claim.
> 
> ** Section 2.
>    Identifiers of type "uri" in certificate requests MUST appear in an
>    extensionRequest attribute [RFC2985] containing a subjectAltName
>    extension of type uniformResourceIdentifier having a value consistent
>    with the requirements of [RFC3986].  Because the
>    uniformResourceIdentifier is encoded as an IA5String it SHALL be
>    treated as being in the percent-encoded form of Section 2.1 of
>    [RFC3986].
> 
> Section 1 invokes the use of the PKIX profile [RFC5280].  The above described
> guidance is only part of the constraints on using a SAN on the URI.  Section
> 4.2.1.6 of [RFC5280] covers the rest.
> 
> ** Section 3.
>    "token-chal"  This token is unique to, and constant for, each ACME
>       authorization.
> 
> This sentence reads to me as saying inconsistent things - "unique to ... each
> ACME authorization" suggests that each authorization gets a different token.
> "... and constant for each ACME authorization" seems to suggest is the same
> token across all ACME authorizations.  That doesn't seem right.
> 
> ** Section 3.  Editorially.  I found the validation process being described as two
> separate lists of action, one for the client and one from the server, instead of
> interleaving them hard to follow.  However, I yield to the WG on this one.
> 
> ** Section 3.3.
>    Source Node ID:  The Source Node ID SHALL indicate the Node ID of the
>       ACME server performing the challenge.
> 
> Is it the "Node ID of the ACME server" or the "Node ID of the BP agent of the
> ACME server"
> 
> ** Section 3.4.  Typo. s/Each Each/Each/
> 
> ** Section 3.4. Typo. s/the the/the/
> 
> ** Section 3.4.1.
> 
>    *  The Response Bundle was received within the time interval allowed
>       for the challenge.
> 
> It would be helpful to state if this check based is based on the Creation Time
> and Lifetime fields.
> 
> ** Section 4.  The text here is generic describing the functionality of the
> gateway.  Figure 1 presented an architecture where only the Response Bundle
> would pass through the integrity gateway.  Is it envisioned that the Challenge
> Bundle could use it as well?
> 
> ** Section 8.  It would be worth repeating that the Security Considerations of
> draft-ietf-dtn-bpbis apply to the BP-to-BP agent communication.  Likewise, that
> RFC8555 applies to the ACME client/server communication.
> 
> ** Section 8.  Section 1.1 states that the communication between the ACME
> client and ACME server and their respective BP agents is out of scope.
> However, the integrity of the entire ACME issuance process rests on security of
> this communication.  Can the risks of and considerations for that
> communication please be documented?
> 
> Regards,
> Roman
> 
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme

v2.23.0 | Report a Bug | By Email