IETF Logo Mail Archive

Re: [Acme] draft-ietf-acme-star

"Salz, Rich" <rsalz@akamai.com> Mon, 09 September 2019 22:57 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEEB8120013 for <acme@ietfa.amsl.com>; Mon, 9 Sep 2019 15:57:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 225aXg31DY6W for <acme@ietfa.amsl.com>; Mon, 9 Sep 2019 15:57:53 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0C3D120020 for <acme@ietf.org>; Mon, 9 Sep 2019 15:57:53 -0700 (PDT)
Received: from pps.filterd (m0050102.ppops.net [127.0.0.1]) by m0050102.ppops.net-00190b01. (8.16.0.42/8.16.0.42) with SMTP id x89MvM2T012122; Mon, 9 Sep 2019 23:57:48 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=YKnfqplTdv7v65HD6AkUicGfcZKUUMZvegyC86NEUOo=; b=GTAI+O1waCqva5bztLG0LKc7Ai/3Y+q1+75uB+mX/zvo/IZCj4T7UuZinhNpv5CFxTXd 40Ge5dSlngSKJKnYIhkRDO201jtXP4bmU0GMkTqUL40SbaHUtFfE4Fz0NtLB256n6Wev 8G7qOFPxNWy6PXTF5gZ6k4f5XsP4Iz0tYJ0YSNTj43GToi0//v6WUfUFIFomp5dTcnLD jS6555FrUP6SkIDHIIBLtsiH33F/OD7YUtYsVHryrWnqjhFgX/U6MaGn/try3AeT9yV6 a9l/dxHRuY+vYKQJUIKrA2lkoihMsp1tv5L+HP8BcH368p2lZDAAbXVb/bD0k43YRsnq CQ==
Received: from prod-mail-ppoint2 (prod-mail-ppoint2.akamai.com [184.51.33.19] (may be forged)) by m0050102.ppops.net-00190b01. with ESMTP id 2uv1mdbwtm-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 09 Sep 2019 23:57:48 +0100
Received: from pps.filterd (prod-mail-ppoint2.akamai.com [127.0.0.1]) by prod-mail-ppoint2.akamai.com (8.16.0.27/8.16.0.27) with SMTP id x89Mlv8F030197; Mon, 9 Sep 2019 18:57:47 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.34]) by prod-mail-ppoint2.akamai.com with ESMTP id 2uv7vvugwa-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Mon, 09 Sep 2019 18:57:47 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb3.msg.corp.akamai.com (172.27.123.103) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 9 Sep 2019 18:57:46 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1473.005; Mon, 9 Sep 2019 18:57:46 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: Richard Barnes <rlb@ipv.sx>, Thomas Fossati <Thomas.Fossati@arm.com>
CC: IETF ACME <acme@ietf.org>
Thread-Topic: [Acme] draft-ietf-acme-star
Thread-Index: AQHVXbBGQMARrGYScUGVmynz9ivKPqcjVTCAgADyhID//8DngA==
Date: Mon, 09 Sep 2019 22:57:46 +0000
Message-ID: <1D779B7D-3661-49B6-BC75-A41B69F3768F@akamai.com>
References: <CAL02cgST77G9uR23x4Hf0L8_hqi6zSuJqB=dbunGYcDPEDpbDg@mail.gmail.com> <94D1B74E-8AD8-4623-8DFB-E9C132BBB940@arm.com> <CAL02cgTM+dTJ6enzpnb=dSCzbDMR+3Xadp4r4a3xuzzhxPgJag@mail.gmail.com>
In-Reply-To: <CAL02cgTM+dTJ6enzpnb=dSCzbDMR+3Xadp4r4a3xuzzhxPgJag@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1d.0.190908
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.32.196]
Content-Type: multipart/alternative; boundary="_000_1D779B7D366149B6BC75A41B69F3768Fakamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-09-09_09:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1906280000 definitions=main-1909090214
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.70,1.0.8 definitions=2019-09-09_09:2019-09-09,2019-09-09 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 malwarescore=0 adultscore=0 impostorscore=0 mlxscore=0 spamscore=0 mlxlogscore=999 priorityscore=1501 bulkscore=0 lowpriorityscore=0 suspectscore=0 phishscore=0 clxscore=1015 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1906280000 definitions=main-1909090216
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/ZfelSLkk7NB2V2bKOfV_VIbn97k>
Subject: Re: [Acme] draft-ietf-acme-star
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Sep 2019 22:57:57 -0000

I don’t care about the STAR acronym not bring known by those who don’t know :) but I think Richard’s comments – most of which are, really, wordsmithing nits of message-field names – deserve more consideration.  After all, the STAR documents didn’t get much attention from the ACME members.

From: Richard Barnes <rlb@ipv.sx>
Date: Monday, September 9, 2019 at 6:44 PM
To: Thomas Fossati <Thomas.Fossati@arm.com>
Cc: "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] draft-ietf-acme-star



On Mon, Sep 9, 2019 at 4:15 AM Thomas Fossati <Thomas.Fossati@arm.com<mailto:Thomas.Fossati@arm.com>> wrote:
Hi Richard,

Thank you for the detailed review. As you note yourself, this is quite
late in the document life-cycle (the draft completed IETF LC over a
month ago), which is unfortunate, given that every one of your comments
is an actual protocol change.

Do you have any implementations that this would break?  Or is this just avoiding spec changes?

Most of the below should be pretty easy to address, so unless there's some massively deployed code base that's going to be broken, I would propose that they should be addressed before publication.

Note that there are some potential deployment blockers here, most importantly the implication that the CA should pre-date certificates.

--Richard


As far as we understand, none of them can
be seen as a "showstopper" mistake in the protocol, and therefore we
propose to move forward with the current draft version. Please let us
know if we missed anything.

Cheers, Thomas (on behalf of the authors)

> On 28/08/2019 at 15:52, Richard Barnes <rlb@ipv.sx> wrote:
>
> I had a chance to take a look at this draft as a result of being a
> designated expert on the registries.  I approved the registrations,
> but independently, I have several major concerns about the draft.  In
> no particular order
>
> - The use of the "STAR" acronym is not helpful.  This is not an
> acronym that will be familiar to a reader, and less so an implementer
> who has not fully read and absorbed this spec.  Instead, you should
> say what you mean, e.g., for the "meta" fields:
>
> star-enabled -> auto-renewal-allowed star-min-cert-validity ->
> min-cert-validity star-max-renewal -> max-auto-renewals
>
> - Likewise, "recurrent" is not a common word in English.  If you want
> to use a single word, "recurring" is more common, but referring to
> "auto-renewal" would be even better.
>
> - It would be even cleaner to group all these "recurrent" fields into
> a sub-object, so that you wouldn't have to worry about them being
> present if "recurrent" wasn't set.  In other words, just signal the
> "recurrent" boolean by the presence of the object, and specify the
> parameters in the object.
>
> { "auto-renew": { "start": ..., "end": ...., "lifetime": ..., } }
>
> - The idea of "predating" is toxic.  Pre-dating a certificate means
> making the notBefore date earlier than when you actually issued it,
> which is a huge problem for a real CA to do.  That's not what you mean
> here..  You just want there to be some overlap between certificates.
> Say that instead ("recurrent-certificate-predate" -> "overlap") and
> adjust Section 3.5 accordingly.
>
> - The Not-Before and Not-After headers should be removed.  On the one
> hand, it's not clear to me that it's any easier to parse these headers
> than it is to parse the certificate.  On the other hand, there are
> existing HTTP headers that express almost exactly the same semantics,
> e.g., Expires.
>
> - It's not clear that there's any reason to negotiate certificate-GET
> on a per-order basis.  Just have the CA allow it or not unilaterally
> and delete the "recurrent-certificate-get" field.
>
> - The "star-certificate" attribute is unnecessary.  Instead, you
> should just say that when auto-renewal is enabled, the "certificate"
> attribute points to the current certificate, and use "previous" link
> relations to expose earlier certs.

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email