IETF Logo Mail Archive

Re: [Acme] Short term certificates - two options

Chris Drake <cnd@geek.net.au> Thu, 21 July 2016 10:05 UTC

Return-Path: <cnd@geek.net.au>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C179812DC83 for <acme@ietfa.amsl.com>; Thu, 21 Jul 2016 03:05:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.593
X-Spam-Level:
X-Spam-Status: No, score=-4.593 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_IADB_DK=-0.095, RCVD_IN_IADB_LISTED=-0.001, RCVD_IN_IADB_RDNS=-0.235, RCVD_IN_IADB_SENDERID=-0.001, RCVD_IN_IADB_SPF=-0.059, RCVD_IN_IADB_UT_CPR_MAT=-0.001, RCVD_IN_IADB_VOUCHED=-2.2, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=geek.net.au
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2qwS03Wd_uuz for <acme@ietfa.amsl.com>; Thu, 21 Jul 2016 03:05:34 -0700 (PDT)
Received: from srve.com (srve.com [208.69.183.6]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55AE912DA4C for <acme@ietf.org>; Thu, 21 Jul 2016 03:05:19 -0700 (PDT)
Received: from [172.22.0.102] (nsa.emsvr.com [120.151.160.158]) (authenticated bits=0) by srve.com (8.13.8/8.13.8/CWT/DCE) with ESMTP id u6LA3fJI015078 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Thu, 21 Jul 2016 10:04:05 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=geek.net.au; s=20131023; t=1469095472; bh=0X5JfhSAO7kfscXFYPAoq3JHnwBQALRvh5cKEwd6fng=; h=Date:From:To:CC:Subject:In-Reply-To:References; b=FfW7WewVc4hdb1vlfIDEcg1PPoRn8yfZpLVV7KJWxEgzGuc8j1mkOva64wcc/EPHo /wkFG1Hwr4r+eoyKXFHJ55C7pZGAqrsDC7NdoDwV5MFEfer3ozWXLDQLrmH6XrGC2p MQJZauMC0ERr/iKvhHxPvjx5bEOVlhsG9ko9o8Pv0s4rWJqr9K6z3MJ6eDzVepL93o 4vkhFuj/VfzD2eZzqHY1mtZgjsA4g6zR1fiFmBQhyCrmNcgTGE9bFR/P0bETImvI3M DWc3PcJKExuCOL4ilK9G3OqHzKkxJvLIxjRbCVDyF5IQMorpACu46bpZYQ3SYHV17q onEv5TycFjO1Q==
Date: Thu, 21 Jul 2016 20:03:41 +1000
From: Chris Drake <cnd@geek.net.au>
X-Priority: 3 (Normal)
Message-ID: <671590625.20160721200341@CryptoPhoto.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
In-Reply-To: <630161d7-3859-a030-2965-89ce6935661d@gmail.com>
References: <826ed7ae-9358-a3fc-f816-bc5074395f99@gmail.com> <1769480434.20160721073216@CryptoPhoto.com> <630161d7-3859-a030-2965-89ce6935661d@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----------01A0A51BA1C73D162"
X-Brightmail-Tracker: AAAAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Zk0kRdkBUd7x0rSBUqlVZx6yzlo>
Cc: ACME WG <acme@ietf.org>
Subject: Re: [Acme] Short term certificates - two options
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2016 10:05:36 -0000

Hi Yaron,

The premise seems wrong:
> These certificates allow the domain owner to terminate the TLS server's authorization when necessary, 

What that is technically true, it does not facilitate the *purpose* of the termination (which would be to prevent continued CDN content distribution) - clients can simply ignore the "expired certificate" problem and still get the content.

Trying to build a kludge to use certificates where session keys should be used instead seems a bad-idea(tm) to me.

Kind Regards,
Chris Drake


Thursday, July 21, 2016, 5:53:37 PM, you wrote:

YS> Hi Chris,

YS> The LURK CDN use case is described here: 
YS> https://tools.ietf.org/html/draft-mglt-lurk-tls-use-cases-02#section-5.3

YS> Personally I care more about the case of the TLS server being part of 
YS> the cloud infrastructure (e.g. Amazon ELB or even an on-premise F5 box),
YS> and talking to enterprise-based servers that hold the long-term credentials.

YS> Thanks,
YS>         Yaron

YS> On 20/07/16 23:32, Chris Drake wrote:
>> Hi Yaron,
>>
>> What is the use case for these?
>>
>> Kind Regards,
>> Chris Drake
>>
>>
>> Wednesday, July 20, 2016, 7:51:57 PM, you wrote:
>>
>> YS> Hi,
>>
>> YS> At the LURK BoF this week there was some interest in having a solution
>> YS> where a domain owner can delegate to some other entity (which we will
>> YS> call "the TLS server") the authority to terminate TLS connections on its
>> YS> behalf, using short-term certificates. These certificates allow the
>> YS> domain owner to terminate the TLS server's authorization when necessary,
>> YS> without requiring certificate revocation - which we know doesn't work
>> YS> reliably. The certificates' validity is measured in days, e.g. 3 days.
>>
>> YS> First, I would like to request the working group to adopt short-term
>> YS> certificates as a charter item.
>>
>> YS> Second, I would like the group's advice in choosing between two very
>> YS> different approaches to this problem.
>>
>>
>> YS> Option 1: Certificate Pull
>>
>> YS> This option is documented in the LURK draft [1], which will be modified
>> YS> to include feedback received this week, specifically to use more
>> YS> traditional certification request (CSR) flows. But the basic idea is
>> YS> very simple:
>>
>> YS> 1. TLS server generates a CSR once every 3 days for www.example.com,
>> YS> sends it to the domain owner using an authenticated REST API.
>>
>> YS> 2. Domain owner validates the CSR, forwards it to ACME server, gets back
>> YS> a short-term cert.
>>
>> YS> 3. Domain owner returns the cert to the TLS server.
>>
>> YS> If something bad happens, the domain owner simply stops forwarding
>> YS> requests from this particular TLS server.
>>
>>
>> YS> Option 2: Certificate Delegation
>>
>> YS> This option moves more of the responsibility to the ACME server.
>>
>> YS> 1. Domain owner contacts the ACME server and obtains a "delegation
>> YS> ticket" which is specific to the TLS server. The ticket is good for a
>> YS> long period, e.g. 1 year.
>>
>> YS> 2. TLS server regularly contacts the ACME server, proves ownership of
>> YS> the delegation ticket, and receives a short-term certificate.
>>
>> YS> If something bad happens, the domain owner contacts the ACME server and
>> YS> revokes the delegation ticket.
>>
>>
>> YS> Comparison:
>>
>> YS> 1. Option 2 is clearly more complicated to specify and to implement.
>>
>> YS> 2. Option 2 extends the ACME protocol. Many clients can ignore it, but
>> YS> servers will need to implement it.
>>
>> YS> 3. Option 1 requires the domain owner to have a server available
>> YS> regularly, even if it is only a short REST interaction once every few
>> YS> days. Option 2 doesn't require any such server.
>>
>> YS> 4. Option 1 looks to the ACME server as a normal cert request, and
>> YS> therefore will swamp the CT logs with lots of short-term certs. With
>> YS> Option 2, we can log to CT the issuance of the delegation ticket instead
>> YS> of the actual certificates.
>>
>>
>> YS> I would appreciate your input!
>>
>> YS> Thanks,
>>
>> YS>       Yaron
>>
>>
>> YS> [1] https://tools.ietf.org/html/draft-sheffer-lurk-cert-delegation-00
>>
>>
>>
>>

v2.23.0 | Report a Bug | By Email