Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf-acme-star-delegation-07: (with DISCUSS and COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Wed, 09 June 2021 22:59 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD5A43A29E7; Wed, 9 Jun 2021 15:59:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.497
X-Spam-Level:
X-Spam-Status: No, score=-1.497 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.398, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r22Z9CZ7SXPb; Wed, 9 Jun 2021 15:59:19 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DE3F3A29E3; Wed, 9 Jun 2021 15:59:19 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 159Mx77W006470 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 9 Jun 2021 18:59:12 -0400
Date: Wed, 09 Jun 2021 15:59:06 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Thomas Fossati <Thomas.Fossati@arm.com>, Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-acme-star-delegation@ietf.org" <draft-ietf-acme-star-delegation@ietf.org>, "acme-chairs@ietf.org" <acme-chairs@ietf.org>, "acme@ietf.org" <acme@ietf.org>, "ynir.ietf@gmail.com" <ynir.ietf@gmail.com>, "rsalz@akamai.com" <rsalz@akamai.com>
Message-ID: <20210609225906.GS32395@kduck.mit.edu>
References: <161785721553.2892.15997097506064189797@ietfa.amsl.com> <79202B74-A6EB-4B5C-89FF-AF6D59BE236A@arm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <79202B74-A6EB-4B5C-89FF-AF6D59BE236A@arm.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/cKMl9XjSIeGB_zjbQ-3mHFTv2Pw>
Subject: Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf-acme-star-delegation-07: (with DISCUSS and COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jun 2021 22:59:25 -0000
Hi Thomas, Yaron, My apologies for having missed this until now, and for not having commented on the github versions of things. The changes in the -08 are generally quite good (thank you!), though I will re-ballot shortly with a few comments on them (but no discuss). A few final thoughts inline... On Mon, May 10, 2021 at 06:05:37PM +0000, Thomas Fossati wrote: > Hi Ben, > > Thanks a lot for your in-depth review. > > We think we have addressed all your comments, but please check [1] and > its attached PRs for confirmation. > > The only points we didn't address are listed below, along with the > reasons why we decided to avoid changing the existing text. > > On 08/04/2021, 05:47, "Benjamin Kaduk via Datatracker" <noreply@ietf.org> wrote: > > Section 2.3.2 > > [...] > > > > * MUST NOT contain the "notBefore" and "notAfter" fields; > > * MUST contain an "auto-renewal" object and inside it, the fields > > listed in Section 3.1.1 of [RFC8739]. > > > > (These are already required by RFC 8739 for STAR certificates, and > > this list is still scoped to STAR certificates.) > > True, but the NDC is not the same ACME client as the one specified in > 8739 so it seems worth being explicit. In my reading, the NDC/IdO ACME exchange is still a STAR exchange (albeit slightly modified), separate from the IdO/CA STAR exchange. In that sense the restrictions from 8739 would continue to apply, but I can see how it makes sense to you to reiterate the point ehre. > > Section 2.3.3 > > [...] > > > > [...] I wonder if we should use distinct delegation object URLs as > > well. > > This was deliberate: we decided to keep the same delegation order to > show that the choice of STAR vs non-STAR is orthogonal with respect to > the rest of the delegation configuration - it's basically the choice of > the NDC. Okay; thanks for confirming that it was an intentional decision. > > Section 2.4 > > > > An entity implementing the IdO server role - an "ACME Delegation > > server" - can decide, on a per-identity case, whether to act as a > > proxy into another ACME Delegation server, or to behave as an IdO > > and obtain a certificate directly. The determining factor is > > whether it > > > > This sentence confuses me somewhat, in that it seems to be portraying > > a "bottom-up" decision tree but I expect a "top-down" one. That is, > > in my mental model, the IdO itself is the only entity that can be > > expected to pass any of the normal ACME authorization challenges, and > > so ultimately it is responsible for obtaining the certificate. It > > delegates down to an NDC, and that NDC can in turn decide whether or > > not to perform further delegation. I don't see how an IdO (as ACME > > Delegation server) would be able to decide to proxy up to some other > > ACME Delegation server that can't actually obtain a certificate for > > the delegated name. > > I think what we wanted to say - Yaron please correct me - is that one > entity can mediate different delegation paths at the same time and that > for each of these paths it can play an IdO role, an NDC role, or a proxy > role. > > For example, suppose the following: > * A is an IdO holding the name "a.com" > * B is an IdO holding the name "b.com" > * B is also an NDC with A (e.g., it uses "a.com" to serve A's content) > * C is an NDC with B for both "a.com" and "b.com" > > Then: > * If C requests a cert for "a.com", B will act as a proxy forwarding the > request to A (the one that can complete the authorisation challenges > for "a.com"), and A will ask the ACME server > * If C requests a cert for "b.com", B (i.e., the one that can complete > the authorisation challenges for "b.com") will act as a IdO, and ask > the ACME server directly I think we are in agreement on the behavior of B in the respective cases, and thank you for writing them out clearly to anchor the discussion. I suspect that I'm just bothered by the word "decide" -- to me it implies a choice among several possibilities, but most of the time there is only one possibility that will actually work, and thus not a real choice. (What with failure not being an option, and all ;) If we instead used language along the lines of "might behave" for each case, I don't think it would seem problematic to me. > > Some guidance on what corpus to use when picking strings for new > > extensions to the schema (e.g., EKU types) might be helpful, though is > > hardly required. > > The existing corpus is a typographic mess, so trying to impose upfront > consistency may be an impossible task. I'd leave the fun of exercising > typographical taste to the expert :-) That is eminently plausible, and a quite understandable conclusion :) Thanks again, Ben
- [Acme] Benjamin Kaduk's Discuss on draft-ietf-acm… Benjamin Kaduk via Datatracker
- Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf… Thomas Fossati
- Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf… Thomas Fossati
- Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk