IETF Logo Mail Archive

Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04

Roman Danyliw <rdd@cert.org> Fri, 13 August 2021 20:04 UTC

Return-Path: <rdd@cert.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DF1E3A24AB for <acme@ietfa.amsl.com>; Fri, 13 Aug 2021 13:04:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=seicmu.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 22VBjUOayxWX for <acme@ietfa.amsl.com>; Fri, 13 Aug 2021 13:04:09 -0700 (PDT)
Received: from USG02-CY1-obe.outbound.protection.office365.us (mail-cy1usg02on0127.outbound.protection.office365.us [23.103.209.127]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B1E93A24AD for <acme@ietf.org>; Fri, 13 Aug 2021 13:04:08 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=pTK9k07vrF52oHid+LrOWIDJb0ihFWwJOJqNRS07+JpGQGYSyo5RC6FDdog354cr9g4SaHZFkP+SfcJQHK7VDpTSW8/uQQFGvVIc/zQULhUY6ETq1qAK8mSo2HC4fJab5rjItUlRi7fjm1gk0lG7M37kphVAAy9RjIunvHWhh/zQ7qmK3M2U47+DMI8ohEKVqLt/sHj6ECq/bJ+fijKGHHAsFIT18nm0Cec9an32QudygiqdmCnFJI0f6/5yfitDmajyncGoVTTfi9Kn/MUh8Kgpqzq60UPjxS898QqAZ8I8QOesuFNGH9iGxZqM9ELSKb/80/EjH90VfKhMLCxIMA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0WvoCqtyshIBxAnCA1SrXLGFAML3iCun2EVYQXxP/8o=; b=tUIo1B/yNndksiqE6GeSMiQRwDSQOP4wiHAYYs9EA4vkdE9fiMyDVdXK9fY1P7iEnzT5SDazYuEu9ZlGf6MF1XVjeFHJpkvhAY4Tp9k9bm38jEXnnvJuebpP7It4W60x75TjMYmM0Jpd0eYOnVBxKEg6r5xAxw2Qm8wjiyQ/mNUZnshQCC4d0ScCfj2PiU+JNd6wn+RUcu5Dugktw2p0yiYgvOcwjCPmyxELeDzKt7gAnxUJw68B9EA9Ykoyf3GnyGPREI0SLi7gWcqN+eIeD/FkqFYvadRlX95NHcLkeruXhGw+3ukbcxQkMgfHcsMIKwLx8srJG2a8nFPGN7OmAg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seicmu.onmicrosoft.com; s=selector1-seicmu-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0WvoCqtyshIBxAnCA1SrXLGFAML3iCun2EVYQXxP/8o=; b=faTz55axMnbvpszOcz6a40BzDzIbuJjLoz9+E5QxJxFGszwzXiHDYbQj0Yez0fF8P729wIcovhlRZf0Z7xyR/rWYJVSYh2E9PGx96jgbfRdZ0VqKsUva26K0JqqKwaRQyll+CN+Pgbt9MuHfaCYRC3B2EhveWwel3jPeY4qGCY8=
Received: from PH2P110MB0936.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:125::32) by PH2P110MB0876.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:124::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4415.17; Fri, 13 Aug 2021 20:04:05 +0000
Received: from PH2P110MB0936.NAMP110.PROD.OUTLOOK.COM ([fe80::3594:efa4:bdc1:fd35]) by PH2P110MB0936.NAMP110.PROD.OUTLOOK.COM ([fe80::3594:efa4:bdc1:fd35%4]) with mapi id 15.20.4415.018; Fri, 13 Aug 2021 20:04:05 +0000
From: Roman Danyliw <rdd@cert.org>
To: Brian Sipos <BSipos@rkf-eng.com>
CC: "acme@ietf.org" <acme@ietf.org>
Thread-Topic: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04
Thread-Index: AQHXgywiHJXaHUJs5USqsUtyrE1MwatajavA
Date: Fri, 13 Aug 2021 20:04:05 +0000
Message-ID: <PH2P110MB0936035312E5FE600262D9DDDCFA9@PH2P110MB0936.NAMP110.PROD.OUTLOOK.COM>
References: <4ddbcc0b9ba6e2942fd1d95c412e41e6988b8a59.camel@rkf-eng.com>
In-Reply-To: <4ddbcc0b9ba6e2942fd1d95c412e41e6988b8a59.camel@rkf-eng.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: rkf-eng.com; dkim=none (message not signed) header.d=none;rkf-eng.com; dmarc=none action=none header.from=cert.org;
x-originating-ip: [128.237.16.4]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3d285bef-09a8-4143-7991-08d95e958119
x-ms-traffictypediagnostic: PH2P110MB0876:
x-microsoft-antispam-prvs: <PH2P110MB08763AD0F7086E029F47DC0DDCFA9@PH2P110MB0876.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: hR6DhHB+g1a+HE7vGDun0eyt4+jh9468E26SUTj4j+Nnwf86ZzhnXmhiiUVgERE1MLj8WE8HDffWIipFFs05DaGGjrD9tbXHW7U+YCIStJBNtI5xC6iIZlTZZ1YdR93bKZrt9eyPq4ItXRECn69s8ATKIz+v59i0jCC/vvoZ9oR8KVm4uoL4FUww90Xz63nlIt/NIWBzd3pK0zPfIWJAM/FwT5abdbnullF4/TJLCNowzq1MVwl1wUUiXby/ndPARBB3VcuWG1izuTOk1XW+7S5Hub2iVoeMWNjGMZ8LUoi+zLa6nUa1PaZRqCiCwqKcU0E+AhUKa66tX3VhhdOq2ZZpyY5R3/WbPNkLdh1JdfSa8JJKKOqsoRbVOLSr2vJWqOFxjCJSa68y4rsUPGfae+S51ewxJLism9TJbgxhTpBIIiV2fS/qX/P+jrGCflLPSX0CNWrG+094ATxh1y3NU8/K3YWVIVAu9249cJQvHIlC6sHVhAoJLXy4rXWPRZ+1aG8806SosbAQf0zKjyvxCwy+TcCOtX19hSSsfSLAvGGnxdNrg/ScrMbVA5MY0ME47EWpYt/sUHt/2etIAma9uEkTf8fyDUNZv28Ks2F7P65xgWSAUcYQLy4bk56x7TYgBG/SVzTz7iFv13zJIhmmx012vB4H7tNqQ5mWABpFCix7L7MZqr9dVTPYXOlZE1Eod5nriYKly260uz8f46u1Kg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PH2P110MB0936.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(346002)(366004)(2906002)(122000001)(8936002)(71200400001)(4326008)(6916009)(55016002)(38070700005)(38100700002)(26005)(966005)(9686003)(508600001)(186003)(76116006)(86362001)(66476007)(7696005)(64756008)(66446008)(66574015)(66556008)(8676002)(33656002)(6506007)(53546011)(83380400001)(5660300002)(52536014)(66946007); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: H3itemQGBg3zOjAKI0Gau3gAQCn65x18LIIWOEL26xwV8KgVmp7hZ+VCWgQeob0DF4PnL+98xsOGAU6ypsqBHbfZyBu55sTpB9uZWMO2x5lDuTjKHtn3sVBpBZUSrIW+CXuTvsjKwhJSVE4l/jWeyEkItkdvO6hSKbQROue345OAIqsIU6NlJBRpdqIFsVSIRMCekuNabtmgtHOPT+TXZj/iy8+TDJ+NZ4UkGnOGVxbMzX7HU4QliD1t2A13XOa6HZn9y9Gpnsr30emf5ZZ52b3TaVuhiJxcd5lyGJHydAMa0TPleQ26LQF7pURKqlLqYBF/QGtbe+n3u1gZcRFJbo/gyPA95o0B5n687Ccsovhl/PXrK0SoKbP0hUBB+8DpblHYfksNjMTqHhEVf+ZbNeZywI+jGgxhgSK+Fg+gzcH/QkQehF2sDDB0lx2i+jd2RTaQ/VwV8qTO6fSdY3TAANjI0ffVSI7l/5TDPpRze7+i7N4h9nc+MW3i7WGevTt1B5J6zZ4h3xBPRIb1ShYZiSrrY3RYWVn6fDvqF1Pwz3e+Ak78Yo3THdJeZmsplY7ZS8+NbptmvjT/6f6AP8ivUthZQb8drg7pQ/DuOcSCWxaCs+ydN/i38ljpLZM0k0rDFdhh8rEng/QAvgTLqeEDOhtR53KvmL/mDy9pJDBKedugyUQmxQz3K+VXxadTauPrwbvgvBD0mvWJpvrpelmhFQ==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PH2P110MB0936.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 3d285bef-09a8-4143-7991-08d95e958119
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Aug 2021 20:04:05.8124 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH2P110MB0876
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/hVr7UrJg87NvUskyyhxR86cvyiM>
Subject: Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Aug 2021 20:04:16 -0000

Hi Brian!

> -----Original Message-----
> From: Brian Sipos <BSipos@rkf-eng.com>
> Sent: Tuesday, July 27, 2021 5:13 PM
> To: Roman Danyliw <rdd@cert.org>
> Cc: acme@ietf.org
> Subject: RE: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04
> 
> Roman,
> Thank you for this thorough review. I want to address the more
> procedural/structural points first; the ones which have implications outside of
> just this document.
> 
> > On the process side, this arrangement is rather unusual.  No quarrels with the
> substance of the update which will improve extensibility.  However, this
> particular document has experimental status and the document being updated
> (draft-ietf-dtn-bpbis) is proposed standard (PS).  Having a lower maturity
> document updating one of higher status is my concern -- "experiments fail".
> Was
> this issue considered?  Discussed with the DTN WG?  I'll note that draft-ietf-
> dtn-bpbis has not yet been published (although it is in the late state of the
> RFCEd queue).  Could the changes just be added there directly?
> 
> BS: I did bring this up in the DTN WG earlier and the BPbis authors were fine
> with the update itself, which didn't require BPbis document changes, but I
> understand the concern about the different document status levels. I have
> brought this new concern up in the DTN WG with options of either a late
> AUTH48
> edit or a separate small Proposed Standard document from the DTN WG. The
> change
> really is not specific to this ACME document but related only to this being the
> first new administrative record type for BPv7.

Thanks for bringing the issue to DTN.  We'll wait to see the next steps.

> > **I need a little help on DTN addressing.  The text notes that that the intent
> is to issue certificates with DTN Node IDs as a URI in subjectAltName.
> > ...
> > Given the constraint of (c) and the flexibility afforded with the definition
> of a node ID in (a)+(b), will DTN Node IDs always satisfy the requirement from
> (c) to be FQDN?  Is language needed to ensure that (likely in a few places in
> the document)?
> 
> BS: This is a good catch regarding conformance to RFC 5280, and unfortunately
> represents a subtle logical conflict with this and another document [1].
> Although Section 4.2.1.6 of RFC 5280 states this requirement about the URI
> authority part it makes no other use of this authority restriction, and although
> RFC 6125 does define a URI-ID which has matching logic based on the authority
> part the certificate profile shared by DTN TCPCLv4 [1] and this document
> explictly avoid using URI-ID in favor of the matching logic defined in [1] for
> NODE-ID.
> So while a "dtn" scheme URI contains an authority part which I believe meets
> the
> intent of the RFC 5280 restriction (a unique and unambiguous name/address) it
> does not meet the letter-of-the-law in that document. The dtn scheme is
> already
> in use and has been for many years; although it resembles a URN in semantics
> it
> does use a URL syntax which may be more of an historical accident than a
> design
> decision (as the "ipn" scheme does not use the URL authority syntax).
> Do you think that explicitly calling this out in this document and in [1] are an
> acceptable way to avoid this logical issue? Meaning any CSR or certificate
> handler for DTN must be aware to ignore that specific RFC 5280 requriement.

I see this is more complicated than I realized.  Thanks for explaining it.

I think the current options might be:

(1) Roughly what you said above + Make it clear that this document is NOT using the RFC5280 profile and simply reusing the data structures (but not the validation logic).  Related to this, and excuse my ignorance about DTN, would it be possible to constrain these non-RFC5280-conforming certificates from appear on the internet with some normative phrasing.  Technically, RFC5280 is the _Internet_ PKIX profile.  This document goes to great pains to separate the internet portion of the ACME protocol exchange and the validation happening over DTN (which might be considered a "limited domain" as framed by RFC8799).

(2) Revise RFC5280.  I'm loath to pursue this path unless we really need to.

Regards,
Roman

> I think all of your other comments are sensible and I will respond to them
> separately.
> Thank you,
> Brian S.
> 
> [1]
> https://datatracker.ietf.org/doc/html/draft-ietf-dtn-tcpclv4-26#section-4.4.2

v2.23.0 | Report a Bug | By Email