[Acme] On the relationship between delegation and STAR

Thomas Fossati <Thomas.Fossati@arm.com> Mon, 20 April 2020 13:26 UTC

From: Thomas Fossati <Thomas.Fossati@arm.com>
To: "acme@ietf.org" <acme@ietf.org>
CC: Thomas Fossati <Thomas.Fossati@arm.com>
Date: Mon, 20 Apr 2020 13:26:03 +0000
Message-ID: <66C82F9B-4ED3-420F-ACB5-7A44D8728573@arm.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/kQcxfuKeAfQXKi5BzZ73kPljCdg>

Hi, all,

While working on the STAR delegation protocol we realised that the
"STAR" in "ACME STAR Delegation" is not a strict precondition to build a
delegation mechanism, and that we could quite easily relax the
assumption and have a more general ACME-based delegation that can work
with both STAR and traditional certs.

In order to do that, from a protocol mechanics standpoint, we'd just need
to add one "allow-certificate-get" attribute to the set of top-level
Order attributes, and one to the Directory's meta, with the same exact
semantics as those currently defined in the "auto-renewal" namespace.

From an interface perspective, the only difference between non-STAR and
STAR delegation is that the former would allow the delegate to revoke
the cert using the cert's private key, whereas STAR certs don't have
access to the revocation interface -- that was originally conceived to
give tighter control to the delegator.  However, in hindsight it doesn't
seem like this would imply an increase in attack surface, while the
gain we'd get from the generalisation of the mechanism is quite
noticeable, we reckon.

Obviously we want to validate this scope change with the group before
proceeding.

Cheers!
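An added worked example, not part of the mail and not code from any ACME implementation, showing how a client or CA could evaluate the attribute in both places the mail describes: the existing STAR "auto-renewal" namespace (order and Directory meta, as in RFC 8739) and the proposed top-level "allow-certificate-get". The exact placement of the top-level attribute, the sample Directory and Order JSON, and the function names are assumptions made for this example. The check is deny-by-default (only a JSON `true` enables unauthenticated certificate GET), and the server-side policy check refuses an order that asks for the capability in a namespace the Directory does not advertise.

```python
"""Added example: evaluating "allow-certificate-get" for STAR and non-STAR
delegated orders. Not the mail's code nor any ACME implementation's.

Assumptions (not stated in the mail):
- STAR placement follows RFC 8739: order["auto-renewal"]["allow-certificate-get"]
  and directory["meta"]["auto-renewal"]["allow-certificate-get"].
- The proposed non-STAR attribute sits at order["allow-certificate-get"] and
  directory["meta"]["allow-certificate-get"]; the mail names the attribute but
  not its exact JSON placement, so this is a guess.
"""
import json

# Constructed sample Directory advertising both capabilities (hypothetical CA).
DIRECTORY_JSON = """{
  "newOrder": "https://ca.example/acme/new-order",
  "meta": {
    "auto-renewal": {"min-lifetime": 86400, "max-duration": 31536000,
                     "allow-certificate-get": true},
    "allow-certificate-get": true
  }
}"""

# Constructed STAR order: the attribute lives inside "auto-renewal".
STAR_ORDER_JSON = """{
  "status": "valid",
  "identifiers": [{"type": "dns", "value": "cdn.example.com"}],
  "auto-renewal": {"end-date": "2020-06-20T00:00:00Z", "lifetime": 604800,
                   "allow-certificate-get": true},
  "certificate": "https://ca.example/acme/star-cert/abc"
}"""

# Constructed non-STAR order: the proposed top-level attribute.
PLAIN_ORDER_JSON = """{
  "status": "valid",
  "identifiers": [{"type": "dns", "value": "www.example.com"}],
  "allow-certificate-get": true,
  "certificate": "https://ca.example/acme/cert/def"
}"""


def load_samples():
    """Parse the constructed samples: (directory, star_order, plain_order)."""
    return (json.loads(DIRECTORY_JSON),
            json.loads(STAR_ORDER_JSON),
            json.loads(PLAIN_ORDER_JSON))


def is_star_order(order: dict) -> bool:
    """A STAR order carries the "auto-renewal" object."""
    return isinstance(order.get("auto-renewal"), dict)


def certificate_get_allowed(order: dict) -> bool:
    """True only if the order explicitly permits unauthenticated certificate GET.
    Anything other than a JSON true (missing, null, string) is treated as false."""
    if is_star_order(order):
        return order["auto-renewal"].get("allow-certificate-get") is True
    return order.get("allow-certificate-get") is True


def delegate_may_revoke_with_cert_key(order: dict) -> bool:
    """The interface difference the mail describes: a non-STAR delegated cert can
    be revoked by the delegate with the cert's private key; STAR certs are kept
    off the revocation interface."""
    return not is_star_order(order)


def check_order_against_directory(directory: dict, order: dict) -> list:
    """CA-side policy check: an order may only request allow-certificate-get if
    the Directory meta advertises it in the matching namespace."""
    meta = directory.get("meta", {})
    problems = []
    if is_star_order(order):
        offered = meta.get("auto-renewal", {}).get("allow-certificate-get") is True
        if order["auto-renewal"].get("allow-certificate-get") is True and not offered:
            problems.append("STAR allow-certificate-get requested but not offered")
    else:
        offered = meta.get("allow-certificate-get") is True
        if order.get("allow-certificate-get") is True and not offered:
            problems.append("allow-certificate-get requested but not offered")
    return problems


if __name__ == "__main__":
    directory, star, plain = load_samples()
    for name, order in (("STAR", star), ("non-STAR", plain)):
        print(name, "cert GET allowed:", certificate_get_allowed(order),
              "| delegate revokes with cert key:", delegate_may_revoke_with_cert_key(order),
              "| policy problems:", check_order_against_directory(directory, order))
```

Keeping the two namespaces behind one `certificate_get_allowed()` is what lets a delegate client treat STAR and traditional certs uniformly, which is the generalisation the mail argues for; the strict `is True` comparison avoids accidentally enabling unauthenticated certificate retrieval on a malformed or absent value.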
