Re: [Acme] [Anima] ACME integrations with BRSKI and the cmcRA EKU

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 05 March 2021 22:07 UTC

To: acme@ietf.org
Cc: anima@ietf.org
From: Michael Richardson <mcr+ietf@sandelman.ca>
Message-ID: <f8d47411-c1f9-7459-be10-e596c237bc27@sandelman.ca>
Date: Fri, 05 Mar 2021 17:07:43 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/m5TeM1KJWS7wYvIteIs9cPjwGMI>

On 2020-12-21 5:54 a.m., Deb Cooley wrote:
> I don't post often, so go easy. And I've not read up on the current 
> state of BRSKI or MASA.  This response is based only on the original post.

The BRSKI Registrar is expected, like all RFC7030 Registrars, to have 
the cmcRA bit set.
The conclusion is that we can't do this with an ACME deployed certificate.
*BRSKI* is, however, happy with a private PKI, and over in 
draft-ietf-anima-constrained-voucher, we concluded that we had better 
explicitly say that it's okay to have CA=True, and cmcRA set.  I.e. a 
self-signed key is fine, and it's okay if such a thing nominates itself 
as an RA.
(It is to be discouraged, and we intend to write that, but it is acceptable)

It is unfortunate that a Registrar that will be speaking ACME on its 
"northbound" interface can't itself use an ACME acquired certificate.

Now, how can we get the draft-ietf-acme-integrations document unstuck?
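As an added illustration of the point above (example code, not from the thread or from any BRSKI implementation): the script below uses OpenSSL (1.1.1 or later) to mint an ACME-style server certificate and a self-signed private-PKI Registrar certificate carrying CA:TRUE plus id-kp-cmcRA (OID 1.3.6.1.5.5.7.3.28, RFC 6402), then applies the RA check an EST/BRSKI client makes. The subject name and file layout are made up.

```shell
#!/bin/sh
# Added example, not code from the thread. Mints two self-signed certs with
# OpenSSL (1.1.1+): an ACME-style server cert (CA:FALSE, serverAuth) and a
# private-PKI Registrar cert (CA:TRUE plus id-kp-cmcRA), then applies the
# RA check an EST/BRSKI client performs. All names are made up.
set -eu

CMCRA_OID="1.3.6.1.5.5.7.3.28"   # id-kp-cmcRA (RFC 6402)

# mk_cert DIR BASIC_CONSTRAINTS EKU -> prints the path of a new self-signed cert.
# A private config file is used so the distro openssl.cnf cannot add its own
# v3_ca extensions behind our back.
mk_cert() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n[ext]\nbasicConstraints = critical,%s\nextendedKeyUsage = %s\n' \
        "$2" "$3" > "$1/ext.cnf"
    openssl req -x509 -config "$1/ext.cnf" -extensions ext \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/key.pem" -out "$1/cert.pem" -days 1 \
        -subj "/CN=registrar.example.test" >/dev/null 2>&1
    printf '%s\n' "$1/cert.pem"
}

# has_cmcra_eku CERT -> exit 0 if the EKU extension lists id-kp-cmcRA.
# OpenSSL 3 prints the long name, 1.1.1 prints the dotted OID; accept either.
has_cmcra_eku() {
    openssl x509 -in "$1" -noout -text |
        grep -qF -e 'CMC Registration Authority' -e 'cmcRA' -e "$CMCRA_OID"
}

# is_ca CERT -> exit 0 if basicConstraints asserts CA:TRUE.
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# registrar_cert_ok CERT -> exit 0 when a pledge/EST client would accept CERT
# as its RA. Only the cmcRA bit is required; CA:TRUE on the same cert is the
# permitted-but-discouraged self-signed case described in the message.
registrar_cert_ok() { has_cmcra_eku "$1"; }

demo() {
    work=$(mktemp -d); mkdir "$work/acme" "$work/reg"
    acme=$(mk_cert "$work/acme" "CA:FALSE" "serverAuth")
    reg=$(mk_cert "$work/reg" "CA:TRUE" "$CMCRA_OID")
    for c in "$acme" "$reg"; do
        if registrar_cert_ok "$c"; then echo "$c: acceptable Registrar cert"
        else echo "$c: rejected, no cmcRA EKU"; fi
    done
    rm -rf "$work"
}
demo
```

The ACME-style certificate is rejected because public CAs do not issue the cmcRA EKU, while the self-signed Registrar certificate passes.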