Re: [Acme] AD Review: draft-ietf-acme-star-delegation-04
Roman Danyliw <rdd@cert.org> Mon, 08 March 2021 12:50 UTC
Return-Path: <rdd@cert.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3331B3A0E68 for <acme@ietfa.amsl.com>; Mon, 8 Mar 2021 04:50:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.399
X-Spam-Level:
X-Spam-Status: No, score=-4.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yUyDg0-z-IJQ for <acme@ietfa.amsl.com>; Mon, 8 Mar 2021 04:50:01 -0800 (PST)
Received: from taper.sei.cmu.edu (taper.sei.cmu.edu [147.72.252.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33E683A0E63 for <acme@ietf.org>; Mon, 8 Mar 2021 04:50:00 -0800 (PST)
Received: from delp.sei.cmu.edu (delp.sei.cmu.edu [10.64.21.31]) by taper.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 128CnxHr024272; Mon, 8 Mar 2021 07:49:59 -0500
DKIM-Filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu 128CnxHr024272
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1615207799; bh=Nvoq1f/1hk647tFE+gdGRy0YIh17QT4duQCtzPMQcvw=; h=From:To:Subject:Date:References:In-Reply-To:From; b=AGIy5/zplPkaYRkU0fGk6hn+WBh0BsM0W+BI919NUxjqNU4Op7GCn5ZIPCTeWfNPU fPuEvzhRdJiDjQCpSyaRrjoekMlhJMxdbZ+nKpl1ZQmyknCnmKVuAwbKxAeZbGQiNC 9NnMwQaW63zfrZG+Nvan4DW3xO8Npg1Zf/UkwvZg=
Received: from MURIEL.ad.sei.cmu.edu (muriel.ad.sei.cmu.edu [147.72.252.47]) by delp.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 128CnvLa009616; Mon, 8 Mar 2021 07:49:57 -0500
Received: from MORRIS.ad.sei.cmu.edu (147.72.252.46) by MURIEL.ad.sei.cmu.edu (147.72.252.47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2106.2; Mon, 8 Mar 2021 07:49:57 -0500
Received: from MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb]) by MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb%13]) with mapi id 15.01.2106.013; Mon, 8 Mar 2021 07:49:57 -0500
From: Roman Danyliw <rdd@cert.org>
To: Roman Danyliw <rdd@cert.org>, Yaron Sheffer <yaronf.ietf@gmail.com>, IETF ACME <acme@ietf.org>
Thread-Topic: [Acme] AD Review: draft-ietf-acme-star-delegation-04
Thread-Index: Adb7Rh0lkRNAgi4VQP6kSm1bN0WrcAA9E/IAA2wWkiAAPWdigAAKIwYgAkN8AJA=
Date: Mon, 08 Mar 2021 12:49:56 +0000
Message-ID: <5a3891a7fbad4d51addbbf9f6ba68727@cert.org>
References: <5b94cd8f4c4944838936589cea70bd62@cert.org> <B85D7793-E228-4B95-B8DF-FD46F71F4F1C@intuit.com> <404f7522d37b41ecabb854bee42dc333@cert.org> <9D628EB5-401E-4FCD-8BBC-3FB967FB4102@gmail.com> <b4307f5c6d3e495785ae1051f3927207@cert.org>
In-Reply-To: <b4307f5c6d3e495785ae1051f3927207@cert.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.203.75]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/mZNpqnGI7vH19iNQC2UxUJvIdAI>
Subject: Re: [Acme] AD Review: draft-ietf-acme-star-delegation-04
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Mar 2021 12:50:04 -0000
Hi! Thanks for adding the new CDDL schema and clean-up to the JSON schema. This resolves all of my feedback from AD review. I will advance the document to IETF LC. One question I have in the -06 to -07 changes is why the use of IP addresses was dropped for subjectAltName in the CSR template (the addition of URI makes sense). Thanks, Roman > -----Original Message----- > From: Acme <acme-bounces@ietf.org> On Behalf Of Roman Danyliw > Sent: Wednesday, February 24, 2021 9:20 AM > To: Yaron Sheffer <yaronf.ietf@gmail.com>; IETF ACME <acme@ietf.org> > Subject: Re: [Acme] AD Review: draft-ietf-acme-star-delegation-04 > > Hi Yaron and Thomas! > > > -----Original Message----- > > From: Yaron Sheffer <yaronf.ietf@gmail.com> > > Sent: Wednesday, February 24, 2021 9:08 AM > > To: Roman Danyliw <rdd@cert.org>; IETF ACME <acme@ietf.org> > > Subject: Re: [Acme] AD Review: draft-ietf-acme-star-delegation-04 > > > > Hi Roman, > > > > (1) In fact the existing language is more accurate. The CSR template > > is sent to the NDC in order to constrain what the NDC puts in the CSR. > > So the text that describes the mapping *from* the CSR template *to* > > the CSR is correct. Also, SPKI is freshly generated by the NDC, guided > > by the constraint on which key types it may use. So maybe: > > > > The subject field and its subfields are mapped into the subject field > > of the CSR, as per [RFC5280], Sec. 4.1.2.6. Other extension fields of > > the CSR template are mapped into the CSR according to the table in > > Section 5.6. The Subject Public Key Info field of the CSR is generated > > by the NDC according to the constraints defined by the "keyTypes" object of > the template. > > > > (2) It turns out that my coauthor Thomas is a native CDDL speaker. So > > we will include a CDDL schema in addition to the JSON Schema. I concur > > that developers are much more likely to use the latter. > > Great. Thanks for adding this unexpected element. > > Roman > > > Thanks, > > Yaron > > > > On 2/23/21, 18:31, "Roman Danyliw" <rdd@cert.org> wrote: > > > > Hi Yaron! > > > > Thanks for all of the work that went into -05. It addresses all > > of my concerns but the following: > > > > (1) Section 3.1. The updated language is helpful, but I recommend > > a bit more precision to cover all of the fields. > > > > OLD > > The subject field and its subfields are mapped into the subject > > field of the CSR, as per [RFC5280], Sec. 4.1.2.6. Other extension > > fields of the CSR template are mapped into the CSR according to the table in > Section 5.6. > > > > NEW > > The "Subject" field and its subfields per Section 4.1.2.6 of > > [RFC5280] are mapped into the "subject" field of the CSR template. The > > "Subject Public Key Info" field and its subfields per Section 4.1.2.7 > > of [RFC5280] are mapped into the "keyTypes" field of the CSR template. > > Other extension fields are mapped as subfields of the "extensions" > > field in the CSR template according to the table in Section 5.6. > > > > (2) The more thorny issue is how to handle a normative dependence > > on the JSON schema. Short of it being in the document, whatever is > > the formal language used to define the CSR template needs an > > appropriate normative reference describing it. Currently, > > [json-schema-07] in Appendix B would need to be normative (not > > informative). I confirmed my concern with the ART ADs, and there is > > agreement that neither draft-handrews-json-schema-validation or > > http://json-schema.org will be an adequate normative references (i.e., [json- > schema-07]). > > > > IMO, JSON still seems like the right architectural pattern here. > > I also don't see an issue with the Schema that was specified. > > > > A possible compromise (vetted with the ART ADs) is to follow the > > pattern of > > RFC8727 which also tried to use JSON Schema but couldn't find a usable > > normative reference -- full disclosure, I was a co-author. This RFC > > normatively specified the "schema" via CDDL but also informatively > > provided the same schema via [json-schema-07]. Practically, > > implementers ignore the CDDL and use the more assessible JSON. I > > appreciate this approach is additional work and pulls in another "technology" > that isn't a natural fit in the ACME ecosystem. > > > > Do you see any alternatives? > > > > Regards, > > Roman > > > > > -----Original Message----- > > > From: Yaron Sheffer <yaronf.ietf@gmail.com> > > > Sent: Friday, February 5, 2021 5:45 PM > > > To: Roman Danyliw <rdd@cert.org>; IETF ACME <acme@ietf.org> > > > Subject: Re: [Acme] AD Review: draft-ietf-acme-star-delegation-04 > > > > > > Hi Roman, > > > > > > Thank you for the detailed review. We will go through your > > comments and will > > > rev the document accordingly, but in the meantime, let me > > respond specifically > > > to the issue of the CSR template syntax. > > > > > > The CSR template is potentially a long/complicated JSON document > > (example: > > > [1]), and we felt that rather than including an informal > > definition which is easy > > > to get wrong or a long sequence of examples, our audience would > > be better > > > served by a formal definition. > > > > > > To the best of my knowledge, by far the most common way to > > specify a JSON > > > document format is with JSON Schema documents. Granted this spec > > is still a > > > moving target, but it's already widely implemented. Also, there > > are discussions > > > between the leaders of the JSON Schema effort and people on the > > HTTP- API > > > working group, with the goal of standardizing it there. > > > > > > JSON Schema draft-7 is defined by > > draft-handrews-json-schema-validation- > > 01 > > > (and a few companion document), and not (as we incorrectly noted) by > the > > > latest version of that draft. Clearly it's not ideal to refer to > > a specific, expired > > > version of an I-D. The situation is mitigated to a certain > > degree by the schema > > > document [2] mentioning explicitly the supported version: > > > > > > "$schema": "http://json-schema.org/draft-07/schema#" > > > > > > I hope this clarifies things. Regarding your two related comments: > > > > > > - Yes, we should have specified the mapping of fields into > > X.509, and will do > > > that when we address your comments. > > > - The notion of "snippet" is actually well defined when we say, > > "a JSON Schema > > > snippet that defines a type". Formally this is a valid JSON > > object with a "type" > > > attribute, per draft-handrews-json-schema-validation-01 Sec. 6.1.1. > > > > > > Thanks, > > > Yaron > > > > > > > > > [1] https://raw.githubusercontent.com/yaronf/I-D/master/STAR- > > > Delegation/CSR-template/example-template.json > > > [2] https://raw.githubusercontent.com/yaronf/I-D/master/STAR- > > > Delegation/CSR-template/template-schema.json > > > > > > > > > On 2/5/21, 00:50, "Roman Danyliw" <rdd@cert.org> wrote: > > > > > > Hi! > > > > > > I did an AD review of draft-ietf-acme-star-delegation-04. Thanks for > this > > > work to apply the STAR profile (rfc8739). Below are my > > comments. There are > > > a number of editorial clarifications proposed below. The item > > that likely needs > > > some discussion is the syntax of the CSR template. > > > > > > ** Idnit: > > > ** Obsolete normative reference: RFC 6844 (Obsoleted by RFC 8659) > > > > > > == Outdated reference: A later version (-04) exists of > > > draft-ietf-cdni-interfaces-https-delegation-03 > > > > > > -- Unexpected draft version: The latest known version of > > > draft-ietf-stir-cert-delegation is -02, but you're referring to -03. > > > > > > ** Section 1. Editorial. Missing preposition. > > > OLD > > > This document describes a profile of the ACME protocol [RFC8555] > that > > > allows the NDC to request the IdO, acting as a profiled ACME server, > > > a certificate for a delegated identity > > > NEW > > > This document describes a profile of the ACME protocol [RFC8555] > that > > > allows the NDC to request from the IdO, acting as a profiled ACME > > server, > > > a certificate for a delegated identity > > > > > > ** Section 2.2. Editorial. Recommend symmetry in naming of the > orders > > and > > > being explicit on the order in question. > > > -- second from last bullet. s/reflected in the NDC order/reflected in > > Order 1 > > > (i.e., the NDC Order)/ > > > -- last bullet. s/moves its state to "valid"/moves the Order 1 state to > > "valid"/ > > > > > > ** Section 2.2. Should the buffering requirement for the CSR be > > normative - > > > s/The IdO must buffer/The IdO MUST buffer/ > > > > > > ** Section 2.2. Per "[No identify validation]", what is meant by that? > > > > > > ** Section 2.3.1. Editorial. s/The IdO can delegate multiple names > > through > > > each NDC/The IdO can delegate multiple names to a NDC/ > > > > > > ** Section 2.3.1. Are there any constraints to what the delegation > URLs > > > could point to? > > > > > > ** Section 2.3.1. Per "The value of this attribute is the URL pointing to > > the > > > delegation configuration object that is to be used for this certificate > > request", > > > what is the error handling if the delegation attribute doesn't point to a > URL > > > found in the delegations URL list? > > > > > > ** Section 2.3.2. It might be worth pointing out the obvious when > > clarifying > > > the properties of the Order objects such as: > > > -- That the value field will be the delegated name > > > > > > -- The expected symmetry in field values between NDC-generated > order > > > object and the one made by the IdO > > > > > > ** Section 2.3.2. Per "When the validation of the identifiers has been > > > successfully completed ...", it would be useful to clarify who is doing the > > > validation and when. Figure 1 suggests that there is only a > > validation process > > > between IdO client and CA server. However, wouldn't the IdO server be > > > checking the identifiers submitted by the NDC client too (prior > > to passing them > > > to the CA server too? > > > > > > ** Section 2.3.2 and 2.3.3. I didn't understand the titles used to > > organize of > > > content -- "Order Object on the NDC-IdO side" vs. "IdO-CA side". > > They didn't > > > follow the clear convention introduced by Figure 1 of NDC > > client, IdO client, IdO > > > server and CA server. Additionally, Section 2.3.2 discusses behavior > which > > > seems to be IdO client-to-CA Server (which doesn't seem like > > "NDC IdO side"). > > > Additionally, Section 2.3.3. seems to be describing the requirements that > > > correspond to construction of the order sent to the CA which is > > also covered at > > > the end of Section 2.3.2. > > > > > > ** Section 2.4. Per "The authors believe that this is a very minor > security > > > risk", it would be worth explicitly explaining that position > > (and not framed as > > > the belief of the authors) > > > > > > ** Section 2.5. This section introduces a new architectural element, > > ACME > > > Delegation server, but doesn't define it. Simply referencing the use cases > in > > > Section 4.1.2 isn't enough as this section doesn't even use those words > > > ("Delegation server"). > > > > > > ** Section 2.5. Per "The "Location" header must be rewritten", it > would > > be > > > useful to describe the new target. > > > > > > ** Section 3.1. There are some challenges with the template syntax. > > > -- Where is the normative format for the syntax? Section 3.1 points to > > > Appendix B which lists JSON schema whose format is specified > > "draft 7 of JSON > > > Schema, which may not be the latest version of the corresponding > Internet > > > Draft [I-D.handrews-json-schema] at the time of publication". > > As far as I can > > > tell "draft 7 of JSON Schema" seems to resolve to https://json- > > > schema.org/specification-links.html which points back to > > draft-handrews- > > json- > > > schema. This draft appears to be an expired, individual draft codifying. > > This > > > ambiguity and lack of stable reference is problematic. > > > > > > -- Accepting the Json schema as is, there is no annotation on the fields. > > The > > > field names very much look like X.509 fields but the text > > provides no guidance > > > on how they should be interpreted to create a CSR beyond > > explaining "**", "*" > > > and what is mandatory. I would have expected a field mapping > > but the text > > > explicitly says "The mapping between X.509 CSR fields and the > > template will be > > > defined in a future revision of this document.". > > > > > > ** Section 3.1. > > > The NDC MUST NOT include in the CSR any fields that are not specified > > > in the template, and in particular MUST NOT add any extensions > unless > > > those were previously negotiated out of band with the IdO. > > > > > > These two normative clauses seem to conflict. The first clause says > that > > the > > > CSR can only have fields listed in the template (and nothing > > else). How would > > > one include extensions not in the template based on out of band > > negotiation? > > > It seems like it is either in the template or not. > > > > > > ** Section 4. Is this entire section normative protocol guidance? Or > just > > > informatively describing use cases? If it is informative, please say so. > > > > > > ** Section 4.1.* Please expand UA = User Agent and CP = Content > > Provider > > > prior to their introduction in the figures > > > > > > ** Section 4.1.2.1. Please expand SAN. > > > > > > ** Section 4.1.2.1. There is a TBD text here, "TBD bootstrap, see > > > https://github.com/yaronf/I-D/issues/47" > > > > > > ** Section 4.1.2.1 Step 2 of Figure 6. Editorial. Don't use colloquial > > > language "CDNI things" - s/CDNI things/CDNU meta-data/ > > > > > > ** Section 5.*. Add "registry" to the name of the registry in question. > > For > > > example, in Section 5.1.: s/ACME Directory Metadata Fields/ACME > > Directory > > > Metadata Registry/ > > > > > > ** Section 5.4. If there isn't a registry, why are they in the IANA > section? > > > Should we create a registry? > > > > > > ** Section 5.5. Editorial. To make the bulleted list explaining the fields > > > symmetric with the registry columns: > > > NEW: > > > An extension name > > > > > > An extension type (the syntax, as a JSON Schema snippet) > > > > > > The mapping to an X.509 certificate extension. > > > > > > ** Section 5.5. Per the definition of the "type" column: > > > > > > -- Formally, what is a JSON Schema snippet? In particular, the three > pre- > > > loaded values reference seem to reference "Appendix B" which > > doesn't seem > > > like a "snippet" (it containing a fully valid and well-formed XML file). > > > > > > -- The registration policy is "expert review" so in theory a document is > > not > > > needed. Is the thinking that the registry row could contain a bare JSON > > > snippet? > > > > > > ** Section 5.5. What does "(only for the supported name formats)" > > mean in > > > the "Mapping to X.509" of subjectAltName > > > > > > ** Section 6.2. Editorial. s/cert/certificate/ > > > > > > ** Section 6.2. Per the enumeration of the "two separate parts" of the > > > delegation process, isn't there also: > > > -- serving the certificate back to the NDC > > > -- a process for handling revocation of the delegation and the > certificate > > > itself > > > > > > Both of these seem to be discussed in Section 6.3 in some form. > > > > > > ** Figure 1 and 8. In the spirit of consistency, consider if the CA should > > be > > > named the "CA Server" (per figure 1) or "ACME server" (per figure 8). > > > > > > ** Section 6.4. s/Following is the proposed solution where/The > > following is a > > > possible mitigation when/ > > > > > > Regards, > > > Roman > > > > > > > > > > > > > > > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme
- [Acme] AD Review: draft-ietf-acme-star-delegation… Roman Danyliw
- Re: [Acme] AD Review: draft-ietf-acme-star-delega… Yaron Sheffer
- Re: [Acme] AD Review: draft-ietf-acme-star-delega… Thomas Fossati
- Re: [Acme] AD Review: draft-ietf-acme-star-delega… Roman Danyliw
- Re: [Acme] AD Review: draft-ietf-acme-star-delega… Salz, Rich
- Re: [Acme] AD Review: draft-ietf-acme-star-delega… Roman Danyliw
- Re: [Acme] AD Review: draft-ietf-acme-star-delega… Yaron Sheffer
- Re: [Acme] AD Review: draft-ietf-acme-star-delega… Roman Danyliw
- Re: [Acme] AD Review: draft-ietf-acme-star-delega… Roman Danyliw
- Re: [Acme] AD Review: draft-ietf-acme-star-delega… Thomas Fossati
- Re: [Acme] AD Review: draft-ietf-acme-star-delega… Roman Danyliw