Re: [Acme] I-D Action: draft-ietf-acme-ari-03.txt
Rob Stradling <rob@sectigo.com> Tue, 27 February 2024 11:05 UTC
Return-Path: <rob@sectigo.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D253C14F614 for <acme@ietfa.amsl.com>; Tue, 27 Feb 2024 03:05:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sectigo.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GhFgGUvYT81U for <acme@ietfa.amsl.com>; Tue, 27 Feb 2024 03:05:40 -0800 (PST)
Received: from NAM02-BN1-obe.outbound.protection.outlook.com (mail-bn1nam02on2104.outbound.protection.outlook.com [40.107.212.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 77EA6C14F5E2 for <acme@ietf.org>; Tue, 27 Feb 2024 03:05:40 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jKlaxn1ppCY+1h9eRZ7LS7oDj6MLfwDFmsPwSmhg/ajUMXX07mOqxxf2/saLshBlcVjJry0l+c08ODZSZDXnpVClj9uK2HGfYiKeMziRurinmTHw5Qemqk6khy+9kwyp1gKkN9xVdG6yivd9IpSBY0uCKenmsBeyyxyu19dV7jwfxOc2Byt5z7PLmw2c+HQzbYs8lshq5WNy4rP75ZuZELEcTJl52/xro7E3HbxLGss33KigjmOSNbYCizBwfq9SPvAJF2TysnKoy9tEGJAjwM89NxmZQZQKtAwpxnmEzVAzgJCNJxigpfnGLvfT6N2wrKsTp3wUQ50P7V8tmqDTWw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=HOGo3sNViqvxjh8QtFHIvIyAombc7dMbEolMfXsniCI=; b=Y71JGCPxNwfKhJisYgR3G9UwQHhv5nO26spIjjVnbIeCIv8Q2/taa+JEeN1/TIf07QH8Rfun9cat6Rzf8+JBhC5HgrWMTUuzotd6DoxCDP1knKZYMHHX6TcbFKAarSWEHqi0z6fy5DWTxBvY9uIyU6WXUIAmBVRI0oGwH2xyrBfYPCHYrI7cWkSESw0ku8BPd0KrNV0SUMMj3zz66ZTyPnOQzgDbmvAflXQG7FBcC12UF8G6VDGUmSrqed45bCvRKlgup1qLoZ0UkF+PCb78m2lVKVV7WeJoJwlGlfbbKVWUB643Z3dxB6Rr5xStcIdrDIPpyIfdmp/znatOjHeNLg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=sectigo.com; dmarc=pass action=none header.from=sectigo.com; dkim=pass header.d=sectigo.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sectigo.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=HOGo3sNViqvxjh8QtFHIvIyAombc7dMbEolMfXsniCI=; b=g+9n07h9EYlLhjvwkGo/a+2c1pNdTVO0oLC49o8aN6LtqG4LYZ1f2C052sZblbC/kl+f+hDPubPtpieizrc8MrcK7uTswtHQhi3jNIWySKZ1TudFGYbyZeiVToFXGYqL0aArK5q5Aj5LJXycrUTZLYu+c0X9Oa1LDRbuxBRihzQ=
Received: from MW4PR17MB4729.namprd17.prod.outlook.com (2603:10b6:303:106::18) by PH7PR17MB6180.namprd17.prod.outlook.com (2603:10b6:510:213::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7316.36; Tue, 27 Feb 2024 11:05:35 +0000
Received: from MW4PR17MB4729.namprd17.prod.outlook.com ([fe80::3b3b:3fa4:5ce4:7015]) by MW4PR17MB4729.namprd17.prod.outlook.com ([fe80::3b3b:3fa4:5ce4:7015%7]) with mapi id 15.20.7316.037; Tue, 27 Feb 2024 11:05:30 +0000
From: Rob Stradling <rob@sectigo.com>
To: Aaron Gable <aaron=40letsencrypt.org@dmarc.ietf.org>, Carl Wallace <carl@redhoundsoftware.com>
CC: "acme@ietf.org" <acme@ietf.org>
Thread-Topic: [Acme] I-D Action: draft-ietf-acme-ari-03.txt
Thread-Index: AQHaWtH+wvaaESKQUU2eLVu8feFKmrEcqxUAgAEZmYCAAEzq1A==
Date: Tue, 27 Feb 2024 11:05:29 +0000
Message-ID: <MW4PR17MB4729071AE21E323305858391AA592@MW4PR17MB4729.namprd17.prod.outlook.com>
References: <170742607913.20668.4615074555122263660@ietfa.amsl.com> <D16919B8-E602-4DA0-AF0A-D02EC327F019@redhoundsoftware.com> <CAEmnEreT3MGMr7rEMDJf4D6dMyRt+AU0ySyPtby8b_t9ZheX7g@mail.gmail.com>
In-Reply-To: <CAEmnEreT3MGMr7rEMDJf4D6dMyRt+AU0ySyPtby8b_t9ZheX7g@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=sectigo.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: MW4PR17MB4729:EE_|PH7PR17MB6180:EE_
x-ms-office365-filtering-correlation-id: 96daca00-a796-4a48-d1e5-08dc378402a8
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: SKe9bwV6aYFgK1YdqZsREaccTba3brZ0Ay7X7I5ogz91FurXBd4MXeICz3h/Fd9PktbesZmtet+8YyhEJg31NqNAn6uLTt9TT9o4O34MPEM3gdmF4UKoviesPU5F+uQ+ymQFDT8y9Uhf/Ff02xDeFcHUvAZw39GBFvse6ZEwkzoIGIb3ISzCF80V7WupPmRa6VCjlkLqz7owdBTErOVVr3XecXBOnFVjWoQ5AX9DmcyZYkbvA1DFHgyd3wTspeeFPClSRxwsnEozwWZ1vXC925/Bx9KxYXlkOfGkSpgZfs2pe7/WA+4yFhhz6M4c2024JfP/CrutwAq1++IUc7j+KJvX1CYeui5bbl9KM16gucOmki53iaanDZ/KDz9Lh+/3fDgXcqCT5D8RyQF8kfIFnzrvaMGvcXLwy4nilAIFnFDppq3acz1FWmB83KuoK4sL+OVYoQAbOaU31EKgyE98F20G97+DjalPNvIIcBiZYJrtK8M7cU46OEAzKrx4EXRoopIOKv9uwozbdrmsqbmt0zXjVr2PlVys0rZDQQJ5FTPM63Ww/JqPrDres8uT9cFail1jCZ9PwT3oFTH7XJaBmFLFEeI2Up1GLEfTy7+q5mV07ZpyaawprTCYC/NshVB80Lu4l2sCeSujVnMioywiRcOKmCBTSc2Pi/Os6GeJmWapUVPZrF/gAiwVNXgLkmwKM3AvRA8rjvZ9d0VnPFGp5g==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MW4PR17MB4729.namprd17.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(230273577357003)(38070700009); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: nP2BlapB0BoPTdhn+FxuIBPre+8DUIVCpyDzpyPzw6N/CrSRCNu1s5vhuKNnUEsR4budjDEyFO0NSnKs3M5Rj74RX172Uqb2K7++lvt0M/5U4vCshNqxWJbMsnBI6fcmMNlaIpFwXSiVuVef5v188kgBAbHLp82Oz52EnBtlMQtRxlNXZ2AFLihQe0/5zzNG9bEgqL6jydPnTVJz2Tk2dMl2Jy0N/TdkXIiIoQ7XBasWm92hZ/vZs5QX5gFi8dKz7+YYTHvhPMWuTpHIE8Sec4FVWc4CPLfdIcYiW54GrH0bp1GBdEOlnzUNOqf9TejtRV8ZybV4lUdPPa4THOGXth7+jT/C5NArQjE0C58z9jVO1YyZjpSQHaEkkxBYTWYM7WWSroPw1v8bYFXb1ZihjwUh4fRTRC9DLIlUsl2+DgElVAN/DyUwAocKfEUFP5OQsBrC6VrZcyNhtSgYaThT6OUV/niogDnYi/RuW2qTri2IHuuuP4wZsbsH88b/7iZUmJ/nOPttBsWxrk7ibV6AnH+WLrOy3ExIT6o8IDiko+eUjpvWdsA+UEZaEvOhXx/rscD3vHXfK9Nlxiiqd24elzGiyXdQ43BI2DEoEzvA2LgW2ICV1Ju0kRTdI+3Uhiqv3S7xracaGxrk338xkA+6BkZiEmDrEtGzAp6M6t84+2ZexktYDb0ynMbVGklZIHepW5+w4rnwWMRbtQJjt/0JNkicMzUxeeHOlbog4341ZdaGs4XEAXOSMpB9/mP0zm4g1vMg64kGyOLyi0PrjEV1BR5JPOS3WVlcY+elarJnuQpq9yMpyUvSEz4CsXZ01ow8wR0gYj7nYV2SMGU5z1Maxk/muoLk0TV8Hi9TZQ0C2fsWhs2nuOnhTgUEcoaxXm3mHlySHhilBOfBJoqH/tFF/Ep1KkQzVc/ZYarXj5pCfcAF5lbREZLQQ1hBfb30ktglrhA3R16ex4qhlIBJOE8W8WhNGuRf/Sv1dzDUGvz3yzmUE1Ut857vGjLLClNQ7RNwrhbGxltCuGX0McJ0Ckp5BeO6dN1C34JF7TpHY0mKxTLuHQj6ezw/tQJFett0qCbwmdyRAzURh4WN8QtBxgSuVLxZx9kMP5VjM8cg7Drc5ZNdVja4eSJNLTjp7GoEfYPgMg21b5k2lV3Ly6178jBbqLZYTDDBP/My7ZtSuRv4rVaA968cypc3Ix7bTQwkqIcs7YIz+zkf4mVxpEhAsirfjlV2BxPhLB5+yX5i+puQY0aEUZm+bNuUHoSL+D03CMv6OK1taLXj3rU1HYBlTn8epKBq5BTFHoDlzPE/oqga6rsvvWP2tBlx6lb/zEbEkBtgwYMy0lIIIm+/vJwu6jfN6+dI59k77TPYqfi8yo5JF9Vqnf8/K9RzeD7ktlLbEId3QxsKVBGyQ6YX9D9QFhcfTYTH3AtHH3bbrUJqYSln2raRmwW+9PWwoBtk2qSP4XP0bN3HRFUun+Kh3093snUu9aXJ6SQjnChmwZBZlpFn9BJ7cvmyjBUDHJxsaylkqecdrHoO5fRq45Z0FvlXVf0AFR91lmXskw571m94HJ65968=
Content-Type: multipart/alternative; boundary="_000_MW4PR17MB4729071AE21E323305858391AA592MW4PR17MB4729namp_"
MIME-Version: 1.0
X-OriginatorOrg: sectigo.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MW4PR17MB4729.namprd17.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 96daca00-a796-4a48-d1e5-08dc378402a8
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Feb 2024 11:05:29.9330 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0e9c4894-6caa-465d-9660-4b6968b49fb7
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 9XCmNFWB9Z5Rju+j+Rm2/HFEgGrtKq7gQ5niTwZ7T2GgEJ/eNvGbfIY6OHe1QjLH/XrFvOVvIex/RjbQlG4t4A==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH7PR17MB6180
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/nI0IPNIfENGouzE8Aahze9DvFL8>
Subject: Re: [Acme] I-D Action: draft-ietf-acme-ari-03.txt
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Feb 2024 11:05:44 -0000
Carl wrote: > If this mechanism only applies to certs that conform to a profile that requires presence of key identifier in the AKID extension, state that up front. I think this is a reasonable request. Aaron wrote: > RFC 5280 requires both that the AKID extension be present and that the keyIdentifier field be present within it I think it's worth pointing this out too. > Do other members of this list think that using some form of the Issuer Name bytes would be better than using the keyIdentifier? Only if "some form of the Issuer Name bytes" turns out to be the CertID structure used by OCSP and earlier ARI drafts! Reusing an appropriate existing mechanism can have benefits, but if we're now talking about defining a new mechanism then I'll point out that Name matching can be a bit of a footgun... From https://datatracker.ietf.org/doc/html/rfc5280#section-8: Inconsistent application of name comparison rules can result in acceptance of invalid X.509 certification paths or rejection of valid ones. The X.500 series of specifications defines rules for comparing distinguished names that require comparison of strings without regard to case, character set, multi-character white space substring, or leading and trailing white space. This specification relaxes these requirements, requiring support for binary comparison at a minimum. CAs MUST encode the distinguished name in the subject field of a CA certificate identically to the distinguished name in the issuer field in certificates issued by that CA. If CAs use different encodings, implementations might fail to recognize name chains for paths that include this certificate. As a consequence, valid paths could be rejected. ________________________________ From: Acme <acme-bounces@ietf.org> on behalf of Aaron Gable <aaron=40letsencrypt.org@dmarc.ietf.org> Sent: 27 February 2024 05:23 To: Carl Wallace <carl@redhoundsoftware.com> Cc: acme@ietf.org <acme@ietf.org> Subject: Re: [Acme] I-D Action: draft-ietf-acme-ari-03.txt CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. On Mon, Feb 26, 2024 at 4:36 AM Carl Wallace <carl@redhoundsoftware.com<mailto:carl@redhoundsoftware.com>> wrote: Two comments on the third paragraph of section 4.1: - The addition of section identifiers for the references makes the sentences harder to read. Maybe wrapping the section identifiers and reference in parentheses. Thanks, this feedback is appreciated. I've gone back and forth a lot on how best to do these references, and tried a bunch of different things, and this was my favorite phrasing so far. Unfortunately putting them in parentheses causes the resulting sentence to not read in plain English, unless I'm misunderstanding your suggestion? - The preparation of the URI uses the keyIdentifier field of AuthorityKeyIdentifier. That field is optional. What should occur if it is absent (or if AKID is absent)? Given 5280 requires uniqueness for issuer name and serial and the issuer field is not optional, would the issuer field make for a better target than AKID? If this mechanism only applies to certs that conform to a profile that requires presence of key identifier in the AKID extension, state that up front. This is a very interesting point. RFC 5280 requires both that the AKID extension be present and that the keyIdentifier field be present within it (Section 4.2.1.1<https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1>: "The keyIdentifier field of the authorityKeyIdentifier extension MUST be included in all certificates generated by conforming CAs to facilitate certification path construction."). So it's not obvious to me that the issuer name + serial uniqueness is any more required than the existence of the keyIdentifier field. Do other members of this list think that using some form of the Issuer Name bytes would be better than using the keyIdentifier? Thanks again, Aaron
- [Acme] I-D Action: draft-ietf-acme-ari-03.txt internet-drafts
- Re: [Acme] I-D Action: draft-ietf-acme-ari-03.txt Carl Wallace
- Re: [Acme] I-D Action: draft-ietf-acme-ari-03.txt Aaron Gable
- Re: [Acme] I-D Action: draft-ietf-acme-ari-03.txt Carl Wallace
- Re: [Acme] I-D Action: draft-ietf-acme-ari-03.txt Salz, Rich
- Re: [Acme] I-D Action: draft-ietf-acme-ari-03.txt Salz, Rich
- Re: [Acme] I-D Action: draft-ietf-acme-ari-03.txt Rob Stradling
- Re: [Acme] I-D Action: draft-ietf-acme-ari-03.txt Aaron Gable