Re: [Acme] Fwd: New Version Notification for draft-ietf-acme-star-delegation-01.txt

Thomas Fossati <Thomas.Fossati@arm.com> Thu, 29 August 2019 09:39 UTC

From: Thomas Fossati <Thomas.Fossati@arm.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>, Yaron Sheffer <yaronf.ietf@gmail.com>
CC: "acme@ietf.org" <acme@ietf.org>, Thomas Fossati <Thomas.Fossati@arm.com>
Thread-Topic: [Acme] Fwd: New Version Notification for draft-ietf-acme-star-delegation-01.txt
Date: Thu, 29 Aug 2019 09:38:42 +0000
Message-ID: <3FE5BE45-EB69-429E-A4DB-7B7838DC0AFE@arm.com>
References: <156688663499.2633.13348873823926960427.idtracker@ietfa.amsl.com> <0d62ec19-399c-94e7-a44a-098ccf99bc7e@gmail.com> <CAErg=HFekDDOu0SPe171NJuXpCDUkiyV7_9bQMDz1GquXPoUiA@mail.gmail.com>
In-Reply-To: <CAErg=HFekDDOu0SPe171NJuXpCDUkiyV7_9bQMDz1GquXPoUiA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/oMGwUtv-np-Xu6tTVsO-7qgkOzE>

Hi Ryan,

Thanks very much for the comments.  I'm going to address some of your
points and let Yaron comment on the rest.

On Tue, Aug 27, 2019 at 2:28 AM Yaron Sheffer <yaronf.ietf@gmail.com> wrote:
> I was a bit surprised to not see any references to the Delegated
> Credentials for TLS (
> https://tools.ietf.org/html/draft-ietf-tls-subcerts ) specification.
> Is my understanding correct that these are functionally addressing the
> same problem?

Yes, it is.

> Introduction: The introduction introduces the concept of NDC, but then
> transitions to use the acronym CDN. Perhaps it would be useful to
> explicitly specify if you meant a Content Delivery Network (CDN) to be
> a Name Delegation Consumer (NDC), or if perhaps that was just a typo.

There is no typo.  A CDN is just one type of NDC.  We'll make sure
there's no ambiguity here.

> Also in the introduction, it states "Understandably, most IdOs balk at
> sharing their long-term private keys", but this is difficult to
> quantify. It would imply that most sites do not use CDNs, when I
> suspect the reality is actually inverted - more sites use CDNs or
> hosting providers than those that don't. Perhaps this should be updated
> to say "some IdOs", or perhaps quantify as "IdOs may balk", both of
> which indicate possibilities without indicating magnitude.

Makes sense, we'll fix.

> 4.1.2 Chained Delegation The use of the terms uCDN and dCDN is... a
> bit surprising. Could you indicate a bit what those letters are meant
> to specify? My worry is that the u will be seen as similar to the
> Greek letter mu - aka the prefix typically used to indicate micro

This is the CDNI use case, so we reuse CDNI terminology: 'u' is for
"upstream", 'd' is "downstream".  In the CDNI model the upstream CDN is
a "normal" CDN that maybe lacks the geographical footprint to
efficiently cover a portion of its end-user population and makes
agreements (transparently to the content provider) with a "downstream"
(regional, network operator run) CDN to extend its delivery footprint.

> That said, I admit, I'm a bit confused about the protocol design
> attempting to accommodate this. The motivation appears to be because
> "IdO may not even know about dCDN", but then immediately following, it
> notes that such proxying as proposed by the protocol is "governed by
> policy and contracts between the parties". It seems that if the intent
> is to leave it to policy, such accommodation may not be necessary.
> Alternatively, if the intent is to explicitly support this, it may be
> desirable to allow the IdO to express its policy to the uCDN as to
> expectations related to the dCDN, rather than relying upon an
> out-of-band mechanism.

I think the policy that we can express is solely between adjacent
parties (this is the CDNI interface model).

> 6.1 Restricting CDNs to the Delegation Mechanism There are RFC 2119
> MUSTs attached here, when it seems these functionally should be
> SHOULDs. That is, I think it's fair to highlight the consideration of
> concerns between the IdO and the CDN, but I don't think it's
> reasonable to normatively specify the policy consideration mechanism.
> For example, as specified, those requirements would not be sufficient
> to guarantee that a conforming CA uses this mechanism, as a number of
> CAs "comply with ACME" (second bullet), but also offer additional
> validation methods/issuance flows which also use the "dns-01" method.
>
> As CAA is intentionally flexible to allow for CA-specific policy
> identifiers to be expressed between the IdO and the CA, I think it's
> best to change these to SHOULD, and to recognize that CAs may devise
> other means of technically expressing this conformance, and that's
> between the IdO and the CA. CAA provides the necessary component (to
> allow them to restrict to CAs that respect CAA, to allow CA-specific
> policy), but I think that's the extent to which policy-specific
> requirements can be made.

I think Yaron is better placed than me to comment on these two.

Cheers!
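As an added illustration of the CAA point raised on section 6.1 (not code from the draft or from either author), the following Python routine evaluates whether a given CA may issue for a name using a given validation method: it performs the RFC 8659 relevant-record-set climb and honours the RFC 8657 "validationmethods" parameter, so an IdO can pin issuance to one CA and to "dns-01". The zone contents, the CA name ca.example and the host names are constructed for the example.

```python
"""CAA evaluation: RFC 8659 lookup plus RFC 8657 validationmethods check."""
from dataclasses import dataclass


@dataclass
class CAA:
    flags: int   # bit 7 (128) is the "issuer critical" flag
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "ca.example; validationmethods=dns-01"


def parse_value(value: str):
    """Split an issue/issuewild value into (issuer domain, parameter dict)."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return parts[0].lower(), params


def relevant_records(zone: dict, name: str):
    """RFC 8659 section 3: climb from the FQDN toward the root; the first
    non-empty CAA RRset found is the relevant one."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def ca_permitted(zone, name, ca_domain, method, wildcard=False):
    """True if ca_domain may issue for name via validation method 'method'."""
    rrset = relevant_records(zone, name)
    if not rrset:
        return True  # no CAA anywhere in the tree: issuance unrestricted
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False  # unknown critical property: CA MUST NOT issue
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild overrides issue for wildcard names
    matching = [r for r in rrset if r.tag == tag]
    if not matching:
        return True  # only iodef or non-issuance tags present
    for r in matching:
        issuer, params = parse_value(r.value)
        if issuer != ca_domain.lower():
            continue  # an empty issuer (";") matches no CA at all
        methods = params.get("validationmethods")
        if methods and method not in [m.strip() for m in methods.split(",")]:
            continue  # CA allowed, but not with this validation method
        return True
    return False


# Constructed zone: the IdO pins example.com to ca.example via dns-01 only,
# and forbids all issuance for static.example.com.
ZONE = {
    "example.com": [CAA(0, "issue", "ca.example; validationmethods=dns-01"),
                    CAA(0, "iodef", "mailto:security@example.com")],
    "static.example.com": [CAA(0, "issue", ";")],
}
```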
