Re: [Acme] Draft notes from 27/3/19
Yaron Sheffer <yaronf.ietf@gmail.com> Wed, 27 March 2019 11:38 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 081B5120562 for <acme@ietfa.amsl.com>; Wed, 27 Mar 2019 04:38:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aBcfN3gw102K for <acme@ietfa.amsl.com>; Wed, 27 Mar 2019 04:38:18 -0700 (PDT)
Received: from mail-wr1-x433.google.com (mail-wr1-x433.google.com [IPv6:2a00:1450:4864:20::433]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78A6A120459 for <acme@ietf.org>; Wed, 27 Mar 2019 04:38:17 -0700 (PDT)
Received: by mail-wr1-x433.google.com with SMTP id t17so1494405wrw.13 for <acme@ietf.org>; Wed, 27 Mar 2019 04:38:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:subject:to:references:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=pCJb/Vh+wUvhb9ZgyIWqQkHRwA+iUiKgz7x3VkxGEaM=; b=gpVdkYZfSviBDQALNAjHdIOt+KTlq0U3kuWgKNdUtQfXHCcS62ZrRTgr7NZYTwDr1d IbFNIh9dc8fC6ihLuvuYprANaaWBYONrTnuVMplFPrVqbYid/rj0GIpFqCqrTTP3JNNr cQYAaiSLlT3Y8EJmQMwDUxj72VvF7GbV9L4/Z1N2zeEB8H1oFmM+219laGPcNpkzo2ol dBX6s3gwMqLXaEkJLSok2kRuvFN31N/mCIGPT7Y/LHlTx7gBg4zpNc8CU405/t21Q/uV h3l4rTTRvwzVcXxQK7M2HZKJSYbmMQaan0xLLvLBMc+3F7qYK+lcwuONqOUypnbkBDmQ XbCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:subject:to:references:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=pCJb/Vh+wUvhb9ZgyIWqQkHRwA+iUiKgz7x3VkxGEaM=; b=KGM/T6NQ6HlQQVyqsw3ByQIBEmbioOR0qOB9g6WFN6SU5hzPXaH1hjxAKIXnDcAJxK td0xUCIrB42oDGiPlDtc3sMsJjyugvl8Loy7cLMsF0TDbAiLYUfYvd5abI7WAQAsqejS dgdFLxLfRYpV87vjURAe0Eg/GcFV9OuzTpVowb42cUWv8offuMPW4RXp4VBsa0gIcWWT 0ap/bmq57F9lmLXzObjxnd0TgMVJoyFQDvSTrMv3Lf+YX6aivwQ3fvbVSqEMj17Tb6lr /n8MdyUj5K9jdptSZ3R+lMGZJghdhZJ65bzgMLfaKvbUHGC2fkKs5+LFCM3N6T1+GeZN wtfg==
X-Gm-Message-State: APjAAAWFYXEJLt617Js70xtDsr1cqXo/p3lEx8ZQBbrQeg9854T1gMkX O1XgFpmz4fp3pFr9ZM7YhcAvGa6s+eU=
X-Google-Smtp-Source: APXvYqzffAWTfaLj69lxMoJ/eap4lnVklw27oyl56lbeS9gabnoDcd3wJJq0sSMlLTDl3+5u0kN6Pg==
X-Received: by 2002:adf:f011:: with SMTP id j17mr20994248wro.330.1553686695853; Wed, 27 Mar 2019 04:38:15 -0700 (PDT)
Received: from ?IPv6:2001:67c:1232:144:a8e4:f5d6:8ea1:fcff? ([2001:67c:1232:144:a8e4:f5d6:8ea1:fcff]) by smtp.gmail.com with ESMTPSA id v14sm28276579wrr.20.2019.03.27.04.38.14 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 27 Mar 2019 04:38:15 -0700 (PDT)
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>, Robin Wilton <wilton@isoc.org>, "acme@ietf.org" <acme@ietf.org>
References: <3C20CDF7-F188-4D68-94F0-838041304EDB@akamai.com>
Message-ID: <0694ee00-eb27-1c67-d767-5d834d3fd99a@gmail.com>
Date: Wed, 27 Mar 2019 12:38:14 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <3C20CDF7-F188-4D68-94F0-838041304EDB@akamai.com>
Content-Type: multipart/alternative; boundary="------------412E87A5DABEC08107069A7C"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/q7J4TJNYv1Lo5UlDZVEEktVRs-M>
Subject: Re: [Acme] Draft notes from 27/3/19
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2019 11:38:32 -0000
So a few minor naming corrections for the STAR session: Roman is our incoming AD, the person from Telefonica is Diego Lopez, and Carl is really Cullen. On 27/03/2019 12:27, Salz, Rich wrote: > > Thank you Robin! > > Please post corrections here, the chairs will integrate and post to > the datatracker. > > *From: *"wilton@isoc.org" <wilton@isoc.org> > *Date: *Wednesday, March 27, 2019 at 12:27 PM > *To: *"acme@ietf.org" <acme@ietf.org> > *Subject: *[Acme] Draft notes from 27/3/19 > > ACME WG notes, 27/3/19 > > Milestone: RFC8555 is out! > > Rescorla: acme-ip-05 : security considerations section need to be > updated following my most recent comments on it. > > STAR (Short-term Automatically Renewed Certs) - Yaron Sheffer > Proposed moving to publish; authors don’t feel a new WGLC is needed. > => Chairs asked WG to read the current version, as an informal > alternative to a new WGLC. > > Rescorla: My view is that the changes made are sufficient. Ask the > incoming AD for his view. > Rowan (incoming AD): ack > > Telefonica: there is one implementation, available on Github and in > use by Telefonica. > > Rescorla: Is STAR being used in certificate issuance protocols? > Carl Jennings: isn’t this the point for the chairs to ask if anyone > plans to implement? > Michael Richardson: ?Anima won’t exactly implement, but does recommend > it and express a need. > > > 3rd-party device attestation for ACME - Rifaat > > Richard Barnes: URL in the ACME JWT specifies the intended destination > of the request, on the CA’s ACME server. Is that the intended > modification here? > => Response inconclusive; RB will re-read the specs. > > Carsten Bormann: Does authorization become attestation by being > packaged as a certificate? What makes this an “attestation”? > > Rifaat: the JWT specifies that this device is correctly associated > with this certificate. > > Michael Richardson: ACME challenges essentially “attest to the > existence of the device”. > > Watson Ladd: what kinds of certificate are these? > Rifaat: typically, an identifier for the device (MAC address), and a > service URI. > > Chair: too early to hum for adoption. Draft needs updating to remove > any ambiguity around terms of art such as “attestation”. > > > ACME Client Certificates - Kathleen Moriarty > > 1 - Device certificates: > Yoran Sheffer - this is interesting but not a good fit for cloud > deployments, where entities might not need their own “name”, but might > still need a certificate. > > Thomas Peterson - IP/DNS not appropriate in all cases. > > Paul - would be nice if this could work with IPSEC Cert Protocol > > Richard Barnes - if client certs are already identifying themselves by > one of the methods identified in the draft, no added work is needed. > No core difference between client certs and server certs except in the > EKU (which could be ignored under certain certs). > > KM - Draft was posted to the mailing list. > > 2 - End user certs > Should ACME handle these? KM not aware of a use case. Can they be left > to other organisations? > > Alexei Melnikov: S-MIME certs are a subset of these. > > Rescorla: don’t think we need a new “meta-framework” to handle end > user certs. > > Thomas Peterson - I think we should, to simplify enterprise handling > of browser certs. > > Code-signing Certificates > > Max - we do a lot of this, e.g. for cable modem certs. The processes > are really strict; the certs are more than EV certs, and we wouldn’t > feel comfortable automating this. > > Watson Ladd: don’t use SMS/email as pre-authorization methods for > this. They are too open to compromise, even with 2FA. > > Jon: STIR has specified an authorisation token that could be applied > in this case - at least as *part* of an automation process. > > Karthikeyan: we published analysis of ACME last year; Read vs Write > authentication channels are markedly different in security. > > Richard Barnes: consider removing superfluous material from the draft > as part of the focussing exercise. > > Authority Tokens - Jon > > > > > > >
- [Acme] Draft notes from 27/3/19 Robin Wilton
- Re: [Acme] Draft notes from 27/3/19 Salz, Rich
- Re: [Acme] Draft notes from 27/3/19 Yaron Sheffer
- Re: [Acme] Draft notes from 27/3/19 Salz, Rich