Re: [Acme] AD Review: draft-ietf-acme-star-delegation-04
Roman Danyliw <rdd@cert.org> Wed, 24 February 2021 14:20 UTC
Return-Path: <rdd@cert.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E11523A1640 for <acme@ietfa.amsl.com>; Wed, 24 Feb 2021 06:20:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NQovF9WnUkkR for <acme@ietfa.amsl.com>; Wed, 24 Feb 2021 06:20:11 -0800 (PST)
Received: from veto.sei.cmu.edu (veto.sei.cmu.edu [147.72.252.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D61DA3A163E for <acme@ietf.org>; Wed, 24 Feb 2021 06:20:10 -0800 (PST)
Received: from korb.sei.cmu.edu (korb.sei.cmu.edu [10.64.21.30]) by veto.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 11OEK87K023538; Wed, 24 Feb 2021 09:20:08 -0500
DKIM-Filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu 11OEK87K023538
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1614176408; bh=a40Q5r1OYkRH0h37JYlR4YH5Z7Z96S2kJqphodo6Af0=; h=From:To:Subject:Date:References:In-Reply-To:From; b=BPvr3hG7Rw5/hILxRwJ71pfblBWtsltJB/fQu3jbDMDUtYtR0QczyHqBzDuLAk4cP /QlV73/rO2n7c2F9/JSFbmdMBI4uag9V57UbUMeu1hkuM1DyJiJByv+GuSYYtd6XVE HhFlZkQlP34QtdNBxr5FuV0FM2c9F1UTdyW1Kfcg=
Received: from MURIEL.ad.sei.cmu.edu (muriel.ad.sei.cmu.edu [147.72.252.47]) by korb.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 11OEK5do021426; Wed, 24 Feb 2021 09:20:05 -0500
Received: from MORRIS.ad.sei.cmu.edu (147.72.252.46) by MURIEL.ad.sei.cmu.edu (147.72.252.47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2106.2; Wed, 24 Feb 2021 09:20:05 -0500
Received: from MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb]) by MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb%13]) with mapi id 15.01.2106.002; Wed, 24 Feb 2021 09:20:05 -0500
From: Roman Danyliw <rdd@cert.org>
To: Yaron Sheffer <yaronf.ietf@gmail.com>, IETF ACME <acme@ietf.org>
Thread-Topic: [Acme] AD Review: draft-ietf-acme-star-delegation-04
Thread-Index: Adb7Rh0lkRNAgi4VQP6kSm1bN0WrcAA9E/IAA2wWkiAAPWdigAAKIwYg
Date: Wed, 24 Feb 2021 14:20:03 +0000
Message-ID: <b4307f5c6d3e495785ae1051f3927207@cert.org>
References: <5b94cd8f4c4944838936589cea70bd62@cert.org> <B85D7793-E228-4B95-B8DF-FD46F71F4F1C@intuit.com> <404f7522d37b41ecabb854bee42dc333@cert.org> <9D628EB5-401E-4FCD-8BBC-3FB967FB4102@gmail.com>
In-Reply-To: <9D628EB5-401E-4FCD-8BBC-3FB967FB4102@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.202.228]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/rR5HjJRRUFHItCfE9LN_epQFeD8>
Subject: Re: [Acme] AD Review: draft-ietf-acme-star-delegation-04
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2021 14:20:14 -0000
Hi Yaron and Thomas! > -----Original Message----- > From: Yaron Sheffer <yaronf.ietf@gmail.com> > Sent: Wednesday, February 24, 2021 9:08 AM > To: Roman Danyliw <rdd@cert.org>; IETF ACME <acme@ietf.org> > Subject: Re: [Acme] AD Review: draft-ietf-acme-star-delegation-04 > > Hi Roman, > > (1) In fact the existing language is more accurate. The CSR template is sent to > the NDC in order to constrain what the NDC puts in the CSR. So the text that > describes the mapping *from* the CSR template *to* the CSR is correct. Also, > SPKI is freshly generated by the NDC, guided by the constraint on which key > types it may use. So maybe: > > The subject field and its subfields are mapped into the subject field of the CSR, > as per [RFC5280], Sec. 4.1.2.6. Other extension fields of the CSR template are > mapped into the CSR according to the table in Section 5.6. The Subject Public > Key Info field of the CSR is generated by the NDC according to the constraints > defined by the "keyTypes" object of the template. > > (2) It turns out that my coauthor Thomas is a native CDDL speaker. So we will > include a CDDL schema in addition to the JSON Schema. I concur that > developers are much more likely to use the latter. Great. Thanks for adding this unexpected element. Roman > Thanks, > Yaron > > On 2/23/21, 18:31, "Roman Danyliw" <rdd@cert.org> wrote: > > Hi Yaron! > > Thanks for all of the work that went into -05. It addresses all of my concerns > but the following: > > (1) Section 3.1. The updated language is helpful, but I recommend a bit more > precision to cover all of the fields. > > OLD > The subject field and its subfields are mapped into the subject field of the > CSR, as per [RFC5280], Sec. 4.1.2.6. Other extension fields of the CSR template > are mapped into the CSR according to the table in Section 5.6. > > NEW > The "Subject" field and its subfields per Section 4.1.2.6 of [RFC5280] are > mapped into the "subject" field of the CSR template. The "Subject Public Key > Info" field and its subfields per Section 4.1.2.7 of [RFC5280] are mapped into > the "keyTypes" field of the CSR template. Other extension fields are mapped as > subfields of the "extensions" field in the CSR template according to the table in > Section 5.6. > > (2) The more thorny issue is how to handle a normative dependence on the > JSON schema. Short of it being in the document, whatever is the formal > language used to define the CSR template needs an appropriate normative > reference describing it. Currently, [json-schema-07] in Appendix B would need > to be normative (not informative). I confirmed my concern with the ART ADs, > and there is agreement that neither draft-handrews-json-schema-validation or > http://json-schema.org will be an adequate normative references (i.e., [json- > schema-07]). > > IMO, JSON still seems like the right architectural pattern here. I also don't > see an issue with the Schema that was specified. > > A possible compromise (vetted with the ART ADs) is to follow the pattern of > RFC8727 which also tried to use JSON Schema but couldn't find a usable > normative reference -- full disclosure, I was a co-author. This RFC normatively > specified the "schema" via CDDL but also informatively provided the same > schema via [json-schema-07]. Practically, implementers ignore the CDDL and > use the more assessible JSON. I appreciate this approach is additional work and > pulls in another "technology" that isn't a natural fit in the ACME ecosystem. > > Do you see any alternatives? > > Regards, > Roman > > > -----Original Message----- > > From: Yaron Sheffer <yaronf.ietf@gmail.com> > > Sent: Friday, February 5, 2021 5:45 PM > > To: Roman Danyliw <rdd@cert.org>; IETF ACME <acme@ietf.org> > > Subject: Re: [Acme] AD Review: draft-ietf-acme-star-delegation-04 > > > > Hi Roman, > > > > Thank you for the detailed review. We will go through your comments and > will > > rev the document accordingly, but in the meantime, let me respond > specifically > > to the issue of the CSR template syntax. > > > > The CSR template is potentially a long/complicated JSON document > (example: > > [1]), and we felt that rather than including an informal definition which is > easy > > to get wrong or a long sequence of examples, our audience would be > better > > served by a formal definition. > > > > To the best of my knowledge, by far the most common way to specify a > JSON > > document format is with JSON Schema documents. Granted this spec is still > a > > moving target, but it's already widely implemented. Also, there are > discussions > > between the leaders of the JSON Schema effort and people on the HTTP- > API > > working group, with the goal of standardizing it there. > > > > JSON Schema draft-7 is defined by draft-handrews-json-schema-validation- > 01 > > (and a few companion document), and not (as we incorrectly noted) by the > > latest version of that draft. Clearly it's not ideal to refer to a specific, > expired > > version of an I-D. The situation is mitigated to a certain degree by the > schema > > document [2] mentioning explicitly the supported version: > > > > "$schema": "http://json-schema.org/draft-07/schema#" > > > > I hope this clarifies things. Regarding your two related comments: > > > > - Yes, we should have specified the mapping of fields into X.509, and will > do > > that when we address your comments. > > - The notion of "snippet" is actually well defined when we say, "a JSON > Schema > > snippet that defines a type". Formally this is a valid JSON object with a > "type" > > attribute, per draft-handrews-json-schema-validation-01 Sec. 6.1.1. > > > > Thanks, > > Yaron > > > > > > [1] https://raw.githubusercontent.com/yaronf/I-D/master/STAR- > > Delegation/CSR-template/example-template.json > > [2] https://raw.githubusercontent.com/yaronf/I-D/master/STAR- > > Delegation/CSR-template/template-schema.json > > > > > > On 2/5/21, 00:50, "Roman Danyliw" <rdd@cert.org> wrote: > > > > Hi! > > > > I did an AD review of draft-ietf-acme-star-delegation-04. Thanks for this > > work to apply the STAR profile (rfc8739). Below are my comments. There > are > > a number of editorial clarifications proposed below. The item that likely > needs > > some discussion is the syntax of the CSR template. > > > > ** Idnit: > > ** Obsolete normative reference: RFC 6844 (Obsoleted by RFC 8659) > > > > == Outdated reference: A later version (-04) exists of > > draft-ietf-cdni-interfaces-https-delegation-03 > > > > -- Unexpected draft version: The latest known version of > > draft-ietf-stir-cert-delegation is -02, but you're referring to -03. > > > > ** Section 1. Editorial. Missing preposition. > > OLD > > This document describes a profile of the ACME protocol [RFC8555] that > > allows the NDC to request the IdO, acting as a profiled ACME server, > > a certificate for a delegated identity > > NEW > > This document describes a profile of the ACME protocol [RFC8555] that > > allows the NDC to request from the IdO, acting as a profiled ACME > server, > > a certificate for a delegated identity > > > > ** Section 2.2. Editorial. Recommend symmetry in naming of the orders > and > > being explicit on the order in question. > > -- second from last bullet. s/reflected in the NDC order/reflected in > Order 1 > > (i.e., the NDC Order)/ > > -- last bullet. s/moves its state to "valid"/moves the Order 1 state to > "valid"/ > > > > ** Section 2.2. Should the buffering requirement for the CSR be > normative - > > s/The IdO must buffer/The IdO MUST buffer/ > > > > ** Section 2.2. Per "[No identify validation]", what is meant by that? > > > > ** Section 2.3.1. Editorial. s/The IdO can delegate multiple names > through > > each NDC/The IdO can delegate multiple names to a NDC/ > > > > ** Section 2.3.1. Are there any constraints to what the delegation URLs > > could point to? > > > > ** Section 2.3.1. Per "The value of this attribute is the URL pointing to > the > > delegation configuration object that is to be used for this certificate > request", > > what is the error handling if the delegation attribute doesn't point to a URL > > found in the delegations URL list? > > > > ** Section 2.3.2. It might be worth pointing out the obvious when > clarifying > > the properties of the Order objects such as: > > -- That the value field will be the delegated name > > > > -- The expected symmetry in field values between NDC-generated order > > object and the one made by the IdO > > > > ** Section 2.3.2. Per "When the validation of the identifiers has been > > successfully completed ...", it would be useful to clarify who is doing the > > validation and when. Figure 1 suggests that there is only a validation > process > > between IdO client and CA server. However, wouldn't the IdO server be > > checking the identifiers submitted by the NDC client too (prior to passing > them > > to the CA server too? > > > > ** Section 2.3.2 and 2.3.3. I didn't understand the titles used to > organize of > > content -- "Order Object on the NDC-IdO side" vs. "IdO-CA side". They > didn't > > follow the clear convention introduced by Figure 1 of NDC client, IdO client, > IdO > > server and CA server. Additionally, Section 2.3.2 discusses behavior which > > seems to be IdO client-to-CA Server (which doesn't seem like "NDC IdO > side"). > > Additionally, Section 2.3.3. seems to be describing the requirements that > > correspond to construction of the order sent to the CA which is also > covered at > > the end of Section 2.3.2. > > > > ** Section 2.4. Per "The authors believe that this is a very minor security > > risk", it would be worth explicitly explaining that position (and not framed > as > > the belief of the authors) > > > > ** Section 2.5. This section introduces a new architectural element, > ACME > > Delegation server, but doesn't define it. Simply referencing the use cases in > > Section 4.1.2 isn't enough as this section doesn't even use those words > > ("Delegation server"). > > > > ** Section 2.5. Per "The "Location" header must be rewritten", it would > be > > useful to describe the new target. > > > > ** Section 3.1. There are some challenges with the template syntax. > > -- Where is the normative format for the syntax? Section 3.1 points to > > Appendix B which lists JSON schema whose format is specified "draft 7 of > JSON > > Schema, which may not be the latest version of the corresponding Internet > > Draft [I-D.handrews-json-schema] at the time of publication". As far as I > can > > tell "draft 7 of JSON Schema" seems to resolve to https://json- > > schema.org/specification-links.html which points back to draft-handrews- > json- > > schema. This draft appears to be an expired, individual draft codifying. > This > > ambiguity and lack of stable reference is problematic. > > > > -- Accepting the Json schema as is, there is no annotation on the fields. > The > > field names very much look like X.509 fields but the text provides no > guidance > > on how they should be interpreted to create a CSR beyond explaining "**", > "*" > > and what is mandatory. I would have expected a field mapping but the > text > > explicitly says "The mapping between X.509 CSR fields and the template > will be > > defined in a future revision of this document.". > > > > ** Section 3.1. > > The NDC MUST NOT include in the CSR any fields that are not specified > > in the template, and in particular MUST NOT add any extensions unless > > those were previously negotiated out of band with the IdO. > > > > These two normative clauses seem to conflict. The first clause says that > the > > CSR can only have fields listed in the template (and nothing else). How > would > > one include extensions not in the template based on out of band > negotiation? > > It seems like it is either in the template or not. > > > > ** Section 4. Is this entire section normative protocol guidance? Or just > > informatively describing use cases? If it is informative, please say so. > > > > ** Section 4.1.* Please expand UA = User Agent and CP = Content > Provider > > prior to their introduction in the figures > > > > ** Section 4.1.2.1. Please expand SAN. > > > > ** Section 4.1.2.1. There is a TBD text here, "TBD bootstrap, see > > https://github.com/yaronf/I-D/issues/47" > > > > ** Section 4.1.2.1 Step 2 of Figure 6. Editorial. Don't use colloquial > > language "CDNI things" - s/CDNI things/CDNU meta-data/ > > > > ** Section 5.*. Add "registry" to the name of the registry in question. > For > > example, in Section 5.1.: s/ACME Directory Metadata Fields/ACME > Directory > > Metadata Registry/ > > > > ** Section 5.4. If there isn't a registry, why are they in the IANA section? > > Should we create a registry? > > > > ** Section 5.5. Editorial. To make the bulleted list explaining the fields > > symmetric with the registry columns: > > NEW: > > An extension name > > > > An extension type (the syntax, as a JSON Schema snippet) > > > > The mapping to an X.509 certificate extension. > > > > ** Section 5.5. Per the definition of the "type" column: > > > > -- Formally, what is a JSON Schema snippet? In particular, the three pre- > > loaded values reference seem to reference "Appendix B" which doesn't > seem > > like a "snippet" (it containing a fully valid and well-formed XML file). > > > > -- The registration policy is "expert review" so in theory a document is > not > > needed. Is the thinking that the registry row could contain a bare JSON > > snippet? > > > > ** Section 5.5. What does "(only for the supported name formats)" > mean in > > the "Mapping to X.509" of subjectAltName > > > > ** Section 6.2. Editorial. s/cert/certificate/ > > > > ** Section 6.2. Per the enumeration of the "two separate parts" of the > > delegation process, isn't there also: > > -- serving the certificate back to the NDC > > -- a process for handling revocation of the delegation and the certificate > > itself > > > > Both of these seem to be discussed in Section 6.3 in some form. > > > > ** Figure 1 and 8. In the spirit of consistency, consider if the CA should > be > > named the "CA Server" (per figure 1) or "ACME server" (per figure 8). > > > > ** Section 6.4. s/Following is the proposed solution where/The > following is a > > possible mitigation when/ > > > > Regards, > > Roman > > > > > > > >
- [Acme] AD Review: draft-ietf-acme-star-delegation… Roman Danyliw
- Re: [Acme] AD Review: draft-ietf-acme-star-delega… Yaron Sheffer
- Re: [Acme] AD Review: draft-ietf-acme-star-delega… Thomas Fossati
- Re: [Acme] AD Review: draft-ietf-acme-star-delega… Roman Danyliw
- Re: [Acme] AD Review: draft-ietf-acme-star-delega… Salz, Rich
- Re: [Acme] AD Review: draft-ietf-acme-star-delega… Roman Danyliw
- Re: [Acme] AD Review: draft-ietf-acme-star-delega… Yaron Sheffer
- Re: [Acme] AD Review: draft-ietf-acme-star-delega… Roman Danyliw
- Re: [Acme] AD Review: draft-ietf-acme-star-delega… Roman Danyliw
- Re: [Acme] AD Review: draft-ietf-acme-star-delega… Thomas Fossati
- Re: [Acme] AD Review: draft-ietf-acme-star-delega… Roman Danyliw