IETF Logo Mail Archive

Re: [Acme] Fwd: New Version Notification for draft-yusef-acme-3rd-party-device-attestation-01.txt

Richard Barnes <rlb@ipv.sx> Wed, 23 January 2019 20:07 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A388130ECD for <acme@ietfa.amsl.com>; Wed, 23 Jan 2019 12:07:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.041
X-Spam-Level:
X-Spam-Status: No, score=-2.041 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HNeXYFP4tSvu for <acme@ietfa.amsl.com>; Wed, 23 Jan 2019 12:07:47 -0800 (PST)
Received: from mail-ot1-x32a.google.com (mail-ot1-x32a.google.com [IPv6:2607:f8b0:4864:20::32a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0028C130E8A for <acme@ietf.org>; Wed, 23 Jan 2019 12:07:46 -0800 (PST)
Received: by mail-ot1-x32a.google.com with SMTP id 32so3058808ota.12 for <acme@ietf.org>; Wed, 23 Jan 2019 12:07:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=uDDy3QsKXwYBSiZOSsuTM8OxJHileG7AidRBbNzjvwM=; b=ZDLXqkp9DZ3RlPpXfKNI+gZl/8dr+dH/97F7+aQelDGKYdtyfuMEbfopANgRirlD/g ZaQC9nGrdvZGgtN4LmTcjRBkeFc+WGpqB0k0SYW7hkn94fG+Lnhv50Z3sF8ZZmc7VQcj qIkyZFnibT8ziMpe9Xr45eHfjayUMJq6fQnj6sTVmbQz/urToIeC9hSFLlO0tBQlcJ58 YtQfLiPPmdKJ4BYKWDSXJwpt3XoyczQ5qz5G04cO7jgvurvZaFX1SaqpY+z1XWVr4Jlb BaTFyxS1zmyd65Twi3cU/RsGrzjNI5tHdyzigFtCGx5KyT1P1m53O/1ef6ZZsjF/1aGS +tcQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uDDy3QsKXwYBSiZOSsuTM8OxJHileG7AidRBbNzjvwM=; b=Kha5Jpw7KPC8+S+ZkeF+mN1asbw1MsVzydiKX0sb5hsiybSF7uDAEE4Aarg+SCpOtZ KSW0iF9HE6XPK32AfwAdyuq6S/83m2meBC3g46wKQEMk9Kezaxhrv9i7sOm+rJRh56xV tP6M+1dFy4Cgo1UpByKUjQ4eVmDVllqXOOOTAGumAWBtsKOkC6fylQlC0QsSTUTuIxgn UxjGNWrj7pCKMG65jvEHNDBZMsE+IM2i8t2lFnYm/0SRtV/UaBw7ziahrLDMimUMnCB7 MAt/Q5mCpIU6R2GUM3K2TNaQEC+c8LjLPLsoORVwKiZl5xK4eWbkY7vA0v0ak8RKJNdb t70g==
X-Gm-Message-State: AJcUukfl7N27P5hXgo3bPsEbFcNND5ZnGW81whAR1YqGaZZViPR2rgom uOrJHu5XDs+QtoiFXHdtANhpMvFccNrZY2pQODnZfqjboVI=
X-Google-Smtp-Source: ALg8bN58o10eZrUK3lyVfyEoRyompCrUySzazY/ZfyJ1dZm6bk51+VerK+F9ILhRXpnIcZNNut9LVFQfPPrL2cbPb6E=
X-Received: by 2002:a9d:3f34:: with SMTP id m49mr2259739otc.23.1548274065908; Wed, 23 Jan 2019 12:07:45 -0800 (PST)
MIME-Version: 1.0
References: <154767050457.29430.8305250740505088239.idtracker@ietfa.amsl.com> <CAGL6epJ6cVBSp_VWPbV9+kG7VGBp_mPPf_Q836cbf5bi8OY=hQ@mail.gmail.com> <CAL02cgQXYxqvi5q4iW8uhRkbsYG1UObQkb094ba1wFvw4dcy8Q@mail.gmail.com> <CAGL6epJX+dSb9fK7E8fagwROesL7DF_3KJhF0nB=TTqdcpi-cA@mail.gmail.com>
In-Reply-To: <CAGL6epJX+dSb9fK7E8fagwROesL7DF_3KJhF0nB=TTqdcpi-cA@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 23 Jan 2019 15:07:33 -0500
Message-ID: <CAL02cgRx7SOYSmzCo8cLdz08U2Y=_KtjSe3Zha3GhFjQsYgW5Q@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Cc: IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b6cf52058025a5fa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/s2oCkBkftBEGndVAPncjfEqPreQ>
Subject: Re: [Acme] Fwd: New Version Notification for draft-yusef-acme-3rd-party-device-attestation-01.txt
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Jan 2019 20:07:51 -0000

Inline.

On Sun, Jan 20, 2019 at 3:04 PM Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
wrote:

> I looked at the TNAuthList draft, and as far as I understand, the
> framework seems
> a bit different from this proposal:
>
> 1. A Token Authority is authoritative for multiple identifier spaces (e.g.
>    TNAuthList with telephone numbers and service providers), while a
> Device
>    Authority is responsible for one identifier space, i.e. the devices
>    manufactured by a specific vendor.
>

Just because the framework can address the case where a single authority
can speak for multiple identifier spaces doesn't mean it can't also address
the single identifier space case.



> 2. A certificate issued to an entity controlled by a Token Authority is
> specific
>    to that entity independent of any domain, while a certificate issued to
>    a device controlled by a Device Authority is specific to the device
> *and* the
>    Client domain (based on a Client account with ACME).
>

What do you mean by "domain" here?


>
>
> Also, I noticed that the TNAuthList proposal does support redirection, as
> an
> optional feature. In the Device Authority case this is not critical and
> could be
> left as optional too, which will simplify the flow even further, as it
> would
> allow us to drop Steps 3 & 4 from the flow described in section 2.4, which
> would
> look as follows without the redirection:
>
> Client                         Device Authority
>  ACME CA
> (customer.com)                  (as.vendor.com)                      (
> acme.com)
>   |                                    |
>   |
>   | [01] POST /new-order [kid=customer.com, url=vendor.com,
> identifier={mac}|
>
> |------------------------------------------------------------------------>|
>   |                                    |
>   |
>   |                    [02] 201
>  |
>   |                         [authorizations=vendor.com/acme/authz/1234,
>    |
>   |                         finalize=customer.com/acme/order/asdf/finalize]
> |
>
> |<------------------------------------------------------------------------|
>   |                                    |
>   |
>   | [03] Use OAuth to obtain a device JWT
>  |
>   |<==================================>|
>   |
>   |                                    |
>   |
>   | [04] POST /vendor.com/acme/authz/1234 [JWT]
>    |
>
> |------------------------------------------------------------------------>|
>   |                                    |
>   |
>   |                                    |            [05] 200
> [status=valid] |
>
> |<------------------------------------------------------------------------|
>   |                                    |
>   |
>   | [06] POST /customer.com/acme/order/asdf/finalize [CSR]
>   |
>
> |------------------------------------------------------------------------>|
>   |                                    |
>   |
>   |                    [07] 200 [certificate=customer.com/acme/cert/asdf]
>  |
>
> |<------------------------------------------------------------------------|
>   |                                    |
>   |
>   | [8] GET /customer.com/acme/cert/asdf
>   |
>
> |------------------------------------------------------------------------>|
>   |                                    |
>   |
>   |                                    |              [8] 200
> [certificate] |
>
> |<------------------------------------------------------------------------|
>   |                                    |
>   |
>
>
> Unless I missed something, because of the above and to keep this mechanism
> as
> simple as possible, I would like to keep this proposal independent of the
> Token
> Authority framework at this stage.
>

I'm confused.  Issuing with authority tokens entails exactly the flow
you've laid out.  It's just that the interaction between the client and the
token authority is undefined in that doc, so you can fill it in with your
step 03.

--Richard


>
> Thoughts?
>
> Regards,
>  Rifaat
>
>
> On Thu, Jan 17, 2019 at 1:51 AM Richard Barnes <rlb@ipv.sx> wrote:
>
>> It seems like the core of this draft is identifier delegation.  Namely,
>> the CA recognizes the DA as an authority for a certain identifier space
>> (e.g., the first few octets of a MAC address), and the JWT delegates
>> permission to issue certificates for some identifier in that space to the
>> Client.
>>
>> Given that, it seems to me like this could fit under the rubric of the
>> "authority token" challenge.  If you were to do what this draft wants to do
>> with that framework, the Client would have two separate interactions -- an
>> OAuth interaction with the DA to get a token, then an ACME interaction with
>> the CA to issue the certificate.  The only specification needed would be to
>> specify the identifier and token type, as has been done for TNAuthList [2].
>>
>> The only thing that would then be missing with regard to this draft is
>> that the CA wouldn't provide the redirect to the DA.  Whether that makes
>> sense depends on the use case, but I suspect that in most cases it does
>> not.  The design in the draft presumes there's a single DA per identifier,
>> and that the CA keeps a mapping table from possible identifiers to DAs.
>> That seems unlikely for most identifier spaces and most CAs with reasonably
>> broad coverage.  So losing this property of the draft doesn't seem like a
>> big issue.
>>
>> So net/net, I think this draft should be restructured along the lines of
>> [2], to just define a token type and maybe an identifier type.
>>
>> --Richard
>>
>> [1] https://tools.ietf.org/html/draft-ietf-acme-authority-token
>> [2]
>> https://tools.ietf.org/wg/acme/draft-ietf-acme-authority-token-tnauthlist/
>>
>> On Wed, Jan 16, 2019 at 12:33 PM Rifaat Shekh-Yusef <
>> rifaat.ietf@gmail.com> wrote:
>>
>>> All,
>>>
>>> I have just submitted new updated version to address the issues raised
>>> by Ilari and Ryan.
>>> I would appreciate any more reviews and comments.
>>>
>>> Regards,
>>>  Rifaat
>>>
>>>
>>> ---------- Forwarded message ---------
>>> From: <internet-drafts@ietf.org>
>>> Date: Wed, Jan 16, 2019 at 3:28 PM
>>> Subject: New Version Notification for
>>> draft-yusef-acme-3rd-party-device-attestation-01.txt
>>> To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
>>>
>>>
>>>
>>> A new version of I-D,
>>> draft-yusef-acme-3rd-party-device-attestation-01.txt
>>> has been successfully submitted by Rifaat Shekh-Yusef and posted to the
>>> IETF repository.
>>>
>>> Name:           draft-yusef-acme-3rd-party-device-attestation
>>> Revision:       01
>>> Title:          Third-Party Device Attestation for ACME
>>> Document date:  2019-01-16
>>> Group:          Individual Submission
>>> Pages:          9
>>> URL:
>>> https://www.ietf.org/internet-drafts/draft-yusef-acme-3rd-party-device-attestation-01.txt
>>> Status:
>>> https://datatracker.ietf.org/doc/draft-yusef-acme-3rd-party-device-attestation/
>>> Htmlized:
>>> https://tools.ietf.org/html/draft-yusef-acme-3rd-party-device-attestation-01
>>> Htmlized:
>>> https://datatracker.ietf.org/doc/html/draft-yusef-acme-3rd-party-device-attestation
>>> Diff:
>>> https://www.ietf.org/rfcdiff?url2=draft-yusef-acme-3rd-party-device-attestation-01
>>>
>>> Abstract:
>>>    This document defines a Third-Party Device Attestation for ACME
>>>    mechanism to allow the ACME CA to delegate some of its authentication
>>>    and authorization functions to a separate trusted entity, to automate
>>>    the issuance of certificates to devices.
>>>
>>>
>>>
>>>
>>> Please note that it may take a couple of minutes from the time of
>>> submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>>
>>> The IETF Secretariat
>>>
>>> _______________________________________________
>>> Acme mailing list
>>> Acme@ietf.org
>>> https://www.ietf.org/mailman/listinfo/acme
>>>
>>

v2.23.0 | Report a Bug | By Email