IETF Logo Mail Archive

Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04

Brian Sipos <BSipos@rkf-eng.com> Tue, 27 July 2021 21:12 UTC

Return-Path: <BSipos@rkf-eng.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4C983A0784 for <acme@ietfa.amsl.com>; Tue, 27 Jul 2021 14:12:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=rkf-eng.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WOioRp0LAJvo for <acme@ietfa.amsl.com>; Tue, 27 Jul 2021 14:12:45 -0700 (PDT)
Received: from NAM12-DM6-obe.outbound.protection.outlook.com (mail-dm6nam12on2041.outbound.protection.outlook.com [40.107.243.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F198C3A077E for <acme@ietf.org>; Tue, 27 Jul 2021 14:12:44 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ZDDbF1JIUr/Qo/kGmneA/b/PBqTEbW5z2YC275ohR7/5GsGZwRUCUBQeraFk1yeYiY2x0JKTSqDKnVbyX8c3Jig7GIiVtG7GBhvHKJwj6vzTFCV+s7cMkkjdKuMITi96+6BJiNKBsqPoj8G1Nf7nr2iDFZa2g17DMBSGFMICJOYthe+HldrBn/G5qjzP9NgX1j8LQPBcqRhb7pBeKs8f/cWiyiKbMJsBfAWZqr9QxwF4K3OXtnUQmAn/RL4igu8Eg8FSyHMs5a3dstkdmCUEhR5+D1QDGK3t4q6v0ndae8uxE+ulcXSSUo18cElAuKXgDwavLHOgdFbdUHXYKrNYCQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=t0Mr8VSmaFMuoLiTAueFuAieuqEVd9XpsYjjYhUK3tQ=; b=FsUllopo0MhV7PFYwdo1SZ6T0/s8wkbY3mcFKM3KgQRv6xx6R/fiqe/jxk58BnJtJ8jjG3xaxKYkDX0+FVF9ZFv/PvTiFCr2n4LTYZJbqvZyrOr1bWw4SKAvcNIoWDPMcZNRg98GFLUdzAOE29/fGkSDnhtaJzjrlfGF1EWgXEUWrVTH6u7T+CW7MpugfAJWMqDkvSaWdl15uXciqkmCin1LpxfhOPOhnjG2KY9qxwLQvvrhNIOdsKDQAqKdi4/CJNaGBxIbThm1wKuh+GJ8gmuwuR/KdISNlqPGget9yhCA5RaKrm5eeoU5xC4jASefaZn75CZ6qmrwq2CHpuhsEQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=rkf-eng.com; dmarc=pass action=none header.from=rkf-eng.com; dkim=pass header.d=rkf-eng.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rkf-eng.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=t0Mr8VSmaFMuoLiTAueFuAieuqEVd9XpsYjjYhUK3tQ=; b=ccJrs1Els326AuOe0EStGtQAbzOATY7B3rX+O6gVIw+A4PmqtG5D/LJRRD2BoRnYZbUB75fppgvazQICH2BBWS+wKxlMbHA8Yc2l1r2cQFi71eUir2c9rO1wZ1ruSiD+nnQVt+h0/1RzJBL8ZTXpRYswkslDH7fkhcyHCJr5vlk=
Received: from MN2PR13MB3567.namprd13.prod.outlook.com (2603:10b6:208:168::10) by MN2PR13MB3776.namprd13.prod.outlook.com (2603:10b6:208:1e7::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4373.7; Tue, 27 Jul 2021 21:12:41 +0000
Received: from MN2PR13MB3567.namprd13.prod.outlook.com ([fe80::f845:66e:abee:d10c]) by MN2PR13MB3567.namprd13.prod.outlook.com ([fe80::f845:66e:abee:d10c%6]) with mapi id 15.20.4373.018; Tue, 27 Jul 2021 21:12:41 +0000
From: Brian Sipos <BSipos@rkf-eng.com>
To: "rdd@cert.org" <rdd@cert.org>
CC: "acme@ietf.org" <acme@ietf.org>
Thread-Topic: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04
Thread-Index: AQHXgywiHJXaHUJs5USqsUtyrE1MwQ==
Date: Tue, 27 Jul 2021 21:12:41 +0000
Message-ID: <4ddbcc0b9ba6e2942fd1d95c412e41e6988b8a59.camel@rkf-eng.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Evolution 3.40.1 (3.40.1-1.module_f34+11997+0ba8848e)
authentication-results: cert.org; dkim=none (message not signed) header.d=none;cert.org; dmarc=none action=none header.from=rkf-eng.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 770504eb-2d14-48f7-35a1-08d95143454f
x-ms-traffictypediagnostic: MN2PR13MB3776:
x-microsoft-antispam-prvs: <MN2PR13MB37760EE917343C926D9668509FE99@MN2PR13MB3776.namprd13.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: SWiHjN+7j0/RoBuo0+Wvjcb0+koFE7NIV4orLw/s43UQXAW725wrKqi3svIi0JpuV7WWk/tK/oNznDAMbnCajTdl2fWGlw1owZxQt2PZT4fl++2PoCS3oreNUxokwzGXPJMRBs9ytphVXzFrlaWLK3dnv/V44DhUhnw1hHxl9tDJfLIi5ANODBsog0twEI39c4I8OBtPGA9GasgeJUkNhcD5WQd5VJHbp3WQlFWzG1NXCfn2R+XbtuN6NyOFzgsfZ/VzwgAY5PoaltYHVvu+B+azJg7wwEQC9+a0sHX/yrrx2T3fNeL54l960/rYld2alm07pZ1/nK5Aeq6Ku2dTOHOgYDJ3K4rwd1ZELRNxouPsWHSbuH4rFYI5sUNW7VtXjpM+Kc9MC/Bl/6v/4+wPHlXGa2A7l+5dHw0rRa1zlBdQQzTNDk6QwSFWLh0zW9+ZogGKTd0GoMiIkfH6WAp1G9cvahhY2ZOoX1bO6xPYT8z5AWThy2YQFqkKS5pG47YJdU8bAlyN/8x3yjUnKmUtPjxljXSSllGRlwHzv9cnEi5zHl4EJU/bZw8mm1bM6PR5dRUStu6DZwA7U8y3GtIp0tQgGmBoFtE9SXNfmRVI+Jwxj+xKwAkpw0s92ai5sl1fnbPBx+GfUTrUXDxgtIiox7Qwd8AHk7eRV4PrjCWaBAn+6oSWoPVzrNpBrWiz0PjoOgSfVK4uxj8jEItr79Kqp57Tv5Ye5swSD/Q+tUYFl69CvrxEe7AHn+sfvFAk1/PC3flcM/kmc4IFy/HLhAJlbw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR13MB3567.namprd13.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(346002)(396003)(366004)(136003)(39830400003)(83380400001)(8676002)(316002)(6916009)(5660300002)(6512007)(8936002)(122000001)(4326008)(99936003)(38100700002)(36756003)(6506007)(26005)(2906002)(186003)(478600001)(66556008)(66616009)(66946007)(66446008)(86362001)(71200400001)(66476007)(64756008)(2616005)(6486002)(76116006)(38070700005)(966005); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: hwHziD2Hc7gLpyf+Pi7xUmJLTwRacjCUQD6fvqIezpCuw8eTaF3hoZEK04aEwfWE+DPT0GD280EiLvn2vU2u0v8TYbsffs8SzI5HmTGW6CT8DH/FHa3zV1haYEX3tDifVa8kF07KLwnYALlJ/McnBaalEl7ZSZYGOTIIRqci0lT/vm92zwQK4h9CHKHzT7TpCRGnByq7I3XmZzBjjI0AkfjPP30cpJztI+fGv7GQc4pN11/fozQrzI1dvsWZeHgFaAouPk0tUlMyQkpn6/fJR/Ns6J0qAvXA/VikMDdMOwdb7pD27Z6qfVXboPiW3avGzwpq+hFcRYLFB7kmXMAI/O/skqUt+PmRobbWgyRnPsh3kHpu4yZpE8D1WGpdeuEcchQi2yNFxxXL5dOMEblqv7WfCBpsFXkyO0UBmR3ctgLWBOHkiCzjmCv59ipJO/3h4ivsyQALFRkg53M5a/ayM7rg/7+XJ1rd3tlu5r99sli2CBqBNYnZSpPKrS3q7liyefgVg7EmNKmc+0E31vOpozrVcrQzPOoUANTmacoCsR5+25PyFx0ILUjwkprxEpGuyGfUJFc9/P77OdjNv+KENpOyPNIBQjN7eqR3LZqYAl5p4vbKWuJ5p8JpZzr3cpK5z395GoLmKTAvVe8gchVOnccq0+uUg/JQZa3vX2f+4rAlEa7Cu9BcLR3mtiW17yjhfOUiRitz90btdKTR9i+ZTP6Vz2zU38cFvdKx/5MW0eOblUN1OjsOWNPtz1JbZaIDdv+bYGi9te+sVVcWOFScP4RStSZ0w620/5TqiFIgoKQHRv8VGCipN9+eOSdYVZE4yLjY4kg9e1jv/C4TMKK0mFmZ7MpWRmznqh1/KeGdcSVhw8A6nvufhaxmMy5Mf/IBDqaluzX90beFtalOMlGKLX3HJUL0Xgk+K7ujpnzeFYSVK3jlbJsHeFtEMLvEjtjaDoaxaLmwlYolvEA40i2GMMQjNxdJRm7E7jVdD/Gi1cXv8Yv8mb0fCOhrwAMP/cfocp61leyPGprQ5+FXJ7NV30zl0eVPOfCz0evwC9cum9n4vv7Jk0tTc2BR1AO+IPB6Au9TnYgs7unQDcB+lFfvFmizxWvjcpLJ4W7pwZKHVCoghxXsb785I7T5Pnk8zt2nT4abvZT15W022z8BAcSpaiwPox7MH527fKc7UfsYrD++MynMB/1v98uJrgud/j50tYyVC6n9Aw6FWu6ju0z7mNPiPlqi5bYwDtnVcavaLvhNQVsAj6xCodaw+8hR1Q6/E4v5xT74B+V0jdwa5xe+q5dWE95RqVMc4j3Pu1PBWcSTvKatpzo00jIXl1my4aPC
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; micalg="sha-256"; protocol="application/pkcs7-signature"; boundary="=-lKfFElS4Bklzr+dnRZDk"
MIME-Version: 1.0
X-OriginatorOrg: rkf-eng.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR13MB3567.namprd13.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 770504eb-2d14-48f7-35a1-08d95143454f
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Jul 2021 21:12:41.5494 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4ed8b15b-911f-42bc-8524-d89148858535
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: eU5yYaFrYodfWZFZWaA3/oNxtYiMjL2L+FBBxExykl4kch6enR6hKo/IP7AllSbvngERB1XXZzcJYLk6daoGtw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR13MB3776
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/sgWP_o3Yy9MNV_kIh8H1z-kG3nI>
Subject: Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jul 2021 21:12:51 -0000

Roman,
Thank you for this thorough review. I want to address the more
procedural/structural points first; the ones which have implications outside of
just this document.

> On the process side, this arrangement is rather unusual.  No quarrels with the
substance of the update which will improve extensibility.  However, this
particular document has experimental status and the document being updated
(draft-ietf-dtn-bpbis) is proposed standard (PS).  Having a lower maturity
document updating one of higher status is my concern -- "experiments fail".  Was
this issue considered?  Discussed with the DTN WG?  I'll note that draft-ietf-
dtn-bpbis has not yet been published (although it is in the late state of the
RFCEd queue).  Could the changes just be added there directly?

BS: I did bring this up in the DTN WG earlier and the BPbis authors were fine
with the update itself, which didn't require BPbis document changes, but I
understand the concern about the different document status levels. I have
brought this new concern up in the DTN WG with options of either a late AUTH48
edit or a separate small Proposed Standard document from the DTN WG. The change
really is not specific to this ACME document but related only to this being the
first new administrative record type for BPv7.

> **I need a little help on DTN addressing.  The text notes that that the intent
is to issue certificates with DTN Node IDs as a URI in subjectAltName.
> ...
> Given the constraint of (c) and the flexibility afforded with the definition
of a node ID in (a)+(b), will DTN Node IDs always satisfy the requirement from
(c) to be FQDN?  Is language needed to ensure that (likely in a few places in
the document)?

BS: This is a good catch regarding conformance to RFC 5280, and unfortunately
represents a subtle logical conflict with this and another document [1].
Although Section 4.2.1.6 of RFC 5280 states this requirement about the URI
authority part it makes no other use of this authority restriction, and although
RFC 6125 does define a URI-ID which has matching logic based on the authority
part the certificate profile shared by DTN TCPCLv4 [1] and this document
explictly avoid using URI-ID in favor of the matching logic defined in [1] for
NODE-ID.
So while a "dtn" scheme URI contains an authority part which I believe meets the
intent of the RFC 5280 restriction (a unique and unambiguous name/address) it
does not meet the letter-of-the-law in that document. The dtn scheme is already
in use and has been for many years; although it resembles a URN in semantics it
does use a URL syntax which may be more of an historical accident than a design
decision (as the "ipn" scheme does not use the URL authority syntax).
Do you think that explicitly calling this out in this document and in [1] are an
acceptable way to avoid this logical issue? Meaning any CSR or certificate
handler for DTN must be aware to ignore that specific RFC 5280 requriement.

I think all of your other comments are sensible and I will respond to them
separately.
Thank you,
Brian S.

[1]
https://datatracker.ietf.org/doc/html/draft-ietf-dtn-tcpclv4-26#section-4.4.2

v2.23.0 | Report a Bug | By Email