IETF Logo Mail Archive

Re: [Acme] "Slide 21" follow-up (textual encoding question) PART 2

Sean Leonard <dev+ietf@seantek.com> Mon, 03 April 2017 09:00 UTC

Return-Path: <dev+ietf@seantek.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0391E128954 for <acme@ietfa.amsl.com>; Mon, 3 Apr 2017 02:00:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hKoch1QhcF_m for <acme@ietfa.amsl.com>; Mon, 3 Apr 2017 02:00:45 -0700 (PDT)
Received: from mxout-07.mxes.net (mxout-07.mxes.net [216.86.168.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A52861295E3 for <acme@ietf.org>; Mon, 3 Apr 2017 02:00:45 -0700 (PDT)
Received: from [192.168.123.7] (unknown [76.90.60.238]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 9B54322E25C; Mon, 3 Apr 2017 05:00:26 -0400 (EDT)
To: Richard Barnes <rlb@ipv.sx>
References: <AF77F7D3-B520-4124-88FA-5E62466FFCFA@seantek.com> <CAL02cgSVZs7zFtJY_Ey4eLoeU2AJjyPzyfbZ-iWF8B4xSj_R9g@mail.gmail.com>
Cc: ACME WG <acme@ietf.org>
From: Sean Leonard <dev+ietf@seantek.com>
Message-ID: <083b73a4-a199-dc57-e078-bf1bf9c10bd2@seantek.com>
Date: Mon, 03 Apr 2017 02:00:20 -0700
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CAL02cgSVZs7zFtJY_Ey4eLoeU2AJjyPzyfbZ-iWF8B4xSj_R9g@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------0EC051EDA6FE534E6BA80FFE"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/wphRk8QsL5Ig69OUsAYJh0gGPPs>
Subject: Re: [Acme] "Slide 21" follow-up (textual encoding question) PART 2
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Apr 2017 09:00:48 -0000

On 4/2/2017 1:06 PM, Richard Barnes wrote:
>
>
> On Fri, Mar 31, 2017 at 5:23 PM, Sean Leonard <dev+ietf@seantek.com 
> <mailto:dev+ietf@seantek.com>> wrote:
>
>     Hi ACME:
>
>     SECOND PART.
>     [...]
>
> That said, the idea of "inlining" the certificate / chain doesn't seem 
> completely awful.  On the one hand, it would save an HTTP round-trip 
> in the common case, and we don't have anything else in the protocol 
> that relies on a certificate being referenced indepenedently from the 
> order that created it.  On the other hand, it seems like there could 
> be some utility in the future to being able to refer to the 
> certificate per se, vs. the order that created it. I could go either way.

That's the idea (in PART 1, anyway).

The issue of whether a certificate should be referred to by reference 
(URI) or by value (supplied as the certificate itself) is discussed in 
draft-seantek-certspec-11. In this case, I do not see any additional 
value in /requiring/ a separate URI to access the certificate octets. 
Put another way: if you want a separate URI instead of the certificate, 
because you don't want to store the certificate, then you will have to 
store the separate URI somewhere. And, if you are storing the separate 
URI, you have a place to store the certificate in the first place.

Perhaps there is business value in a CA standing up a sensible 
(well-known) URI scheme, such as:

https://www.cawebsite.com/.well-known/getcert?host=FOO.BAR.COM&{other 
parameters}

...but that is outside of the scope of the (current) protocol for this 
working group. Compare with draft-bhjl-x509-srv-03. I could see it being 
added to the ACME server as a "feature", but that is up to you all.

>
> If we do inline the certificate into the order, ISTM the natural thing 
> to do would be to just present it in base64url-encoded form:
>
> {
>   // existing order fields
>   "certificate": "[[ base64url data ]]",
>   "chain": ["[[ base64url data ]]", ...]
> }
>
> Then it would just be a syntactic transformation to whatever an HTTP 
> server accepts.

Something like that could be okay. Although I suppose some "aesthetics" 
are involved, the choice for JSON format is not exactly bikeshedding. If 
it's in JSON then some part of it ought to be an array. The main point 
(raised in PART 1) is that inlining makes things faster and sidesteps 
all of the problems raised by MIME types and text blobs in PART 2.

I note that a base64url-encoded version of the DER octets of a 
certificate are already included in this protocol, in Certificate 
Revocation Section 7.6.

Sean

v2.23.0 | Report a Bug | By Email