Re: [Acme] AD Review: draft-ietf-acme-star-04
Daniel McCarney <cpu@letsencrypt.org> Thu, 17 January 2019 14:28 UTC
Return-Path: <dmccarney@letsencrypt.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2190012896A for <acme@ietfa.amsl.com>; Thu, 17 Jan 2019 06:28:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.553
X-Spam-Level:
X-Spam-Status: No, score=-6.553 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qUOxAT6oU1vw for <acme@ietfa.amsl.com>; Thu, 17 Jan 2019 06:28:43 -0800 (PST)
Received: from mail-it1-x133.google.com (mail-it1-x133.google.com [IPv6:2607:f8b0:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E38E612894E for <acme@ietf.org>; Thu, 17 Jan 2019 06:28:42 -0800 (PST)
Received: by mail-it1-x133.google.com with SMTP id g76so1610459itg.2 for <acme@ietf.org>; Thu, 17 Jan 2019 06:28:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; h=mime-version:references:in-reply-to:reply-to:from:date:message-id :subject:to:cc; bh=N436e2qo7bPTBna7InUjCrpYcYYoCGVjZiypm2hy5bc=; b=Bk2N+l4ppIAjFESeeEcxSiFmi4K85kimT952xrtijforlx8ipQNkrrhB5kM6pxFGNY biD5s8IX3e6J3ad2aND/phwPoHux9tMbAX1q07akJi9HCEOEJ+OgWxUAmAFR+xMDTNik V+2pxyQ7hiRur1DN0T0vVhTk8O/2viCZ+97Tc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=N436e2qo7bPTBna7InUjCrpYcYYoCGVjZiypm2hy5bc=; b=l0ew1abn2RwHzsc4L6uphNnNYLPApKnzFGZa8pS3TfYyc8mYW9pEpbFXupdA46jHvq +h796k9P3voPb33ibwb+RP9bl6jI+fhnIg7giCg+Mt8D4kt3T2UDCxm7TduwNv20qRPz +chhAmbnZRAktg0PFZ2KKXcmsHio3av8j4WE9C3YbtTSwD4rFyMgDSYLU2KKq672z2iD oF7eY5mm8cN7i1NARwgHbr/3KNniPpoWdiMysdeNj2UfGNk3mG6i7GIhJJGsCWufDQbm HbFBj8uxIoaRSMCOjrkHq2ClGXhUHoK31Nn+ntNKaFbmBMSl1HtNxv+H6XHKAjUIbUEJ cYeg==
X-Gm-Message-State: AJcUukeKG3kooWhuuPAN1cIkzTra/VmG/OY1bqoXQ69ruEZYQss23l7s bFP6xRNATm7ez+Xr4/xyoy0ApYEF9U9pZVotvCqQyg==
X-Google-Smtp-Source: ALg8bN7lDwKF9Een0D4+/wzQf4UUeSESOc6foE3ngWIhhyH71FOy16TZdqYjToMGAJHKquEtYQN7QWjtIRbO9fRNYac=
X-Received: by 2002:a02:7a58:: with SMTP id z24mr8400277jad.22.1547735322054; Thu, 17 Jan 2019 06:28:42 -0800 (PST)
MIME-Version: 1.0
References: <CABcZeBMSXR_bQTf10mgBwvrjD=XZHughKvoE=kX7K6zDrY_qxw@mail.gmail.com> <7FCC99B8-C9FF-4F56-93D5-15AF3F519151@telefonica.com>
In-Reply-To: <7FCC99B8-C9FF-4F56-93D5-15AF3F519151@telefonica.com>
Reply-To: cpu@letsencrypt.org
From: Daniel McCarney <cpu@letsencrypt.org>
Date: Thu, 17 Jan 2019 09:28:31 -0500
Message-ID: <CAKnbcLjdckaJsBMBfpbs-sS55746hB0OZ=0Gcf90UW71myQ6QA@mail.gmail.com>
To: "Diego R. Lopez" <diego.r.lopez@telefonica.com>
Cc: Eric Rescorla <ekr@rtfm.com>, "draft-ietf-acme-star@ietf.org" <draft-ietf-acme-star@ietf.org>, IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000141729057fa8360b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/wrmUxC6vqFy9aBCuFK7ylaJdoNY>
Subject: Re: [Acme] AD Review: draft-ietf-acme-star-04
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Jan 2019 14:28:46 -0000
Hi Diego, > There is a Boulder-based full implementation Does Telefonica plan to maintain the copy of Boulder you forked into this repo as a stand-alone project separate from github.com/letsencrypt/boulder? On Wed, Jan 16, 2019 at 6:21 PM Diego R. Lopez <diego.r.lopez@telefonica.com> wrote: > Hi, > > > > There is a Boulder-based full implementation (including the delegation > mechanisms in draft-ietf-acme-star-delegation) available in Github: > > > > https://github.com/mami-project/lurk > > > > (the repository is called “lurk” and not “star” because pure historical > reasons) > > > > It has been used in several demos and pilots of STAR, within Telefonica > and elsewhere. > > > > Be goode, > > > > -- > > "Esta vez no fallaremos, Doctor Infierno" > > > > Dr Diego R. Lopez > > Telefonica I+D > > https://www.linkedin.com/in/dr2lopez/ > > > > e-mail: diego.r.lopez@telefonica.com > > Tel: +34 913 129 041 > > Mobile: +34 682 051 091 > > ---------------------------------- > > > > On 24/12/2018, 21:18, "Eric Rescorla" <ekr@rtfm.com> wrote: > > > > Rich version of this review at: > https://mozphab-ietf.devsvcdev.mozaws.net/D4723 > > > After reviewing this document, I'd like to reconsider the proposed > status of this document. Based on Section 5, it doesn't appear that > there are any production implementations of this document. Are there > any existing or planned production implementations from live CAs or > clients? If not, this seems like a better fit for Experimental. > > > IMPORTANT > S 3.4. > > present and set to true, the client requests the server to allow > > unauthenticated GET to the star-certificate associated with this > > Order. > > > > If the server accepts the request, it MUST reflect the key in the > > Order. > > it seems like some security considerations are needed here to prevent > enumeration. > > > S 4.1. > > of clock-related breakage reports which account for clients that are > > more than 24 hours behind - happen to be within 6-7 days. > > > > In order to avoid these spurious warnings about a not (yet) valid > > server certificate, it is RECOMMENDED that site owners pre-date > their > > Web facing certificates by 5 to 7 days. The exact number depends on > > I don't understand how this works. The client is able to provide the > notbefore date, which gives a pre-date for the first certificate, but > S 2.2 just says that the re-issue is "before the previous one > expires". So suppose it is currently 2018-07-15" and I ask for a > certificate with "recurrent-start-date=2018-07-10" and "recurrent- > certificate-validity=5", I thus get back a cert with validity > "2018-07-10 -- 2018-07-20", i.e., pre-dated by 5 days. The next > certificate needs to be issued on or before "2018-07-20", but the text > doesn't say when it's notbefore has to be, so it could have validity > "2018-07-19 -- 2018-07-25". It seems like this document needs to > specify an explicit way to pre-date, but it doesn't. > > > COMMENTS > S 1. > > new short-term certificate is needed - e.g., every 2-3 days. If > done > > this way, the process would involve frequent interactions between > the > > registration function of the ACME Certification Authority (CA) and > > the identity provider infrastructure (e.g.: DNS, web servers), > > therefore making the issuance of short-term certificates exceedingly > > dependent on the reliability of both. > > I don't see why this is the case. Once you have authorized once, the > CA can just return that no authorizations are required. > > > S 3.1.1. > > o recurrent-certificate-validity (required, integer): the maximum > > validity period of each STAR certificate, an integer that denotes > > a number of seconds. This is a nominal value which does not > > include any extra validity time which is due to pre-dating. The > > client can use this value as a hint to configure its polling > > timer. > > This text is confusing. The client produces the order, so how is it > using it as a hint. > > > S 3.1.2. > > > > Issuing a cancellation for an order that is not in "valid" state has > > undefined semantics. A client MUST NOT send such a request, and a > > server MUST return an error response with status code 400 (Bad > > Request) and type > > "urn:ietf:params:acme:error:recurrentCancellationInvalid". > > This doesn't sound like undefined semantics. It's just illegal. > > ------------------------------ > > Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, > puede contener información privilegiada o confidencial y es para uso > exclusivo de la persona o entidad de destino. Si no es usted. el > destinatario indicado, queda notificado de que la lectura, utilización, > divulgación y/o copia sin autorización puede estar prohibida en virtud de > la legislación vigente. Si ha recibido este mensaje por error, le rogamos > que nos lo comunique inmediatamente por esta misma vía y proceda a su > destrucción. > > The information contained in this transmission is privileged and > confidential information intended only for the use of the individual or > entity named above. If the reader of this message is not the intended > recipient, you are hereby notified that any dissemination, distribution or > copying of this communication is strictly prohibited. If you have received > this transmission in error, do not read it. Please immediately reply to the > sender that you have received this communication in error and then delete > it. > > Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, > pode conter informação privilegiada ou confidencial e é para uso exclusivo > da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário > indicado, fica notificado de que a leitura, utilização, divulgação e/ou > cópia sem autorização pode estar proibida em virtude da legislação vigente. > Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique > imediatamente por esta mesma via e proceda a sua destruição > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme >
- [Acme] AD Review: draft-ietf-acme-star-04 Eric Rescorla
- Re: [Acme] AD Review: draft-ietf-acme-star-04 Diego R. Lopez
- Re: [Acme] AD Review: draft-ietf-acme-star-04 Daniel McCarney
- Re: [Acme] AD Review: draft-ietf-acme-star-04 Diego R. Lopez