IETF Logo Mail Archive

Re: [Acme] AD Review: draft-ietf-acme-star-04

Daniel McCarney <cpu@letsencrypt.org> Thu, 17 January 2019 14:28 UTC

Return-Path: <dmccarney@letsencrypt.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2190012896A for <acme@ietfa.amsl.com>; Thu, 17 Jan 2019 06:28:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.553
X-Spam-Level:
X-Spam-Status: No, score=-6.553 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qUOxAT6oU1vw for <acme@ietfa.amsl.com>; Thu, 17 Jan 2019 06:28:43 -0800 (PST)
Received: from mail-it1-x133.google.com (mail-it1-x133.google.com [IPv6:2607:f8b0:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E38E612894E for <acme@ietf.org>; Thu, 17 Jan 2019 06:28:42 -0800 (PST)
Received: by mail-it1-x133.google.com with SMTP id g76so1610459itg.2 for <acme@ietf.org>; Thu, 17 Jan 2019 06:28:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; h=mime-version:references:in-reply-to:reply-to:from:date:message-id :subject:to:cc; bh=N436e2qo7bPTBna7InUjCrpYcYYoCGVjZiypm2hy5bc=; b=Bk2N+l4ppIAjFESeeEcxSiFmi4K85kimT952xrtijforlx8ipQNkrrhB5kM6pxFGNY biD5s8IX3e6J3ad2aND/phwPoHux9tMbAX1q07akJi9HCEOEJ+OgWxUAmAFR+xMDTNik V+2pxyQ7hiRur1DN0T0vVhTk8O/2viCZ+97Tc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=N436e2qo7bPTBna7InUjCrpYcYYoCGVjZiypm2hy5bc=; b=l0ew1abn2RwHzsc4L6uphNnNYLPApKnzFGZa8pS3TfYyc8mYW9pEpbFXupdA46jHvq +h796k9P3voPb33ibwb+RP9bl6jI+fhnIg7giCg+Mt8D4kt3T2UDCxm7TduwNv20qRPz +chhAmbnZRAktg0PFZ2KKXcmsHio3av8j4WE9C3YbtTSwD4rFyMgDSYLU2KKq672z2iD oF7eY5mm8cN7i1NARwgHbr/3KNniPpoWdiMysdeNj2UfGNk3mG6i7GIhJJGsCWufDQbm HbFBj8uxIoaRSMCOjrkHq2ClGXhUHoK31Nn+ntNKaFbmBMSl1HtNxv+H6XHKAjUIbUEJ cYeg==
X-Gm-Message-State: AJcUukeKG3kooWhuuPAN1cIkzTra/VmG/OY1bqoXQ69ruEZYQss23l7s bFP6xRNATm7ez+Xr4/xyoy0ApYEF9U9pZVotvCqQyg==
X-Google-Smtp-Source: ALg8bN7lDwKF9Een0D4+/wzQf4UUeSESOc6foE3ngWIhhyH71FOy16TZdqYjToMGAJHKquEtYQN7QWjtIRbO9fRNYac=
X-Received: by 2002:a02:7a58:: with SMTP id z24mr8400277jad.22.1547735322054; Thu, 17 Jan 2019 06:28:42 -0800 (PST)
MIME-Version: 1.0
References: <CABcZeBMSXR_bQTf10mgBwvrjD=XZHughKvoE=kX7K6zDrY_qxw@mail.gmail.com> <7FCC99B8-C9FF-4F56-93D5-15AF3F519151@telefonica.com>
In-Reply-To: <7FCC99B8-C9FF-4F56-93D5-15AF3F519151@telefonica.com>
Reply-To: cpu@letsencrypt.org
From: Daniel McCarney <cpu@letsencrypt.org>
Date: Thu, 17 Jan 2019 09:28:31 -0500
Message-ID: <CAKnbcLjdckaJsBMBfpbs-sS55746hB0OZ=0Gcf90UW71myQ6QA@mail.gmail.com>
To: "Diego R. Lopez" <diego.r.lopez@telefonica.com>
Cc: Eric Rescorla <ekr@rtfm.com>, "draft-ietf-acme-star@ietf.org" <draft-ietf-acme-star@ietf.org>, IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000141729057fa8360b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/wrmUxC6vqFy9aBCuFK7ylaJdoNY>
Subject: Re: [Acme] AD Review: draft-ietf-acme-star-04
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Jan 2019 14:28:46 -0000

Hi Diego,


> There is a Boulder-based full implementation


Does Telefonica plan to maintain the copy of Boulder you forked into this
repo as a stand-alone project separate from github.com/letsencrypt/boulder?

On Wed, Jan 16, 2019 at 6:21 PM Diego R. Lopez <diego.r.lopez@telefonica.com>
wrote:

> Hi,
>
>
>
> There is a Boulder-based full implementation (including the delegation
> mechanisms in draft-ietf-acme-star-delegation) available in Github:
>
>
>
> https://github.com/mami-project/lurk
>
>
>
> (the repository is called “lurk” and not “star” because pure historical
> reasons)
>
>
>
> It has been used in several demos and pilots of STAR, within Telefonica
> and elsewhere.
>
>
>
> Be goode,
>
>
>
> --
>
> "Esta vez no fallaremos, Doctor Infierno"
>
>
>
> Dr Diego R. Lopez
>
> Telefonica I+D
>
> https://www.linkedin.com/in/dr2lopez/
>
>
>
> e-mail: diego.r.lopez@telefonica.com
>
> Tel:         +34 913 129 041
>
> Mobile:  +34 682 051 091
>
> ----------------------------------
>
>
>
> On 24/12/2018, 21:18, "Eric Rescorla" <ekr@rtfm.com> wrote:
>
>
>
> Rich version of this review at:
> https://mozphab-ietf.devsvcdev.mozaws.net/D4723
>
>
> After reviewing this document, I'd like to reconsider the proposed
> status of this document. Based on Section 5, it doesn't appear that
> there are any production implementations of this document. Are there
> any existing or planned production implementations from live CAs or
> clients?  If not, this seems like a better fit for Experimental.
>
>
> IMPORTANT
> S 3.4.
> >         present and set to true, the client requests the server to allow
> >         unauthenticated GET to the star-certificate associated with this
> >         Order.
> >
> >      If the server accepts the request, it MUST reflect the key in the
> >      Order.
>
> it seems like some security considerations are needed here to prevent
> enumeration.
>
>
> S 4.1.
> >      of clock-related breakage reports which account for clients that are
> >      more than 24 hours behind - happen to be within 6-7 days.
> >
> >      In order to avoid these spurious warnings about a not (yet) valid
> >      server certificate, it is RECOMMENDED that site owners pre-date
> their
> >      Web facing certificates by 5 to 7 days.  The exact number depends on
>
> I don't understand how this works. The client is able to provide the
> notbefore date, which gives a pre-date for the first certificate, but
> S 2.2 just says that the re-issue is "before the previous one
> expires". So suppose it is currently 2018-07-15" and I ask for a
> certificate with "recurrent-start-date=2018-07-10" and "recurrent-
> certificate-validity=5", I thus get back a cert with validity
> "2018-07-10 -- 2018-07-20", i.e., pre-dated by 5 days. The next
> certificate needs to be issued on or before "2018-07-20", but the text
> doesn't say when it's notbefore has to be, so it could have validity
> "2018-07-19 -- 2018-07-25". It seems like this document needs to
> specify an explicit way to pre-date, but it doesn't.
>
>
> COMMENTS
> S 1.
> >      new short-term certificate is needed - e.g., every 2-3 days.  If
> done
> >      this way, the process would involve frequent interactions between
> the
> >      registration function of the ACME Certification Authority (CA) and
> >      the identity provider infrastructure (e.g.: DNS, web servers),
> >      therefore making the issuance of short-term certificates exceedingly
> >      dependent on the reliability of both.
>
> I don't see why this is the case. Once you have authorized once, the
> CA can just return that no authorizations are required.
>
>
> S 3.1.1.
> >      o  recurrent-certificate-validity (required, integer): the maximum
> >         validity period of each STAR certificate, an integer that denotes
> >         a number of seconds.  This is a nominal value which does not
> >         include any extra validity time which is due to pre-dating.  The
> >         client can use this value as a hint to configure its polling
> >         timer.
>
> This text is confusing. The client produces the order, so how is it
> using it as a hint.
>
>
> S 3.1.2.
> >
> >      Issuing a cancellation for an order that is not in "valid" state has
> >      undefined semantics.  A client MUST NOT send such a request, and a
> >      server MUST return an error response with status code 400 (Bad
> >      Request) and type
> >      "urn:ietf:params:acme:error:recurrentCancellationInvalid".
>
> This doesn't sound like undefined semantics. It's just illegal.
>
> ------------------------------
>
> Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario,
> puede contener información privilegiada o confidencial y es para uso
> exclusivo de la persona o entidad de destino. Si no es usted. el
> destinatario indicado, queda notificado de que la lectura, utilización,
> divulgación y/o copia sin autorización puede estar prohibida en virtud de
> la legislación vigente. Si ha recibido este mensaje por error, le rogamos
> que nos lo comunique inmediatamente por esta misma vía y proceda a su
> destrucción.
>
> The information contained in this transmission is privileged and
> confidential information intended only for the use of the individual or
> entity named above. If the reader of this message is not the intended
> recipient, you are hereby notified that any dissemination, distribution or
> copying of this communication is strictly prohibited. If you have received
> this transmission in error, do not read it. Please immediately reply to the
> sender that you have received this communication in error and then delete
> it.
>
> Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário,
> pode conter informação privilegiada ou confidencial e é para uso exclusivo
> da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário
> indicado, fica notificado de que a leitura, utilização, divulgação e/ou
> cópia sem autorização pode estar proibida em virtude da legislação vigente.
> Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique
> imediatamente por esta mesma via e proceda a sua destruição
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>

v2.23.0 | Report a Bug | By Email