Re: [Acme] comments on: draft-ietf-acme-integrations-03.txt
Deb Cooley <debcooley1@gmail.com> Thu, 10 June 2021 09:44 UTC
Return-Path: <debcooley1@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 220AE3A3BFD for <acme@ietfa.amsl.com>; Thu, 10 Jun 2021 02:44:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.847
X-Spam-Level:
X-Spam-Status: No, score=-1.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1h-BgBmOUcYl for <acme@ietfa.amsl.com>; Thu, 10 Jun 2021 02:44:06 -0700 (PDT)
Received: from mail-oi1-x233.google.com (mail-oi1-x233.google.com [IPv6:2607:f8b0:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3CCE23A3BF9 for <acme@ietf.org>; Thu, 10 Jun 2021 02:44:06 -0700 (PDT)
Received: by mail-oi1-x233.google.com with SMTP id v22so1487011oic.2 for <acme@ietf.org>; Thu, 10 Jun 2021 02:44:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=I5PNt9sTGIE23Af3yFbl4Jg5PK5ZnLe4ria2FBzN8vY=; b=YMr9u1tIjC7hyVe8jB5f8FxH1fr8WMCP1mTBHhxFPo//mWFThnn+zRt0uCv9nwnqBR P1PJVyvQm4MG5s9rSQG49phpHFZInNeCrxCFhOj4aE3+ahCu2sFmx0BzPVCKNOYEaaD4 XaurBesqzgoeupRGZcOu/K1Qv9/M/geYLbtqzXhUaqEC8qxRW6RxkjLXP8ydx245tv1F Kn6LeGqXAydaQ1wqggDf4inIqt6cgA2MXT+vJBoAwgPX7ji07233XoBF3mE5zggtvEYC m+Cwe+HYdOX1VHgiRwIAPasCRKFUGJWo9gNAiLZDWjtxolZGtireYe/SLixNO7WbVnWx 5ExQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=I5PNt9sTGIE23Af3yFbl4Jg5PK5ZnLe4ria2FBzN8vY=; b=ipt4ItIuwisUyYEzwLhaNJinW5gKTdF0tNxzJkinCbfm5BuEuCYFgK3EX+XqEU3NW6 +8yS7R2MlXLxPDFEYa9EsZklZg7e+t5WkvhhyCJZWQWEJZ6/DKgKnrIEslIJvtfE0uX4 8iNf4nc4jO2ND1Yu8ff+WaE2H6XA6FOIMj5s5qCWHQ9nceeeKKlBmNsC7bjUaOiEYHlU vMETmU8RkSsWzktr2gXJOoFs4yzASdrV4oVDAEYGD+xmSWD65gr+r4tAEcrXxOplqe6s FLPmPkE1zUfEHPOU0N0PMaK+Dm4vpypqtl9ge+l6xuNyuC/HJcI/vG28hT90xJTKeDo/ s2Aw==
X-Gm-Message-State: AOAM533xG7dx59E/Sdd2euxQN3R+s2FIItEldGx808bi3f0a+UpznSQ/ 2Lda+n4oCxdAJTb/t8DSDKBLdtl/Md5MjvXFdQ==
X-Google-Smtp-Source: ABdhPJx5dJdvm2774Co4X83PmCgztVzb8pGBcxnzagmmZ7JqbaLl1gxY11c3GsoE5lYL0yn87pUVQjPA4j6AQdW2Qgs=
X-Received: by 2002:aca:3f41:: with SMTP id m62mr7430785oia.37.1623318244516; Thu, 10 Jun 2021 02:44:04 -0700 (PDT)
MIME-Version: 1.0
References: <CAGgd1Od3apxOznaSdBqg-y+Ut=amR3jPrzBdOXfzPV=AHq6Rww@mail.gmail.com> <MW3PR11MB4746D8B59EBD417CBAB690F5DB379@MW3PR11MB4746.namprd11.prod.outlook.com>
In-Reply-To: <MW3PR11MB4746D8B59EBD417CBAB690F5DB379@MW3PR11MB4746.namprd11.prod.outlook.com>
From: Deb Cooley <debcooley1@gmail.com>
Date: Thu, 10 Jun 2021 05:43:53 -0400
Message-ID: <CAGgd1Of=0=bxNB3yWoYHPRdx_OFuwGZ5CbSMWarGCXJPqzonsw@mail.gmail.com>
To: "Owen Friel (ofriel)" <ofriel@cisco.com>, acme@ietf.org
Cc: "Cooley, Dorothy E" <decoole@nsa.gov>
Content-Type: multipart/alternative; boundary="000000000000528d1605c4663bcd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/wvqsoQkWJxKj4sSlBiPYQrMCJ3g>
Subject: Re: [Acme] comments on: draft-ietf-acme-integrations-03.txt
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jun 2021 09:44:11 -0000
I've just picked the parts that I want to respond to, hopefully this isn't confusing: snip....... Section 3, 4 and 5 call flow: both cases show the ACME CA returning a PEM, while the EST RA returns a PKCS#7 to the device. Is this intentional? Are you expecting the EST Server to convert the certificate from PEM to PKCS 7, and is the PKCS7 a .p7b or .p7c. [note: these are trivial conversions, but they are also very confusing to most people] [ofriel] That’s a fair point. We could reference https://datatracker.ietf.org/doc/html/rfc8555#section-7.4.2 and state that EST server may request ACME certs using "application/pkcs7-mime" and that would avoid a transcoding operation when the EST downloads the cert from ACME. snip...... Deb: you can't just use PEM everywhere? RFC8555 pretty much says that PEM is the default anyway? snip....... Again architecture: If the EST Server sits in front of a large organization, then domain validation is more interesting, and the Get /csrattrs may or may not be able to recommend a SAN, right? I can see that policy oids could be provided, if that is a thing in these systems. [we use policy oids in US DOD, but that is possibly uncommon elsewhere.] [ofriel] That is also a fair point, for complex deployments its not clear what policy the EST server may want to apply before assigning a SAN. The text in section 3 currently states: “EST servers could use this mechanism to tell the client what fields to include in the CSR Subject and Subject Alternative Name fields” We could beef up that statement and explicitly state that the policy by which the EST determines the SAN to specify is explicitly out of scope. And also note that policy OIDs could be provided. snip..... Deb: don't go too crazy here. You are pretty soft on the language 'could use' isn't exactly requiring it, but merely allowing it. Deb Cooley, NSA On Tue, Jun 8, 2021 at 12:06 PM Owen Friel (ofriel) <ofriel@cisco.com> wrote: > Yes Deb, it did get lost in the shuffle. > > > > See inline. > > > > > > *From:* Acme <acme-bounces@ietf.org> *On Behalf Of *Deb Cooley > *Sent:* 19 March 2021 18:46 > *To:* acme@ietf.org > *Cc:* Cooley, Dorothy E <decoole@nsa.gov> > *Subject:* [Acme] comments on: draft-ietf-acme-integrations-03.txt > > > > I thought this draft was pretty easy to follow, and I just have a few > minor comments. Note: I am probably reviewing this from the point of view > of an integrator (maybe?) definitely not as a device developer, and not as > a CA developer. > > Section 1, sentence after bullets and Section 4, paragraph 1: Section 1 > used “enrolment” while Section 4 used “enrollment”. Pick one. Use it > everywhere. > > [ofriel] Sure, will fixup. > > Section 3, 4 and 5 call flow: both cases show the ACME CA returning a > PEM, while the EST RA returns a PKCS#7 to the device. Is this > intentional? Are you expecting the EST Server to convert the certificate > from PEM to PKCS 7, and is the PKCS7 a .p7b or .p7c. [note: these are > trivial conversions, but they are also very confusing to most people] > > [ofriel] That’s a fair point. We could reference > https://datatracker.ietf.org/doc/html/rfc8555#section-7.4.2 and state > that EST server may request ACME certs using "application/pkcs7-mime" and > that would avoid a transcoding operation when the EST downloads the cert > from ACME. > > From an architecture point of view, do you expect the EST Server to be run > by the requesting organization? Or by the CA owner – or is this not even > possible? [from a ‘domain control’ point of view] > > [ofriel] We think this should be run by the organization that owns the > domain, and then the EST RA can request certs from the ACME CA which could > be run by a different org. > > Again architecture: If the EST Server sits in front of a large > organization, then domain validation is more interesting, and the Get > /csrattrs may or may not be able to recommend a SAN, right? I can see that > policy oids could be provided, if that is a thing in these systems. [we > use policy oids in US DOD, but that is possibly uncommon elsewhere.] > > [ofriel] That is also a fair point, for complex deployments its not clear > what policy the EST server may want to apply before assigning a SAN. The > text in section 3 currently states: > > “EST servers could use this mechanism to tell the client what fields to > include in the CSR Subject and Subject Alternative Name fields” > > We could beef up that statement and explicitly state that the policy by > which the EST determines the SAN to specify is explicitly out of scope. And > also note that policy OIDs could be provided. > > > > Section 8.1, para 3: What does ‘The cache should be keyed by the complete > contents of the CSR’ mean? The word ‘keyed’, I think, is the problem. > Maybe ‘indexed’? Unless the cache is encrypted? > > [ofriel] Yes “indexed” is better and less confusing. > > > > Deb Cooley, NSA >
- [Acme] comments on: draft-ietf-acme-integrations-… Deb Cooley
- Re: [Acme] comments on: draft-ietf-acme-integrati… Deb Cooley
- Re: [Acme] comments on: draft-ietf-acme-integrati… Owen Friel (ofriel)
- Re: [Acme] comments on: draft-ietf-acme-integrati… Michael Richardson
- Re: [Acme] comments on: draft-ietf-acme-integrati… Deb Cooley
- Re: [Acme] comments on: draft-ietf-acme-integrati… Deb Cooley
- Re: [Acme] comments on: draft-ietf-acme-integrati… Michael Richardson
- Re: [Acme] comments on: draft-ietf-acme-integrati… Owen Friel (ofriel)
- Re: [Acme] comments on: draft-ietf-acme-integrati… Sean Turner
- Re: [Acme] comments on: draft-ietf-acme-integrati… Deb Cooley