Re: [Acme] On the relationship between delegation and STAR

Thomas Fossati <Thomas.Fossati@arm.com> Tue, 28 April 2020 21:29 UTC

From: Thomas Fossati <Thomas.Fossati@arm.com>
To: "acme@ietf.org" <acme@ietf.org>
CC: Thomas Fossati <Thomas.Fossati@arm.com>
Thread-Topic: On the relationship between delegation and STAR
Thread-Index: AQHWFxc929TSRvjr4kSyyO3g+MwYHKiPKroA
Date: Tue, 28 Apr 2020 21:29:18 +0000
Message-ID: <577766A3-5A1C-408D-8944-5EEDF41D3944@arm.com>
References: <66C82F9B-4ED3-420F-ACB5-7A44D8728573@arm.com>
In-Reply-To: <66C82F9B-4ED3-420F-ACB5-7A44D8728573@arm.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/x8Ctp1fbmO9RGtZ45hGhPbeqAK0>

Hearing no dissent, we are going to move forward with the plan below.

Thanks

On 20/04/2020, 14:26, "Thomas Fossati" <Thomas.Fossati@arm.com> wrote:
> Hi, all,
>
> While working on the STAR delegation protocol we realised that the
> "STAR" in "ACME STAR Delegation" is not a strict precondition to build a
> delegation mechanism, and that we could quite easily relax the
> assumption and have a more general ACME-based delegation that can work
> with both STAR and traditional certs.
>
> In order to do that, from a protocol mechanics standpoint, we'd just need
> to add one "allow-certificate-get" attribute to the set of top-level
> Order attributes, and one to the Directory's meta, with the same exact
> semantics as those currently defined in the "auto-renewal" namespace.
>
> From an interface perspective, the only difference between non-STAR and
> STAR delegation is that the former would allow the delegate to revoke
> the cert using the cert's private key, whereas STAR certs don't have
> access to the revocation interface -- that was originally conceived to
> give tighter control to the delegator.  However, in hindsight it doesn't
> seem like this would imply an increase in attack surface, while the
> gain we'd get from the generalisation of the mechanism is quite
> noticeable, we reckon.
>
> Obviously we want to validate this scope change with the group before
> proceeding.
>
> Cheers!

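The following is an added illustration of the scope change proposed above; it is not code from the message, from the ACME STAR Delegation draft, or from any ACME implementation. It models a server-side policy check for the two places the "allow-certificate-get" flag can live: inside the "auto-renewal" object for STAR orders (where RFC 8739 defines it) and, as proposed in the message, at the top level of the Order for non-STAR delegation, with the Directory's "meta" mirroring both. The sample orders, the "status" gating, and the `authorize_certificate_fetch` helper are constructed assumptions for the example, and the revocation helper only encodes the interface difference the message describes.

```python
"""Added example (not from the email or any ACME specification): server-side
policy for unauthenticated certificate GET in STAR and non-STAR delegation."""

from typing import Any, Dict

# Constructed Directory "meta": the server advertises support for
# unauthenticated certificate GET for both order kinds.
DIRECTORY_META: Dict[str, Any] = {
    "allow-certificate-get": True,                    # proposed top-level flag (non-STAR)
    "auto-renewal": {"allow-certificate-get": True},  # RFC 8739 placement (STAR)
}

# Constructed sample orders, as a delegator might submit them.
STAR_ORDER: Dict[str, Any] = {
    "status": "valid",
    "identifiers": [{"type": "dns", "value": "cdn.example.com"}],
    "auto-renewal": {"lifetime": 259200, "allow-certificate-get": True},
}
NON_STAR_ORDER: Dict[str, Any] = {
    "status": "valid",
    "identifiers": [{"type": "dns", "value": "cdn.example.com"}],
    "allow-certificate-get": True,
}
PLAIN_ORDER: Dict[str, Any] = {
    "status": "valid",
    "identifiers": [{"type": "dns", "value": "cdn.example.com"}],
}


def is_star_order(order: Dict[str, Any]) -> bool:
    """A STAR order is recognised by the presence of the auto-renewal object."""
    return isinstance(order.get("auto-renewal"), dict)


def _flag_container(obj: Dict[str, Any], star: bool) -> Dict[str, Any]:
    """Return the object that carries allow-certificate-get for this order kind:
    the nested auto-renewal object for STAR, the object itself otherwise."""
    if star:
        nested = obj.get("auto-renewal")
        return nested if isinstance(nested, dict) else {}
    return obj


def server_allows_unauthenticated_get(meta: Dict[str, Any], star: bool) -> bool:
    """Does the Directory meta advertise support for this order kind?"""
    return _flag_container(meta, star).get("allow-certificate-get") is True


def order_requests_unauthenticated_get(order: Dict[str, Any]) -> bool:
    """Did the order opt in, in the location appropriate to its kind?"""
    return _flag_container(order, is_star_order(order)).get("allow-certificate-get") is True


def unauthenticated_get_allowed(meta: Dict[str, Any], order: Dict[str, Any]) -> bool:
    """Allow an unauthenticated GET of the certificate resource only when the
    server supports it for this order kind AND the order explicitly asked for it.
    Gating on a valid order is an assumption of this example."""
    if order.get("status") != "valid":
        return False
    star = is_star_order(order)
    return server_allows_unauthenticated_get(meta, star) and order_requests_unauthenticated_get(order)


def delegate_may_revoke_with_cert_key(order: Dict[str, Any]) -> bool:
    """Interface difference noted in the message: a non-STAR delegated cert can be
    revoked with the cert's private key; STAR certs have no revocation interface."""
    return not is_star_order(order)


def authorize_certificate_fetch(meta: Dict[str, Any], order: Dict[str, Any],
                                has_account_signature: bool) -> str:
    """Decision for a fetch of the certificate URL. An account-signed request
    (POST-as-GET) is always fine; a bare GET needs the opt-in on both sides."""
    if has_account_signature:
        return "allow"
    if unauthenticated_get_allowed(meta, order):
        return "allow"
    return "unauthorized"


if __name__ == "__main__":
    for name, order in (("STAR", STAR_ORDER), ("non-STAR", NON_STAR_ORDER), ("plain", PLAIN_ORDER)):
        print(name, "bare GET:", authorize_certificate_fetch(DIRECTORY_META, order, False),
              "| revoke with cert key:", delegate_may_revoke_with_cert_key(order))
```

The point of keeping the two lookups in one helper is that the semantics are identical, as the message proposes; only the location of the flag differs, so a server that already implements RFC 8739 extends its existing check rather than adding a second policy path. A missing or non-boolean flag is treated as "not requested", so the default remains authenticated fetching.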