Re: [Acme] draft-ietf-acme-star

Thomas Fossati <Thomas.Fossati@arm.com> Wed, 11 September 2019 16:09 UTC

From: Thomas Fossati <Thomas.Fossati@arm.com>
To: "Salz, Rich" <rsalz@akamai.com>, Richard Barnes <rlb@ipv.sx>
CC: IETF ACME <acme@ietf.org>, Thomas Fossati <Thomas.Fossati@arm.com>
Date: Wed, 11 Sep 2019 16:08:53 +0000
Message-ID: <81C03A03-8189-4BB6-A4B1-131B25831ED7@arm.com>
References: <CAL02cgST77G9uR23x4Hf0L8_hqi6zSuJqB=dbunGYcDPEDpbDg@mail.gmail.com> <94D1B74E-8AD8-4623-8DFB-E9C132BBB940@arm.com> <CAL02cgTM+dTJ6enzpnb=dSCzbDMR+3Xadp4r4a3xuzzhxPgJag@mail.gmail.com> <1D779B7D-3661-49B6-BC75-A41B69F3768F@akamai.com>
In-Reply-To: <1D779B7D-3661-49B6-BC75-A41B69F3768F@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/zfhD--L_fsm8eB7XJVBRGdgw4Ys>

Hi Rich, Richard,

(Merging both your emails into one reply.)

On 09/09/2019, 23:57, "Salz, Rich" <rsalz@akamai.com> wrote:
> I don't care about the STAR acronym not being known by those who don't
> know :) but I think Richard's comments – most of which are, really,
> wordsmithing nits of message-field names – deserve more consideration.
> After all, the STAR documents didn't get much attention from the ACME
> members.

Sure, high quality feedback is always welcome.  Our worry was that
making such changes after the doc has been through IETF LC and a couple
of AD reviews means that very few people will get to double-check that
the protocol is still correct/consistent.  But, let's be bold as it's
probably worth taking the risk :-)

Now addressing Richard's comments:

> On 28/08/2019 at 15:52, Richard Barnes <rlb@ipv.sx> wrote:
>
> - The use of the "STAR" acronym is not helpful.  This is not an
> acronym that will be familiar to a reader, and less so an implementer
> who has not fully read and absorbed this spec.  Instead, you should
> say what you mean, e.g., for the "meta" fields:
>
> star-enabled -> auto-renewal-allowed
> star-min-cert-validity -> min-cert-validity
> star-max-renewal -> max-auto-renewals

OK, will do.

> - Likewise, "recurrent" is not a common word in English.  If you want
> to use a single word, "recurring" is more common, but referring to
> "auto-renewal" would be even better.

OK, will do.

> - It would be even cleaner to group all these "recurrent" fields into
> a sub-object, so that you wouldn't have to worry about them being
> present if "recurrent" wasn't set.  In other words, just signal the
> "recurrent" boolean by the presence of the object, and specify the
> parameters in the object.
>
> { "auto-renew": { "start": ..., "end": ..., "lifetime": ..., } }

OK, will do.

> - The idea of "predating" is toxic.  Pre-dating a certificate means
> making the notBefore date earlier than when you actually issued it,
> which is a huge problem for a real CA to do.  That's not what you mean
> here.  You just want there to be some overlap between certificates.
> Say that instead ("recurrent-certificate-predate" -> "overlap") and
> adjust Section 3.5 accordingly.

There are two aspects to consider:

1 The recommendation we added in section 4.1 to address the clock skew
  impact on HTTPS (cfr. the cited Google paper), which was discussed at
  length during the STAR side-meeting in Singapore.  This bit is
  controlled by the ACME client (via recurrent-certificate-predate) who
  might optionally ask the ACME CA to pre-date all the certs by a
  certain amount if it knows its client population is clock-skewed
  (this is probably the "toxic" bit you are referring to?)

2 The pre-dating that the ACME server MUST do on cert rotation to
  prevent the client from fetching a not-yet-valid credential (i.e., the
  overlap you mention).

IIUC, you are suggesting to drop the former, i.e., removing the ability
for a client to request recurrent-certificate-predate, correct?  Or are
you suggesting to only remove the RECOMMENDED from section 4.1?

> - The Not-Before and Not-After headers should be removed.  On the one
> hand, it's not clear to me that it's any easier to parse these headers
> than it is to parse the certificate.  On the other hand, there are
> existing HTTP headers that express almost exactly the same semantics,
> e.g., Expires.

Expires is not completely unrelated (in fact, your observation had me
thinking that we should probably discuss the operational impact of HTTP
caches on STAR cert resources) but I'm not sure it really has compatible
semantics -- it's a signal for the caching / validation layer of the
HTTP protocol rather than an intrinsic property of the resource.  OTOH,
looking at already registered HTTP headers we couldn't find anything
suitable.  So I think the only choices we are left with are to either
remove the headers altogether or keep them as they currently are.

> - It's not clear that there's any reason to negotiate certificate-GET
> on a per-order basis.  Just have the CA allow it or not unilaterally
> and delete the "recurrent-certificate-get" field.

The client decides whether it wants to use the GET interface (e.g., if
STAR is part of a delegation workflow) or not (i.e., STAR is used for
plain auto renewal.)  It's not up to the server to decide which workflow
the client is interested in.

> - The "star-certificate" attribute is unnecessary.  Instead, you
> should just say that when auto-renewal is enabled, the "certificate"
> attribute points to the current certificate, and use "previous" link
> relations to expose earlier certs.

The idea behind the "star-certificate" attribute was to mark the fact
that the underlying resource is of a different kind.  More specifically,
it's not immutable as opposed to that in a non-STAR Order.  ACME Section
7.4.2 has:

   "A certificate resource represents a single, immutable certificate."

(BTW, I guess a "previous" link can - and should - be used
irrespective of how the Order attribute is called.)

Cheers, thanks both for the input!
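The following is an added example, not code from this thread, from draft-ietf-acme-star or from any ACME implementation. It models the two kinds of "pre-dating" the reply distinguishes: (1) an optional, client-requested back-dating for a clock-skewed client population, and (2) the overlap the server guarantees at rotation so that a client never fetches a not-yet-valid certificate and, if it polls often enough, never holds an expired one. The JSON layout follows Richard's proposed "auto-renew" sub-object; the key names "lifetime", "predate" and "overlap", their units (seconds) and the publication rule "publish the next certificate `overlap` before the current one expires" are assumptions made for this example, not the draft's definitions.

```python
"""Model of STAR certificate rotation with overlap and optional pre-dating.
Added example; field names, units and the publication rule are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime
    published: datetime  # when the server starts returning it at the certificate URL


def parse_auto_renew(order: dict) -> Optional[dict]:
    """Read the proposed 'auto-renew' sub-object (assumed keys). Its absence
    means a plain, non-auto-renewed order, so the caller gets None instead
    of a separate boolean flag."""
    ar = order.get("auto-renew")
    if ar is None:
        return None
    params = {
        "start": datetime.fromisoformat(ar["start"]),
        "end": datetime.fromisoformat(ar["end"]),
        "lifetime": timedelta(seconds=int(ar["lifetime"])),
        # Aspect 1: optional extra back-dating requested by the client.
        "predate": timedelta(seconds=int(ar.get("predate", 0))),
    }
    if params["end"] <= params["start"]:
        raise ValueError("auto-renew: end must be after start")
    if params["lifetime"] <= timedelta(0):
        raise ValueError("auto-renew: lifetime must be positive")
    if not timedelta(0) <= params["predate"] < params["lifetime"]:
        raise ValueError("auto-renew: predate must be in [0, lifetime)")
    return params


def rotation_schedule(start: datetime, end: datetime, lifetime: timedelta,
                      overlap: timedelta, predate: timedelta = timedelta(0)) -> List[Cert]:
    """Plan the series of certificates the server publishes between start and end.

    Aspect 2 (server-side overlap): the next certificate is published `overlap`
    before the current one expires, and nothing is published before its own
    notBefore, so a client that polls at least every `overlap` never holds an
    expired certificate and never fetches a not-yet-valid one.
    Aspect 1 (client-requested predate): each notBefore is moved `predate`
    before publication, so a client whose clock runs up to `predate` behind
    the server still sees a freshly fetched certificate as already valid."""
    if not timedelta(0) < overlap < lifetime:
        raise ValueError("overlap must be positive and shorter than lifetime")
    if not timedelta(0) <= predate < lifetime - overlap:
        raise ValueError("predate must leave room for the overlap")
    certs: List[Cert] = []
    published = start
    while published < end:
        not_before = published - predate
        not_after = not_before + lifetime
        certs.append(Cert(len(certs) + 1, not_before, not_after, published))
        published = not_after - overlap  # next cert goes live before this one expires
    return certs


def served_at(certs: List[Cert], t: datetime) -> Optional[Cert]:
    """What a GET on the certificate URL returns at server time t: the most
    recently published certificate, which by construction is already valid."""
    live = [c for c in certs if c.published <= t]
    return live[-1] if live else None


def client_always_valid(certs: List[Cert], start: datetime, end: datetime,
                        poll_interval: timedelta,
                        clock_skew: timedelta = timedelta(0)) -> bool:
    """Simulate a client that re-fetches every `poll_interval` and whose clock
    runs `clock_skew` behind the server's. True iff, judged on the client's
    own clock, the certificate it holds is valid from each fetch until the next."""
    t = start
    while t < end:
        held = served_at(certs, t)
        if held is None:
            return False
        local_now = t - clock_skew
        local_next = min(t + poll_interval, end) - clock_skew
        if held.not_before > local_now:  # fetched a not-yet-valid certificate
            return False
        if held.not_after < local_next:  # expired before the next fetch
            return False
        t += poll_interval
    return True


if __name__ == "__main__":
    # Constructed sample: 10-day order, 72h certs, 24h overlap, 1h predate.
    h = timedelta(hours=1)
    start = datetime(2019, 9, 11, tzinfo=timezone.utc)
    for c in rotation_schedule(start, start + 240 * h, 72 * h, 24 * h, predate=h):
        print(c.serial, c.not_before.isoformat(), c.not_after.isoformat(), c.published.isoformat())
```

With a 24h overlap a client polling every 24h stays valid, a client polling every 40h can hold an expired certificate, and a client whose clock is 1h behind rejects freshly published certificates unless the order asked for at least 1h of predate; which is the distinction between the two aspects in the reply.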


