Re: [Anima] use of CRLs in I-D Action: draft-ietf-anima-autonomic-control-plane-26.txt

Toerless Eckert <tte@cs.fau.de> Mon, 06 July 2020 23:14 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFB813A0BE3 for <anima@ietfa.amsl.com>; Mon, 6 Jul 2020 16:14:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.87
X-Spam-Level:
X-Spam-Status: No, score=-0.87 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CM5lXAfZUi4J for <anima@ietfa.amsl.com>; Mon, 6 Jul 2020 16:14:01 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5EE143A0BDF for <anima@ietf.org>; Mon, 6 Jul 2020 16:14:01 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id DC64E548011; Tue, 7 Jul 2020 01:13:55 +0200 (CEST)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id D3AB9440043; Tue, 7 Jul 2020 01:13:55 +0200 (CEST)
Date: Tue, 7 Jul 2020 01:13:55 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: anima@ietf.org
Message-ID: <20200706231355.GA54492@faui48f.informatik.uni-erlangen.de>
References: <159363696301.1694.14970467680230111407@ietfa.amsl.com> <14763.1593644290@localhost> <20200701234100.GC60049@faui48f.informatik.uni-erlangen.de> <4988.1593649836@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4988.1593649836@localhost>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/1DPbF-YGqdn9k3rqiuIoBb2K3gg>
Subject: Re: [Anima] use of CRLs in I-D Action: draft-ietf-anima-autonomic-control-plane-26.txt
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2020 23:14:04 -0000

On Wed, Jul 01, 2020 at 08:30:36PM -0400, Michael Richardson wrote:
> 
> Toerless Eckert <tte@cs.fau.de> wrote:
>     > The need to diligently document support for CRL/OCSP was done on
>     > behalf of securiy reviews. It is not meant to be a recommendation.
>     > There is mentioning of short-lived certificates in a few places in the
>     > doc.
> 
> I didn't see an RFC8739 reference.  Oh. It's I-D.ietf-acme-star.
> Your section 6.1.5.4 suggests CRLs are unnecessary when the lifetime is on
> the order of hours,  while RFC8739 is less specific about what is short.

2.3 days is one number i found in the RFC.

IMHO RFC8739 is not a relevant comparison for ACP (and i am not only
saying this because otherName killed our ability to use ACME CA with
RFC822 names ;-):

Unless i am missing something, ACP/EST renewal of certs is already the
same "lightweight" renewal that RFC8739 introduces for ACME.

In addition for ANI nodes, we always have re-enrollment via BRSKI/MASA.

Aka: ultimately, the question is whether/how we should deal with
expired certs under incomplete reachability. Max already said that
it should be perfectly fine for EST to accept expired certs as
a valid credential for renewal, that was just never top of mind when
EST was developed, and it certainly would cause hesitation at first
by IETF security review should that be added. 

I for once had to regularily re-activate enterprise WFH VPN clients
that where switched off  for months, then users sent me email, and
i had to go to the VPN server and configure "ignore lifetime for this cert",
so the VPN client would renew its cert.

> I think that a certificate lifetime on the order of a week would probably be
> workable.

I think that if you want to get rid of CRL/OCSP then you need to
get down to reaction time at the order of revocation, which i think
can be as little as 30 minutes. I think its not a problem to do that,
its just far off the beaten track people feel offended to think about
it. There are a lot of network operations aliveness operations at
a 30 seconds interval for every node (aliveness ping). Doing a simple
cert re-signing once every 30 minutes isn't worse IMHO.

> But, I think think we should get implementation experience.

Sure, but there are a lot long-term issues that can happen, sometimes
folks take yeas in deployments to figure out probems with cert lifetime
management, hence the theoretical discussion is useful here too.

>     >> I think that CRLs are not useful, and we should not use them.
> 
>     > I think we agree.
> 
> Good.
> 
>     >> 6.1.3 is clear that OCSP/CRLs may not be available when connecting!
>     >>
>     >> I think that use of STAR (https://datatracker.ietf.org/doc/rfc8739/ )
>     >> Short-Term, Automatically Renewed is the best recommendation!
> 
>     > In general yes, but the STAR use cases typically do not take into
>     > account  connectivity problems that are longer than the lifetime of
>     > a cert, whereas for the ACP this might be a problem.
> 
> yes, but the solution is to find a Join Proxy, reach out to the Registrar and
> renew the certificate using the LDevID one has.
> STAR even went into some detail about how one could renew expired
> certificates, I think. (I recall a discussion, but I'd have to check the
> document again)

Exactly, but that i think was also why the general purpose STAR document
didn't progress in LAMPS. But i forgot all the generic issues there,
i think to remember they are not an issue for ANI/ACP though, but
obviously that would have to be probed by going to LAMPS with a more
constrained EST renewal with expired certs discussion.

>     >> If we have to do OCSP (via https://datatracker.ietf.org/doc/rfc4806/ )
>     >> then we nodes can download their staple and provide it when connecting.
>     >> New nodes can get this using the Join Proxy.
>     >>
>     >> Perhaps this needs to be in a new document at this point.
> 
>     > Yepp.  I think to remember that MaxP was thinking of suggesting to
>     > talk about dealing with expired certs for our cases in i think LAMPS too
>     > but longer ago...
> 
> yes, the document wound up in ACME, and I think they did a good job, although
> it is proscriptive for ACME only, while our end-client interface is assumed
> to be EST.

Yepp. The comparison is probably that doing in ACME the revalidation of
ownership of (domain/email) name is as complex as going through BRSKI/MASA,
whereas doing just EST renewal, worst case via join-proxy (if cert is
expired) is exactly what RFC8739 does for ACME.

Cheers
    Toerless

> --
> Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works
>  -= IPv6 IoT consulting =-
> 
> 
> 



-- 
---
tte@cs.fau.de