Re: [Anima] use of CRLs in I-D Action: draft-ietf-anima-autonomic-control-plane-26.txt
Toerless Eckert <tte@cs.fau.de> Mon, 06 July 2020 23:14 UTC
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFB813A0BE3 for <anima@ietfa.amsl.com>; Mon, 6 Jul 2020 16:14:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.87
X-Spam-Level:
X-Spam-Status: No, score=-0.87 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CM5lXAfZUi4J for <anima@ietfa.amsl.com>; Mon, 6 Jul 2020 16:14:01 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5EE143A0BDF for <anima@ietf.org>; Mon, 6 Jul 2020 16:14:01 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id DC64E548011; Tue, 7 Jul 2020 01:13:55 +0200 (CEST)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id D3AB9440043; Tue, 7 Jul 2020 01:13:55 +0200 (CEST)
Date: Tue, 07 Jul 2020 01:13:55 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: anima@ietf.org
Message-ID: <20200706231355.GA54492@faui48f.informatik.uni-erlangen.de>
References: <159363696301.1694.14970467680230111407@ietfa.amsl.com> <14763.1593644290@localhost> <20200701234100.GC60049@faui48f.informatik.uni-erlangen.de> <4988.1593649836@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <4988.1593649836@localhost>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/1DPbF-YGqdn9k3rqiuIoBb2K3gg>
Subject: Re: [Anima] use of CRLs in I-D Action: draft-ietf-anima-autonomic-control-plane-26.txt
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2020 23:14:04 -0000
On Wed, Jul 01, 2020 at 08:30:36PM -0400, Michael Richardson wrote: > > Toerless Eckert <tte@cs.fau.de> wrote: > > The need to diligently document support for CRL/OCSP was done on > > behalf of securiy reviews. It is not meant to be a recommendation. > > There is mentioning of short-lived certificates in a few places in the > > doc. > > I didn't see an RFC8739 reference. Oh. It's I-D.ietf-acme-star. > Your section 6.1.5.4 suggests CRLs are unnecessary when the lifetime is on > the order of hours, while RFC8739 is less specific about what is short. 2.3 days is one number i found in the RFC. IMHO RFC8739 is not a relevant comparison for ACP (and i am not only saying this because otherName killed our ability to use ACME CA with RFC822 names ;-): Unless i am missing something, ACP/EST renewal of certs is already the same "lightweight" renewal that RFC8739 introduces for ACME. In addition for ANI nodes, we always have re-enrollment via BRSKI/MASA. Aka: ultimately, the question is whether/how we should deal with expired certs under incomplete reachability. Max already said that it should be perfectly fine for EST to accept expired certs as a valid credential for renewal, that was just never top of mind when EST was developed, and it certainly would cause hesitation at first by IETF security review should that be added. I for once had to regularily re-activate enterprise WFH VPN clients that where switched off for months, then users sent me email, and i had to go to the VPN server and configure "ignore lifetime for this cert", so the VPN client would renew its cert. > I think that a certificate lifetime on the order of a week would probably be > workable. I think that if you want to get rid of CRL/OCSP then you need to get down to reaction time at the order of revocation, which i think can be as little as 30 minutes. I think its not a problem to do that, its just far off the beaten track people feel offended to think about it. There are a lot of network operations aliveness operations at a 30 seconds interval for every node (aliveness ping). Doing a simple cert re-signing once every 30 minutes isn't worse IMHO. > But, I think think we should get implementation experience. Sure, but there are a lot long-term issues that can happen, sometimes folks take yeas in deployments to figure out probems with cert lifetime management, hence the theoretical discussion is useful here too. > >> I think that CRLs are not useful, and we should not use them. > > > I think we agree. > > Good. > > >> 6.1.3 is clear that OCSP/CRLs may not be available when connecting! > >> > >> I think that use of STAR (https://datatracker.ietf.org/doc/rfc8739/ ) > >> Short-Term, Automatically Renewed is the best recommendation! > > > In general yes, but the STAR use cases typically do not take into > > account connectivity problems that are longer than the lifetime of > > a cert, whereas for the ACP this might be a problem. > > yes, but the solution is to find a Join Proxy, reach out to the Registrar and > renew the certificate using the LDevID one has. > STAR even went into some detail about how one could renew expired > certificates, I think. (I recall a discussion, but I'd have to check the > document again) Exactly, but that i think was also why the general purpose STAR document didn't progress in LAMPS. But i forgot all the generic issues there, i think to remember they are not an issue for ANI/ACP though, but obviously that would have to be probed by going to LAMPS with a more constrained EST renewal with expired certs discussion. > >> If we have to do OCSP (via https://datatracker.ietf.org/doc/rfc4806/ ) > >> then we nodes can download their staple and provide it when connecting. > >> New nodes can get this using the Join Proxy. > >> > >> Perhaps this needs to be in a new document at this point. > > > Yepp. I think to remember that MaxP was thinking of suggesting to > > talk about dealing with expired certs for our cases in i think LAMPS too > > but longer ago... > > yes, the document wound up in ACME, and I think they did a good job, although > it is proscriptive for ACME only, while our end-client interface is assumed > to be EST. Yepp. The comparison is probably that doing in ACME the revalidation of ownership of (domain/email) name is as complex as going through BRSKI/MASA, whereas doing just EST renewal, worst case via join-proxy (if cert is expired) is exactly what RFC8739 does for ACME. Cheers Toerless > -- > Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works > -= IPv6 IoT consulting =- > > > -- --- tte@cs.fau.de
- [Anima] I-D Action: draft-ietf-anima-autonomic-co… internet-drafts
- [Anima] use of CRLs in I-D Action: draft-ietf-ani… Michael Richardson
- [Anima] AcpNodeName -- Re: I-D Action: draft-ietf… Michael Richardson
- Re: [Anima] AcpNodeName -- Re: I-D Action: draft-… Toerless Eckert
- Re: [Anima] use of CRLs in I-D Action: draft-ietf… Toerless Eckert
- Re: [Anima] use of CRLs in I-D Action: draft-ietf… Michael Richardson
- Re: [Anima] use of CRLs in I-D Action: draft-ietf… Toerless Eckert