Re: [Anima] representing ACP info in X.509 certs

Eric Rescorla <ekr@rtfm.com> Sun, 21 June 2020 17:36 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C015C3A0788 for <anima@ietfa.amsl.com>; Sun, 21 Jun 2020 10:36:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vwDtIfCCxF_s for <anima@ietfa.amsl.com>; Sun, 21 Jun 2020 10:36:03 -0700 (PDT)
Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E7913A077D for <anima@ietf.org>; Sun, 21 Jun 2020 10:36:03 -0700 (PDT)
Received: by mail-lj1-x22e.google.com with SMTP id n23so16731195ljh.7 for <anima@ietf.org>; Sun, 21 Jun 2020 10:36:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=OAH8k1WPV3b51R8f/uTHnmfk/MC1WyQF9kQeKHlWVXE=; b=E5SaV2ik1BZKw8yMmDSN3dsJygKjOiJ98dPEIDGuAz+7s3mivKA1dklXz1qDb3uilt nI0E8QQwOzbw0ZmvosIYMqvkTY9Lo9EutM3b29YxibFto+3Q8bAbBaGCuFWL+74WN7VR 00ZX3BJtW3bhy4d/Ok+S4YRfpAfSFXxDwsNKUIWw5AuBnGVmU/ilE48z/CVKDTxP78Sh Yy699iqyV4vin9Jrcx2IQbhmGU61XJaeLg2sxcMF8ZsHuPogUUJVZ5LH/onfxh1esVDF Cw51qUC7tZw80RFPESV1IQYxhtWrVXgZ1rCrRnwO6wAZHtu/sn5f9bDwJeQrsIxGbCnt kRYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=OAH8k1WPV3b51R8f/uTHnmfk/MC1WyQF9kQeKHlWVXE=; b=merfTRCqDXEDmY3WA+KRlhie9hFysU786X9/VywwbNe0lgaIHlfIM2YHkrss/ZWvAM jj6Sl1W2bL2tFZ7RV1fh+7DI3RJTtbnNISQ0QZ7WKNfSQTw2S++KBQ6fckq5vWqHnq+x lAtvy7SlKhAB8TCrPk3/bG4g0cWnrhBClPkdXtjLFRz4uAIsVR7+z6MKoee9MVMrRZVP KU4KUvE2bYsC7u614WSCE7Ir3L3Gl34ZX5TBgdZXq9cOzomXdvyYfNNfIOG38Hv3MPyc 7Qz4/cYLmqoo4tl2LhvaP9cUXUBjSQ11+KFkDGkrwtgulnVvRMMJ+TbTIsal1wHC2wv8 DoQQ==
X-Gm-Message-State: AOAM530MC1yCkstYdWd/dJPlTapqvvi1ojOh0DjNX1vO6TKH44SksFoQ hoZhmirRyhyh5ftX0uI2IZ+TBr/PdsdbXedcjHcrKQ==
X-Google-Smtp-Source: ABdhPJzFk1L7mS+Ix+u+PRdFjslpdhyUClv1zRAKpaVLiLSvcOL8l9gYx4MklqMyPWhVMGfIQpIskhnvE8yH5HUIcAw=
X-Received: by 2002:a05:651c:1044:: with SMTP id x4mr6240698ljm.409.1592760961253; Sun, 21 Jun 2020 10:36:01 -0700 (PDT)
MIME-Version: 1.0
References: <ece7aed3-ede3-5546-4586-1d98d3f71183.ref@verizon.net> <ece7aed3-ede3-5546-4586-1d98d3f71183@verizon.net> <CABcZeBMncZSQOfYsoVS-ZZoSbqZGOg+vQ41OdzAejrRfVozhyQ@mail.gmail.com> <4280.1592755750@localhost>
In-Reply-To: <4280.1592755750@localhost>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 21 Jun 2020 10:35:25 -0700
Message-ID: <CABcZeBMMTbX4dRuZsgj6TpHKeS71FaBAgiVmEnAMeMXSM=S9KQ@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: Stephen Kent <stkent=40verizon.net@dmarc.ietf.org>, Anima WG <anima@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004ed69705a89b8fcc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/57GA6kkAZsAoIm0kHC0h909JbdU>
Subject: Re: [Anima] representing ACP info in X.509 certs
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Jun 2020 17:36:06 -0000

> Eric Rescorla <ekr@rtfm.com> wrote:
>     > One thing that's not clear to me: is the expectation that you will
be
>     > using a public CA or that you will be using an enterprise-level one?
>
> There are different many use cases, and it is precisely because we can't
be
> prescriptive about the operation of the CA involved that the WG
compromised
> on a solution that we know can be deployed today.
> I wasn't happy with the result, but I realized that I could live with the
> compromise result.  The WG did consider all the points that you have
raised.

Well, strictly speaking, I believe it was others who raised the points;
however, I do concur with them. In any cases, as Ben notes, this decision
cannot be made by this WG alone.


> 1) a private-CA internal to the ACP Registar.
>
> 2) an enterprise private-CA external to the ACP Registrar, which is
embedded
>    in another system, such as ActiveDirectory

I am not particularly expert on private CAs, though I see that
Sean made some notes on what could be done with that software.


> 3) when we started this work, it was possible to have (a) and (b) with
>    anchors toward public CAs
...

> 5) a small (or growing) enterprise entity that uses ACME to a public CA.
>    The is no "group" policy to deploy a private CA, and there is a strong
>    desire that the devices that are enrolled do not train users to think
>    security exceptions are "normal".
>    Obviously, the DN presented to a browser is not a rfc822Name,
>    but would have to be an dnsName.  The ACP rfc822Name
>    may not be the only SAN in the certificate, but it is one that
>    draft-ietf-acme-email-smime-08 allow the Registrar to validate.

I'm assuming that by "public CA" we are talking about a CA which
issues certificates which are acceptable to browsers or other generic
clients. On that topic, I would make a few points:

1. It is not impossible to get CAs to issue certificates with custom
extensions. For instance, DigiCert issues certificates with the
Delegated Credentials extension:

   https://engineering.fb.com/security/delegated-credentials/

It's of course possible that otherName would be different.


2. I believe the Mozilla Root Store Policy [0] would require a CA to
revoke certificates used as described in this specification. See
Section 6.2 (S/MIME Certificates) [1]:

   For any certificate in a hierarchy capable of being used for
   S/MIME, CAs MUST revoke certificates upon the occurrence of any of
   the following events:

   ...

   3. the CA obtains reasonable evidence that the certificate has been
   used for a purpose outside of that indicated in the certificate or
   in the CA's subscriber agreement;

I imagine that other root programs have similar restrictions.
Of course this wouldn't preclude a CA that wasn't subject to these
restrictions issuing ACP certificates.

-Ekr



[0]
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
[1] There are a number of other clauses which I believe would also apply,
but I believe this is the most on-point.