Re: [Anima] [lamps] Long-lived certificates, but frequently renewed certificates

Eliot Lear <lear@cisco.com> Sun, 21 March 2021 09:30 UTC

From: Eliot Lear <lear@cisco.com>
Message-Id: <C68F9273-6D0F-44DB-AB0A-670D9F58FA59@cisco.com>
Date: Sun, 21 Mar 2021 10:30:09 +0100
In-Reply-To: <4058.1616263221@localhost>
Cc: Nico Williams <nico@cryptonector.com>, Toerless Eckert <tte@cs.fau.de>, LAMPS <spasm@ietf.org>, anima@ietf.org
To: Michael Richardson <mcr+ietf@sandelman.ca>
References: <20210318165455.GM8957@faui48f.informatik.uni-erlangen.de> <20210318183001.GN30153@localhost> <2113.1616093888@localhost> <718D80AD-8F12-4AA0-9D2A-2D8806B487C2@cisco.com> <4058.1616263221@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/GvCssFl7JrVyJZ3SPC792Y2XMvs>


> On 20 Mar 2021, at 19:00, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> It has to be a three phase commit, and it needs to be initiated from the EST server.

See my answer to Nico.  The EST server certainly knows when it wants to roll the information.  But doing so in the middle of a heart bypass operation is not something it should decide.  Once the decision is made, however, the three phase commit sounds good.

Eliot