Re: [Anima] [lamps] Long-lived certificates, but frequently renewed certificates

Tomas Gustavsson <tomas.gustavsson@primekey.com> Sat, 20 March 2021 17:41 UTC

To: Michael Richardson <mcr+ietf@sandelman.ca>, spasm@ietf.org, anima@ietf.org, netconf@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/WMKNF8DKtUvD5dmKtO172HxOfTE>

On 2021-03-20 18:32, Michael Richardson wrote:
> 
> Tomas Gustavsson <tomas.gustavsson=40primekey.com@dmarc.ietf.org> wrote:
>      >>> It's common in eID/ePassport, such as ICAO 9303, to sign "new with
>      >>> old". That way, if trusting the old trust anchor, you can automatically
>      >>> trust the new. The other way (old-with-new) I have not seen any use of
>      >>> in practice.
> 
>      >> The old-with-new and new-with-old practice is described in RFC 2510.
> 
> I wandered through the document, it does not have a ToC.
> I think section 2.4 _Root CA key update_ ?
> The terminology OldWithNew explained in 2.4.1 but not directly.
> In RFC2510, it doesn't matter, since we do all four combinations.
> 
>      > I know that. I'm merely pointing out that I have not seen anyone actually use
>      > new-with-old in real life. I put a question to the list some time ago (during
>      > CMP update discussion) and no-one (that answered) remembered ever seeing it
>      > in real use.
> 
> I see.
> 
>      > Old-with-new is fairly trivial, both technically and
>      > organizationally. New-with-old puts completely different requirements on a CA
>      > rollover procedure, for in most cases no reason. Anything new designed I
>      > would rather see analyze the usage and need instead of simply copying the
>      > notation from RFC2510.
> 
> Let me expand the terms:
>    old-with-new  -> old public key signed with new anchor
>    new-with-old  -> new public key signed with old anchor

Hah, I managed to trip myself up, that was funny :-)

I meant of course that new-with-old is what I see used extensively in 
practice (ICAO 9303 being one example), while I have not seen 
old-with-new in practice.

(new-with-new is always created of course, as self-signed Root CA 
certificate)

Cheers,
Tomas
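
The terms expanded in the thread above, as an added example (not code from the thread or from any of its participants): it builds old-with-old, new-with-new, new-with-old and old-with-new certificates with Go's standard crypto/x509 and checks which of them lets a relying party that holds only the old trust anchor accept a certificate issued under the new key. The CA names, device name, serial numbers and Ed25519 keys are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue certifies pub under the name cn, signed by signer; a nil parent means self-signed.
func issue(cn string, serial int64, ku x509.KeyUsage, pub ed25519.PublicKey,
	parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, IsCA: ku == x509.KeyUsageCertSign, BasicConstraintsValid: true}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic(fmt.Sprint("issuing ", cn, ": ", err, perr))
	}
	return cert
}

// Rollover: does a relying party that trusts only the OLD anchor accept a cert issued under the NEW key?
func Rollover() (viaNewWithNew, viaNewWithOld, viaOldWithNew bool) {
	oldPub, oldKey, _ := ed25519.GenerateKey(rand.Reader) // constructed demo keys and names throughout
	newPub, newKey, _ := ed25519.GenerateKey(rand.Reader)
	devPub, _, _ := ed25519.GenerateKey(rand.Reader)
	oldRoot := issue("Demo Root G1", 1, x509.KeyUsageCertSign, oldPub, nil, oldKey)        // old-with-old
	newRoot := issue("Demo Root G2", 2, x509.KeyUsageCertSign, newPub, nil, newKey)        // new-with-new
	newWithOld := issue("Demo Root G2", 3, x509.KeyUsageCertSign, newPub, oldRoot, oldKey) // new key, old signer
	oldWithNew := issue("Demo Root G1", 4, x509.KeyUsageCertSign, oldPub, newRoot, newKey) // old key, new signer
	leaf := issue("device.example", 5, x509.KeyUsageDigitalSignature, devPub, newRoot, newKey)
	check := func(link *x509.Certificate) bool { // link is offered as an untrusted intermediate
		roots, inter := x509.NewCertPool(), x509.NewCertPool()
		roots.AddCert(oldRoot)
		inter.AddCert(link)
		_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
		return err == nil
	}
	return check(newRoot), check(newWithOld), check(oldWithNew)
}

func main() { fmt.Println(Rollover()) }
```

Only the new-with-old certificate completes a path from the device certificate back to the old anchor; old-with-new serves the opposite population, relying parties that hold the new anchor and meet certificates issued under the old key.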