Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-39: (with DISCUSS and COMMENT)

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 31 March 2020 20:42 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B58EE3A07F6; Tue, 31 Mar 2020 13:42:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.012
X-Spam-Level:
X-Spam-Status: No, score=0.012 tagged_above=-999 required=5 tests=[SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HLDURW0ru592; Tue, 31 Mar 2020 13:42:27 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A539F3A07F5; Tue, 31 Mar 2020 13:42:22 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 378463897B; Tue, 31 Mar 2020 16:40:47 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id BC818F3A; Tue, 31 Mar 2020 16:42:16 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>, draft-ietf-anima-bootstrapping-keyinfra@ietf.org, anima-chairs@ietf.org, anima@ietf.org, tte+ietf@cs.fau.de
In-Reply-To: <20200331150202.GH50174@kduck.mit.edu>
References: <158561301296.11367.9776561744635554098@ietfa.amsl.com> <4603.1585620652@localhost> <20200331150202.GH50174@kduck.mit.edu>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 25.1.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Tue, 31 Mar 2020 16:42:16 -0400
Message-ID: <600.1585687336@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/whFCERNNzblpNVEkBeuZV2hB5Z8>
Subject: Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-39: (with DISCUSS and COMMENT)
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Mar 2020 20:42:33 -0000

Benjamin Kaduk <kaduk@mit.edu> wrote:
    > My interpretation of "pinned-domain-cert is always a CA certificate" seems
    > to have persistent support throughout the text:

I see how you might conclude that the pinned-domain-cert is always a CA
certificate from the text, rather than being a trust-anchor that the pledge
is to use to validate the chain that it got.

It certainly can be a CA certificate. That does work, because when the
pledge puts it into it's trust-anchor list, the result is that it is able to
validate the TLS Server Certificate of the provisional TLS connection.
But, it has no RFC6125 process it can follow to validate a name.

It does not have to be *the* CA root certificate, it could be some
intermediate CA if such a thing existed (such as an Enterprise CA), and in
some cases, if this was a public trust root and there were no path
constraints, that might actually be *insecure*, since that would authenticate
any TLS connection.

I think that this means that the voucher would be able to validate any
owner within that public CA's list.  It's okay if it's a private CA.

Eliot says in the call:
      The pinned-domain-cert must include sufficient chain to validate the TLS
      connection.  This certificate must only be used for this purpose.
      Longer use trust anchors are retrieved as part of the EST /cacerts request.

My implementation of the MASA puts the EE certificate in which is as narrow
as one can be.  The Siemens implementation puts in the CA certificate, and we
interoperate because of how we treat this on the pledge.  Siemens has much
stronger supply chain restrictions though.



This is the diff that I would make.
I am most concerned about the difference in the voucher:

-        <t hangText="pinned-domain-cert:">The domain CA cert. See <xref
+        <t hangText="pinned-domain-cert:">The domain's EE cert. See <xref

Because this is too narrow rather than too wide now.


diff --git a/dtbootstrap-anima-keyinfra.xml b/dtbootstrap-anima-keyinfra.xml
index b800ec3..3bdf797 100644
--- a/dtbootstrap-anima-keyinfra.xml
+++ b/dtbootstrap-anima-keyinfra.xml
@@ -2143,11 +2143,11 @@ locator3  = [O_IPv6_LOCATOR, fe80::1234, 41, nil]]]></artwork>
             The registrar's certificate chain is extracted from the signature
             method.  The entire registrar certificate chain was
             included in the CMS structure, as specified in <xref target="RequestVoucherFromMASA" />.
-            This CA certificate will be used to populate the
+            The EE certificate will be used to populate the
             "pinned-domain-cert" of the voucher being issued.
           </t>
           <t>
-            If this domain CA is unknown to the MASA, then it is to be
+            If this domain's CA is unknown to the MASA, then it is to be
             considered a temporary trust anchor for the rest of the steps
             in this section.  The intention is not to authenticate the
             message as having come from a fully validated origin, but
@@ -2377,7 +2377,7 @@ INSERT_TEXT_FROM_FILE example-voucher.json END
         <t hangText="assertion:">The method used to verify the relationship
         between pledge and registrar. See <xref
           target="MASAassertion"/>.</t>
-        <t hangText="pinned-domain-cert:">The domain CA cert. See <xref
+        <t hangText="pinned-domain-cert:">The domain's EE cert. See <xref
           target="MASApinned"/>. This figure is illustrative, for an example,
         see <xref target="exampleprocess" /></t>
         <t hangText="serial-number:">The serial-number as provided in the
@@ -2454,10 +2454,12 @@ INSERT_TEXT_FROM_FILE example-voucher.json END
         </section>
         <section anchor="PledgeAuthenticationOfProvisionalTLS"
                  title="Pledge authentication of provisional TLS connection">
-          <t>The 'pinned-domain-cert' element of the voucher contains the domain
-            CA's public key. The pledge MUST use the 'pinned-domain-cert' trust
-            anchor to immediately complete authentication of the provisional TLS
-            connection.</t>
+          <t>
+            The 'pinned-domain-cert' element of the voucher contains the
+            domain CA's issued EE certificate. The pledge MUST use the
+            'pinned-domain-cert' trust anchor to immediately complete
+            authentication of the provisional TLS connection.
+          </t>
           <t>If a registrar's credentials cannot be verified using the
             pinned-domain-cert trust anchor from the voucher then the TLS
             connection is immediately

--
Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-