Re: [Iot-onboarding] what can pinned-domain-cert actually pin?

"Owen Friel (ofriel)" <ofriel@cisco.com> Fri, 30 August 2019 10:47 UTC

To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/-MdlfFaMPb_8QWvKoXsbxRCpJj8>
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>


> -----Original Message-----
> From: Iot-onboarding <iot-onboarding-bounces@ietf.org> On Behalf Of
> Michael Richardson
> Sent: 29 August 2019 19:49
> To: Owen Friel (ofriel) <ofriel@cisco.com>
> Cc: iot-onboarding@ietf.org
> Subject: Re: [Iot-onboarding] what can pinned-domain-cert actually pin?
> 
> 
> Owen Friel (ofriel) <ofriel@cisco.com> wrote:
>     >> 1) LetsEncrypt does not issue 825 day certificates. (That's 2 1/4 years).
> 
>     > I never said LE issued 825 day certs. CA/Browser forum allows public CAs
>     > to issue 825 day certs. LE is currently at 90.
> 
> I know you didn't :-)
> The 90 day limit by LE is a significant operational challenge.
> An 825 day limit is significantly less so, however my understanding is that the
> pressure is on to lower that limit significantly; to use ACME to (re-)issue
> certificates significantly more often, particularly in light of the STAR work.

That is correct, the CA/Browser forum is already discussing that: https://cabforum.org/2019/08/08/2019-07-25-minutes-of-the-server-certificate-working-group/#5-Validation-Subcommittee-Updatenbsp

"Another topic they discussed was the Certificate lifetime which Ryan introduced at the F2F in Thessaloniki. He is close to creating a draft ballot to reduce lifetime to roughly 1 year or roughly 13 months."

But it is contentious: https://cabforum.org/2019/08/26/2019-08-08-minutes-of-the-server-certificate-working-group/#5-Validation-Subcommittee-Updatenbsp

"Dean said that DigiCert is actively gathering feedback from large enterprise customers with multi-year certificates and no automation."


> 
>     >> 2) I'm not worried about the LE key rolling, because the RFC8649 will
>     >> likely be used.
> 
>     > I wouldn’t necessarily say so. Have any CA providers, whether public
>     > CAs or private CA implementations (e.g. Microsoft ADCS) committed to
>     > supporting this? I'm not aware of a single one that has. Plus, RFC8649
>     > requires that the existing root CA includes the hash of the next root
>     > CA keys, meaning that when the existing LE root expires in 2035, then
>     > the next root CA could include the RFC8649 hash, and then the next root
>     > after that can be seamlessly rotated to. In like 2045. I hope to be
>     > long retired by then.
> 
> They haven't announced anything, but I think that they will, and I think that
> it provides a very nice way to deal with private CA keys rolling over.
> 
>     > Regardless, LE root rotation is not at issue here. The issue is what
>     > happens if an operator wants to move from GoDaddy to
>     > LetsEncrypt. Either (i) all existing vouchers are dead or (ii) we need
>     > multiple pinned-domain-cert entries. And maybe (i) is fine and if an
>     > operator wants to change root CA providers, then the operator sucks it
>     > up and reissues all nonceless vouchers.
> 
> We could also consider pinning the public key of the Registrar.
> This is how constrained-BRSKI works.  There are crypto-hygiene issues here,
> but maybe it's better than putting more fragile logic into a device that might
> remain on a shelf for many years.

Right. You could pin the raw public key and then the RA EE cert could rotate provided the key remained the same. Obviously any changes to the key (length, algorithm, etc.) invalidate vouchers.

> 
> This is my only real objection to pinning a DNS-ID: the cost of the full PKI
> validation that it requires the Pledge to have (in a bug-free way for a period
> of decades), and that the rules for validation of chains won't change during
> that period of time.
> 
> This is core of the tussle.

Yep.

> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
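
The trade-off between pinning the Registrar certificate and pinning its raw public key, discussed above, can be checked with OpenSSL. This is an added example, not part of the original message or of any BRSKI implementation. The file names, the `registrar.example` subject, the self-signed stand-in certificates and the use of SHA-256 fingerprints for comparison are all assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (constructed names and paths): certificate pin vs raw public key
# pin across a reissue of the Registrar end-entity certificate.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Hex SHA-256 of stdin.
sha256_hex() { openssl dgst -sha256 -r | cut -d' ' -f1; }

# Fingerprint of the whole DER certificate: changes on every reissue.
cert_fp() { openssl x509 -in "$1" -outform DER | sha256_hex; }

# Fingerprint of the DER SubjectPublicKeyInfo: changes only when the key does.
spki_fp() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | sha256_hex
}

new_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null; }

# Self-signed stand-in for a Registrar EE certificate: issue <key> <cert> <days>
issue() {
  openssl req -x509 -new -key "$1" -out "$2" -days "$3" \
    -subj "/CN=registrar.example" 2>/dev/null
}

cert_pin_ok() { [ "$(cert_fp "$2")" = "$1" ]; }   # cert_pin_ok <pin> <cert>
spki_pin_ok() { [ "$(spki_fp "$2")" = "$1" ]; }   # spki_pin_ok <pin> <cert>

new_key "$WORK/k1.pem"; new_key "$WORK/k2.pem"
issue "$WORK/k1.pem" "$WORK/original.pem" 90
issue "$WORK/k1.pem" "$WORK/reissued.pem" 825   # same key, new certificate
issue "$WORK/k2.pem" "$WORK/rekeyed.pem" 90     # new key, new certificate

# Pins recorded from the original certificate (stand-in for voucher issue time).
CERT_PIN=$(cert_fp "$WORK/original.pem")
SPKI_PIN=$(spki_fp "$WORK/original.pem")

for c in original reissued rekeyed; do
  cert_pin_ok "$CERT_PIN" "$WORK/$c.pem" && cp=match || cp=MISMATCH
  spki_pin_ok "$SPKI_PIN" "$WORK/$c.pem" && sp=match || sp=MISMATCH
  printf '%-9s cert-pin=%-8s spki-pin=%s\n' "$c" "$cp" "$sp"
done
```

The reissued certificate fails the certificate pin but still satisfies the public key pin, while the rekeyed certificate fails both.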