Re: [Iot-onboarding] what can pinned-domain-cert actually pin?

Michael Richardson <> Thu, 29 August 2019 18:48 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 47627120B79 for <>; Thu, 29 Aug 2019 11:48:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id EvCT6YGY4KGa for <>; Thu, 29 Aug 2019 11:48:56 -0700 (PDT)
Received: from ( [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1CCAE120B4E for <>; Thu, 29 Aug 2019 11:48:55 -0700 (PDT)
Received: from ( [IPv6:2607:f0b0:f:2::247]) by (Postfix) with ESMTP id 3F72F3808A; Thu, 29 Aug 2019 14:47:43 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by (Postfix) with ESMTP id 1D5BBD8C; Thu, 29 Aug 2019 14:48:54 -0400 (EDT)
From: Michael Richardson <>
To: "Owen Friel \(ofriel\)" <>
cc: "iot-onboarding\" <>
In-Reply-To: <>
References: <2693.1566923418@localhost> <> <> <12883.1567010221@localhost> <>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Thu, 29 Aug 2019 14:48:54 -0400
Message-ID: <16322.1567104534@localhost>
Archived-At: <>
Subject: Re: [Iot-onboarding] what can pinned-domain-cert actually pin?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 29 Aug 2019 18:48:59 -0000

Owen Friel (ofriel) <> wrote:
    >> 1) LetsEncrypt does not issue 825 day certificates. (That's 2 1/4 years).

    > I never said LE issued 825 day certs. CA/Brower forum allows public CAs
    > to issue 825 day certs. LE is currently at 90.

I know you didn't :-)
The 90 day limit by LE is a significiant operational challenge.
An 825 day limit is significantly less so, however my understanding is that
the pressure is on to lower that limit significantly; to use ACME to (re-)issue
certificates significantly more often, particilarly in light of the STAR work.

    >> 2) I'm not worried about the LE key rolling, because the RFC8649 will likely
    >> be used.

    > I wouldn’t necessarily say so. Have any CA providers, whether public
    > CAs or private CA implementations (e.g. Microsoft ADCS) committed to
    > supporting this? I'm not aware of a single one that has. Plus, RFC8649
    > requires that the existing root CA includes the hash of the next root
    > CA keys, meaning that when the existing LE root expires in 2035, then
    > the next root CA could include the RFC8649 hash, and then the next root
    > after that can be seamlessly rotated to. In like 2045. I hope to be
    > long retired by then.

They haven't announced anything, but I think that it they will, and I think
that it provides a very nice way to deal with private CA keys rolling over.

    > Regardless, LE root rotation is not at issue here. The issue is what
    > happens if an operator wants to move from GoDaddy to
    > LetsEncrypt. Either (i) all existing vouchers are dead or (ii) we need
    > multiple pinned-domain-cert entries. And maybe (i) is fine and if an
    > operator wants to change root CA providers, then the operator sucks it
    > up and reissues all nonceless vouchers.

We could also consider pinning the public key of the Registrar.
This is how constrained-BRSKI works.  There are crypto-hygiene issues here,
but maybe it's better than putting more fragile logic into a device that
might remain on a shelf for many years.

This is my only real objection to pinning an DNS-ID: the cost of the full
PKI validation that it requires the Pledge to have (in a bug-free way for a
period of decades), and that the rules for validation of chains won't change
during that period of time.

This is core of the tussle.

Michael Richardson <>ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-