Re: [Iot-onboarding] what can pinned-domain-cert actually pin?

Michael Richardson <mcr+ietf@sandelman.ca> Thu, 29 August 2019 18:48 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: iot-onboarding@ietfa.amsl.com
Delivered-To: iot-onboarding@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47627120B79 for <iot-onboarding@ietfa.amsl.com>; Thu, 29 Aug 2019 11:48:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EvCT6YGY4KGa for <iot-onboarding@ietfa.amsl.com>; Thu, 29 Aug 2019 11:48:56 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1CCAE120B4E for <iot-onboarding@ietf.org>; Thu, 29 Aug 2019 11:48:55 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 3F72F3808A; Thu, 29 Aug 2019 14:47:43 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 1D5BBD8C; Thu, 29 Aug 2019 14:48:54 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "Owen Friel \(ofriel\)" <ofriel@cisco.com>
cc: "iot-onboarding\@ietf.org" <iot-onboarding@ietf.org>
In-Reply-To: <CY4PR1101MB22788341CC8F7D5EBB72C33EDBA30@CY4PR1101MB2278.namprd11.prod.outlook.com>
References: <2693.1566923418@localhost> <0100016cd46359e7-8c844438-dc7a-45df-9868-ba0957bcc89f-000000@email.amazonses.com> <CY4PR1101MB22782817AA5A55C3812A3EEFDBA30@CY4PR1101MB2278.namprd11.prod.outlook.com> <12883.1567010221@localhost> <CY4PR1101MB22788341CC8F7D5EBB72C33EDBA30@CY4PR1101MB2278.namprd11.prod.outlook.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Thu, 29 Aug 2019 14:48:54 -0400
Message-ID: <16322.1567104534@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/G44pdkXfprXHA9CVTOI2Kz26LdE>
Subject: Re: [Iot-onboarding] what can pinned-domain-cert actually pin?
X-BeenThere: iot-onboarding@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-onboarding/>
List-Post: <mailto:iot-onboarding@ietf.org>
List-Help: <mailto:iot-onboarding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Aug 2019 18:48:59 -0000

Owen Friel (ofriel) <ofriel@cisco.com> wrote:
    >> 1) LetsEncrypt does not issue 825 day certificates. (That's 2 1/4 years).

    > I never said LE issued 825 day certs. CA/Brower forum allows public CAs
    > to issue 825 day certs. LE is currently at 90.

I know you didn't :-)
The 90 day limit by LE is a significiant operational challenge.
An 825 day limit is significantly less so, however my understanding is that
the pressure is on to lower that limit significantly; to use ACME to (re-)issue
certificates significantly more often, particilarly in light of the STAR work.

    >> 2) I'm not worried about the LE key rolling, because the RFC8649 will likely
    >> be used.

    > I wouldn’t necessarily say so. Have any CA providers, whether public
    > CAs or private CA implementations (e.g. Microsoft ADCS) committed to
    > supporting this? I'm not aware of a single one that has. Plus, RFC8649
    > requires that the existing root CA includes the hash of the next root
    > CA keys, meaning that when the existing LE root expires in 2035, then
    > the next root CA could include the RFC8649 hash, and then the next root
    > after that can be seamlessly rotated to. In like 2045. I hope to be
    > long retired by then.

They haven't announced anything, but I think that it they will, and I think
that it provides a very nice way to deal with private CA keys rolling over.

    > Regardless, LE root rotation is not at issue here. The issue is what
    > happens if an operator wants to move from GoDaddy to
    > LetsEncrypt. Either (i) all existing vouchers are dead or (ii) we need
    > multiple pinned-domain-cert entries. And maybe (i) is fine and if an
    > operator wants to change root CA providers, then the operator sucks it
    > up and reissues all nonceless vouchers.

We could also consider pinning the public key of the Registrar.
This is how constrained-BRSKI works.  There are crypto-hygiene issues here,
but maybe it's better than putting more fragile logic into a device that
might remain on a shelf for many years.

This is my only real objection to pinning an DNS-ID: the cost of the full
PKI validation that it requires the Pledge to have (in a bug-free way for a
period of decades), and that the rules for validation of chains won't change
during that period of time.

This is core of the tussle.

--
Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-