Re: [Iot-onboarding] what can pinned-domain-cert actually pin?

"Owen Friel (ofriel)" <ofriel@cisco.com> Wed, 28 August 2019 22:29 UTC

Return-Path: <ofriel@cisco.com>
X-Original-To: iot-onboarding@ietfa.amsl.com
Delivered-To: iot-onboarding@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D844B1200E3 for <iot-onboarding@ietfa.amsl.com>; Wed, 28 Aug 2019 15:29:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=U+kLO0zS; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=Pw0swbIX
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pcLt_FdpefcN for <iot-onboarding@ietfa.amsl.com>; Wed, 28 Aug 2019 15:29:53 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4AF91200CD for <iot-onboarding@ietf.org>; Wed, 28 Aug 2019 15:29:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3978; q=dns/txt; s=iport; t=1567031392; x=1568240992; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=qjiRlYpgS4qTDOW79I17fouOQZHNF/VMVXj5XA38IoY=; b=U+kLO0zSpzVJ+gYMnTM5nB0l/hTLw3JXMmq/EZi2ceVrpuKp9hXSPW8f Ir/zoaw7eioaDCEL8Q13Oe5P0dxhL7qEGBJiGPOwKV9kmbE3RltCnZKgn 7ylTRwdfy+b5SfSiVuPfHt5DJsBJLnQObBY4C+49ejCeybvRFQxoGjiie U=;
IronPort-PHdr: =?us-ascii?q?9a23=3Aaa3i9R2k4J3H5oZssmDT+zVfbzU7u7jyIg8e44?= =?us-ascii?q?YmjLQLaKm44pD+JxGOt+51ggrPWoPWo7JfhuzavrqoeFRI4I3J8RVgOIdJSw?= =?us-ascii?q?dDjMwXmwI6B8vQDkPhLfPuRyc7B89FElRi+iLzPA=3D=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0DZBABI/2Zd/4ENJK1lHAEBAQQBAQc?= =?us-ascii?q?EAQGBVgQBAQsBgURQA21WIAQLKgqEF4NHA4pxGjOCD5UGgmSCUgNUCQEBAQw?= =?us-ascii?q?BASMKAgEBgUuCdAIXgjkjNwYOAgMIAQEEAQEBAgEGBG2FLgyFSgEBAQECARI?= =?us-ascii?q?REQwBATgEBwQCAQgRBAEBAQICJgICAjAVCAgCBAESCBqDATSBNgMODwEOois?= =?us-ascii?q?CgTiIYXOBMoJ8AQEFgTNRA4MEGIIWAwaBDCgBi1geGIFAP4ERRoJMPoF5giU?= =?us-ascii?q?ogwkygiaPIpxfCQKCHoZtjX6YWYozgzmHb5BCAgQCBAUCDgEBBYFmIoFYcBW?= =?us-ascii?q?DJ4JCCwEXg0+FFIU/chOBFos2gTABgSABAQ?=
X-IronPort-AV: E=Sophos;i="5.64,442,1559520000"; d="scan'208";a="402103422"
Received: from alln-core-9.cisco.com ([173.36.13.129]) by rcdn-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 28 Aug 2019 22:29:51 +0000
Received: from XCH-RCD-012.cisco.com (xch-rcd-012.cisco.com [173.37.102.22]) by alln-core-9.cisco.com (8.15.2/8.15.2) with ESMTPS id x7SMTptP006270 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 28 Aug 2019 22:29:51 GMT
Received: from xhs-aln-001.cisco.com (173.37.135.118) by XCH-RCD-012.cisco.com (173.37.102.22) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 28 Aug 2019 17:29:51 -0500
Received: from xhs-aln-001.cisco.com (173.37.135.118) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 28 Aug 2019 17:29:50 -0500
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Wed, 28 Aug 2019 17:29:50 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=E0zFiO/UjEjS8Ureu9CwjyfoBvudKibSpE/QgIFcr43cnmtTzZZAMiIuSPhdHliEj3bjZM24GipIX+R6D5SSJNnTemWP+W/p6CgTd1CQcq0nbmzy1VUIAxHPPYqhZpzO8HKV5LN2evWYKh5ltoRnEC4gle1l6twJOKyb+RjY8ZCdtRQ9kkWjw5LLUuE2eXQl3R36X/hJlsdpD3mHS6kTVsDDvZ2NeL7ZLdjtsNClW16+E+rLhodFBkRV564Jl+9kwtBRzJ0MLQsXA5NIsWIQIjOaFq9YcvgkXEncPzRxJATRwRUSWjvcGB2CGvjYluLXXrDkLfzXTipQe1p6WxV03w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=qjiRlYpgS4qTDOW79I17fouOQZHNF/VMVXj5XA38IoY=; b=CYQ++/w1E1nGAk0jbYhnXS2zx2cv8jfl5syY8YUdXReLIoyIbgdpCv60WyanBmNUSTC3Xovv/iZV0CgnSdsrA+SMf7PzcgjBfWwpJud0WrD4RXYueqyGtohbwzL3nIDEgZ25L1JU1TicjkVmHd1rrKAmmGzg0hFVhkZdoGZTev6s0DCTCjjCLyctO457WoEF8Jq/S4s1WiVbc5OVKMZcQDg+7b442q1Z0nTYh+37S+cY6pBR32BathPyYIDMjRHQ9mpx94FVL+hFcJnFMa7iOKzyyjdwWAibKMrJgfScf+sEbNsRXN+1bn2DyhnqWm3W8W2qly2ElfpbRAQaC5Xq9A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=qjiRlYpgS4qTDOW79I17fouOQZHNF/VMVXj5XA38IoY=; b=Pw0swbIXWa2dk2pF6MQnWRoR1QNDHNLnzymcF8mvdjtHSPuW8JsaiQCd/sazP6D9P4n1PQSeMRoDYdFu3EaoQSe7DsCtCzsH7f4TPwffrs8U7GVOwoESlcklRglx+xguW5cuJiTxzmWWwmk/ybRXPNCFn4rCQZr2U1KTTbGCsC8=
Received: from CY4PR1101MB2278.namprd11.prod.outlook.com (10.172.76.13) by CY4PR1101MB2198.namprd11.prod.outlook.com (10.172.78.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2199.19; Wed, 28 Aug 2019 22:29:49 +0000
Received: from CY4PR1101MB2278.namprd11.prod.outlook.com ([fe80::9098:374:9205:d0c4]) by CY4PR1101MB2278.namprd11.prod.outlook.com ([fe80::9098:374:9205:d0c4%5]) with mapi id 15.20.2199.021; Wed, 28 Aug 2019 22:29:49 +0000
From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>
Thread-Topic: [Iot-onboarding] what can pinned-domain-cert actually pin?
Thread-Index: AQHVXPTdRdfIG1V6k0+L04J9EcMpEqcPVJEAgADrXPCAAIPLgIAAWrWg
Date: Wed, 28 Aug 2019 22:29:48 +0000
Message-ID: <CY4PR1101MB22788341CC8F7D5EBB72C33EDBA30@CY4PR1101MB2278.namprd11.prod.outlook.com>
References: <2693.1566923418@localhost> <0100016cd46359e7-8c844438-dc7a-45df-9868-ba0957bcc89f-000000@email.amazonses.com> <CY4PR1101MB22782817AA5A55C3812A3EEFDBA30@CY4PR1101MB2278.namprd11.prod.outlook.com> <12883.1567010221@localhost>
In-Reply-To: <12883.1567010221@localhost>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ofriel@cisco.com;
x-originating-ip: [173.38.220.45]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 8cda8131-f1f1-497e-399f-08d72c073cab
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600166)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:CY4PR1101MB2198;
x-ms-traffictypediagnostic: CY4PR1101MB2198:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <CY4PR1101MB2198C80748404A435BBD066EDBA30@CY4PR1101MB2198.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:5236;
x-forefront-prvs: 014304E855
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(376002)(366004)(39860400002)(346002)(396003)(136003)(199004)(189003)(13464003)(25786009)(99286004)(3846002)(86362001)(55016002)(76116006)(6436002)(2501003)(14444005)(9686003)(66446008)(64756008)(53936002)(66556008)(66476007)(66946007)(45080400002)(478600001)(6116002)(229853002)(6246003)(966005)(14454004)(6306002)(305945005)(7696005)(446003)(11346002)(66574012)(76176011)(81156014)(316002)(81166006)(110136005)(2906002)(8676002)(7736002)(476003)(486006)(5660300002)(8936002)(102836004)(71190400001)(66066001)(53546011)(71200400001)(26005)(6506007)(256004)(74316002)(33656002)(52536014)(186003)(15398625002); DIR:OUT; SFP:1101; SCL:1; SRVR:CY4PR1101MB2198; H:CY4PR1101MB2278.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: zEx1CW3OrBUmmWBw42fVvuf+BoZOVPWiIsRnxXpdYpq2vMPZAdyOw1B6xhvTDHJ2BPFiwQZIISHdYafr3LW1IQSisvpOp+bS3yBR4VbMfqkQt3n6FUQj3lXPAXO8podQUSGIjlz6Lb5/abUQ5r2BY2TnnV85vIAaNIScXmVIlXZt8OL+3wcdyujggHCrUqQmjgqfs6AFY40ay7SjD799AKfMzbOeK7//ZyTjE+tUOPmIEu0lbiSkv11XtnbNxT1nDxgsgDwM40fN+CdV6k1vlen7dSLiKGewWENqctkuMrZ4Yozcs6n2WXmj8LBJ6exCcuwhluQIo+rmIzfytqQKZDv+13rNl3oq3K0JzHvBNbTrktSbZVJgCHuM8N9bbX1gmj6CX1/wXL6xP4sSW7Q969Ma5x5EGFdAzvIxiJlo1Kk=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 8cda8131-f1f1-497e-399f-08d72c073cab
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Aug 2019 22:29:48.8822 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: v8fWgTvO13sDYNHIskQ5K6ZFm75MwBAos/uKgiJs9Q+BqdgO579KXmsanEb1sLDOTcfjGtnDX9O1qCA4WM7Oyg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR1101MB2198
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.22, xch-rcd-012.cisco.com
X-Outbound-Node: alln-core-9.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/KGzIvWFpv-d_BkIx_yDyecjQ44w>
Subject: Re: [Iot-onboarding] what can pinned-domain-cert actually pin?
X-BeenThere: iot-onboarding@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-onboarding/>
List-Post: <mailto:iot-onboarding@ietf.org>
List-Help: <mailto:iot-onboarding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2019 22:29:55 -0000


> -----Original Message-----
> From: Iot-onboarding <iot-onboarding-bounces@ietf.org> On Behalf Of
> Michael Richardson
> Sent: 28 August 2019 17:37
> To: iot-onboarding@ietf.org
> Subject: Re: [Iot-onboarding] what can pinned-domain-cert actually pin?
> 
> 
> Kent wrote:
>     >> In SZTP, pinned-domain-cert is the long-lived TA to a potentially short-
> lived
>     >> "Owner Certificate".  In theory, the root of the pinned-domain-cert PKI
> could
>     >> be a public CA but, in practice (because public CAs don't issue long-lived
>     >> certs), it means that a private PKI needs to be used.  Due to the nature
> of
>     >> these PKIs NOT being used to secure TLS-based services, the need for
>     >> a public root TA isn't there, so no big deal.
> 
>     > What do you mean by long-lived? Public CAs can issue EE certs with
>     > expiration times up to 825 days as per
>     > https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-
> 1.6.5.pdf.. When
>     > thinking about pinned nonceless vouchers for thing onboarding, that's
>     > still pretty long. If pinning the EE cert, then the voucher is valid
>     > until the EE cert expires (assuming of course that the non-bootstrapped
>     > thing has an accurate trusted view of time). If the public CA root is
>     > pinned, then that 825 day limit doesn't matter as the public CA root
>     > will be long lived. E.g. Lets Encrypt ISRG Root X1 root expires in
>     > 2035, but if pinning that then we have the DNS-ID issue.
> 
> 1) LetsEncrypt does not issue 825 day certificates. (That's 2 1/4 years).
> 

I never said LE issued 825 day certs. CA/Brower forum allows public CAs to issue 825 day certs. LE is currently at 90.

> 2) I'm not worried about the LE key rolling, because the RFC8649 will likely
>    be used.
> 

I wouldn’t necessarily say so. Have any CA providers, whether public CAs or private CA implementations (e.g. Microsoft ADCS) committed to supporting this? I'm not aware of a single one that has. Plus, RFC8649 requires that the existing root CA includes the hash of the next root CA keys, meaning that when the existing LE root expires in 2035, then the next root CA could include the RFC8649 hash, and then the next root after that can be seamlessly rotated to. In like 2045. I hope to be long retired by then.

Regardless, LE root rotation is not at issue here. The issue is what happens if an operator wants to move from GoDaddy to LetsEncrypt. Either (i) all existing vouchers are dead or (ii) we need multiple pinned-domain-cert entries. And maybe (i) is fine and if an operator wants to change root CA providers, then the operator sucks it up and reissues all nonceless vouchers.

> 3) By Long Lived, I mean 10 to 30 years.
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
> 
>