Re: [Iot-onboarding] [Anima] EST CACerts and Pinned Domain Certificate

Esko Dijk <esko.dijk@iotconsultancy.nl> Tue, 24 March 2020 14:33 UTC

Return-Path: <esko.dijk@iotconsultancy.nl>
X-Original-To: iot-onboarding@ietfa.amsl.com
Delivered-To: iot-onboarding@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3359F3A0819; Tue, 24 Mar 2020 07:33:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level:
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iotconsultancynl.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QVQ25JIG-0go; Tue, 24 Mar 2020 07:33:37 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80139.outbound.protection.outlook.com [40.107.8.139]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B75873A07FE; Tue, 24 Mar 2020 07:33:35 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XT6+IsWjnBBQeJcEswC1BqMup8zz9IFIpwRd0oj8Sp+exUmqbg5r5fCAMHqK1OOZPoQVi87kaiErGuNjzFlPMBdZVZH2xykZ0z0j/iqEgALU8M+eQ6FqG3MzWQSe7o2QgTS1XFd5Gh+dGf01MRcnjRSgBFCI52+JiCLPOg25BzmtzKtPT3QUITDe8GaoWLTl0WWyAJn9Cxy6sTCGaV1G3oYSdDGq80YUoWCpE4wR43PZjHYoE8AvY8g4N/3vV9d9zXwghpaGcKW3UQbT8Oxefhib8i5U6ie0HFnRggrZy06q3UOOT/TUltvcG5+Dzbt25ilNG+uuFxoG2RArjXrwhw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ebR/Thqu1tEoc77Fc4BGobgAIQCJqH220ptlfltZS+Y=; b=cAScG8T17L2lHXREvWCscLkLQtgM59tRvvZcTn5TPLBBEUQthKTmqcAE0rjn2uyEgL+8BEWp76uj1sJdzPfktM4zE4fo1EvnLsiim1mqQjkEEin62kH1H94AXz490YQ0ECKL1d7HHd+Giuf4qTBdwN08LEw3eUHbCKTLlsLVyIpd1wTCw4jiizUqVG6ZUtrLHLQB4jXHAxrIJVubJaFOUlAwbqQKNaWAoI5+9E17tsmnaSGT7ipAezfLsdVbGV0/DmOgRxJfBJroyPiExkTFjnBbA0t52AQ3aFvJWj/CNmNpcmLErlEDaQSxNcLQsk1xnRD3Gs8+UZVi3faT5CDBag==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=iotconsultancy.nl; dmarc=pass action=none header.from=iotconsultancy.nl; dkim=pass header.d=iotconsultancy.nl; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iotconsultancynl.onmicrosoft.com; s=selector2-iotconsultancynl-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ebR/Thqu1tEoc77Fc4BGobgAIQCJqH220ptlfltZS+Y=; b=XyRoOGVN5SY0u1IeIW8LfXpbo395Nu0PzwDQrBbY+ZU49+xgtbBMRZMCPniye10t8QEtqTRXs0rgN5Ld5Vr9I2M0HOpKRT0I+u4vNfA4Z2QkYW1GusGjqIk/t5QlWSKQ6zIpg0nWFmDpgDr4gFLNU0yrSvafQrkAADss/Gmw36o=
Received: from AM5P190MB0275.EURP190.PROD.OUTLOOK.COM (10.161.62.28) by AM5P190MB0449.EURP190.PROD.OUTLOOK.COM (10.161.64.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2835.20; Tue, 24 Mar 2020 14:33:33 +0000
Received: from AM5P190MB0275.EURP190.PROD.OUTLOOK.COM ([fe80::8c96:a66b:e170:bf8f]) by AM5P190MB0275.EURP190.PROD.OUTLOOK.COM ([fe80::8c96:a66b:e170:bf8f%3]) with mapi id 15.20.2835.021; Tue, 24 Mar 2020 14:33:33 +0000
From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: Eliot Lear <lear@cisco.com>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, "M. Ranganathan" <mranga@gmail.com>, "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>, "anima@ietf.org" <anima@ietf.org>
Thread-Topic: [Anima] [Iot-onboarding] EST CACerts and Pinned Domain Certificate
Thread-Index: AQHWAUjw+3yyVzF7skSS+DuZl7ARm6hXsPmwgAAR4wCAAAlJcA==
Date: Tue, 24 Mar 2020 14:33:33 +0000
Message-ID: <AM5P190MB0275A293D0DD55801492D155FDF10@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM>
References: <CAHiu4JO93swur42mT7rjhGTouVhefjjXftHJi=4Bnpk=t_aV-Q@mail.gmail.com> <30498.1584991523@localhost> <AM5P190MB0275693D588858FA230BE113FDF10@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <64FF468B-A4DB-42C6-8462-F08BABA80127@cisco.com>
In-Reply-To: <64FF468B-A4DB-42C6-8462-F08BABA80127@cisco.com>
Accept-Language: en-US, nl-NL
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=esko.dijk@iotconsultancy.nl;
x-originating-ip: [85.147.167.236]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b98e3a43-5156-443d-a6dc-08d7d000549f
x-ms-traffictypediagnostic: AM5P190MB0449:
x-microsoft-antispam-prvs: <AM5P190MB0449622AAF45106E7A232B4BFDF10@AM5P190MB0449.EURP190.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 03524FBD26
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(39830400003)(346002)(376002)(396003)(136003)(6506007)(8676002)(81156014)(26005)(5660300002)(86362001)(7696005)(52536014)(53546011)(8936002)(71200400001)(9686003)(81166006)(44832011)(66946007)(76116006)(54906003)(2906002)(9326002)(66446008)(55016002)(33656002)(4326008)(66476007)(6916009)(66556008)(508600001)(316002)(186003)(64756008); DIR:OUT; SFP:1102; SCL:1; SRVR:AM5P190MB0449; H:AM5P190MB0275.EURP190.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords;
received-spf: None (protection.outlook.com: iotconsultancy.nl does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: y9S5GzawPyCxtTLjbfnYumwoX2Kf1NRcQdMEKBVSdUyGuTGRr+iC8mBSc9zJpDv5QpuaZuRCHk/fJzyYUprU7xYVjsDGhTPvY1wn+FV9FRzO8ybueUDzJf0owg2Bidairrik5VZIShRJQEpp1P02xaVETC2X8sERNz9aHCtfQP1eYpGBCoaGuY7iIOv3cTLRZ6BF7omMddKFu44OLQEzm4UsmJnDiU/RxMQVR2ZzQVLnkI8p2bKNzVTwBskYGdl+6sO2AxaeeDIfrN41UQRt0jRwWNIBVPOM4CdE3J+rhhaoAVviNFRueRiFhEF4VduIv7q5XIeu7mtNtVgQ3RYkEQxS0iVL8cV3V9UTHXBG7WK9RqxQCK+mPPKRfD6KUSlZRNsCcu/2pefNVXloyZf38bPxDK6RdGMwiFREZGC0Jbbuut19aaic0podu6PiL9qn
x-ms-exchange-antispam-messagedata: /fQ2DUEDOxyOAVV2ZlwgaeTMEmaYPvWCMPUfmPwbuLaOMatWJdcbP0NvnZ6veGJ918RxQXAADjIFBoSm27rDfVFe2pVwZos42/TpLyPqERl6CuUJMmuZroVn+ketdjvGB02o7QNhrHXvJR7UwMa94Q==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AM5P190MB0275A293D0DD55801492D155FDF10AM5P190MB0275EURP_"
MIME-Version: 1.0
X-OriginatorOrg: iotconsultancy.nl
X-MS-Exchange-CrossTenant-Network-Message-Id: b98e3a43-5156-443d-a6dc-08d7d000549f
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Mar 2020 14:33:33.3532 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 58bbf628-15d2-46bc-820b-863b6774d44b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: L54rtOxGdLTzwIERjRlGfGfPFBtej5JxpPRuNcQ46FAmiLrgd24juqigHutpw8B980R+W5NzjRP9LqNivY9jGNjHnXI9KlpPJ+R0P4yZtrE=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5P190MB0449
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/OqzfDIGkbKVE4ATSULOXigGkjJk>
Subject: Re: [Iot-onboarding] [Anima] EST CACerts and Pinned Domain Certificate
X-BeenThere: iot-onboarding@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-onboarding/>
List-Post: <mailto:iot-onboarding@ietf.org>
List-Help: <mailto:iot-onboarding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Mar 2020 14:33:41 -0000

Hi Eliot,

You mention:

> But this to me seems like a misconfiguration, because RFC 7030 states in Section 4.1.3:
>    The EST server MUST include the current root CA certificate in the
>    response.

That requirement in 7030 doesn’t really help to answer the question in case that the EST server’s CA certificate is a subordinate CA of the root CA. Sure, the root CA (self-signed) must be included. But what if the pinned-domain-cert is a subordinate CA cert (Domain CA cert) which is not the root CA? Then it is not clear from 7030 text alone if that Domain CA cert should be included or not.  Having a subordinate CA cert seems to me a valid case also – i.e. the Registrar pins its own CA cert that is also used for its EST server as a CA that signs the operational certs. If a Pledge performs the EST CA Certificates Request, it will get e.g. the EST CA cert plus a self-signed root CA cert for the Domain. The EST CA cert is in this case the pinned-domain-cert, and it is a Domain CA cert, but not necessarily *the* Domain CA root cert.

Esko

From: Eliot Lear <lear@cisco.com>
Sent: Tuesday, March 24, 2020 14:47
To: Esko Dijk <esko.dijk@iotconsultancy.nl>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>ca>; M. Ranganathan <mranga@gmail.com>om>; iot-onboarding@ietf.org; anima@ietf.org
Subject: Re: [Anima] [Iot-onboarding] EST CACerts and Pinned Domain Certificate

Hi Esko


On 24 Mar 2020, at 14:08, Esko Dijk <esko.dijk@iotconsultancy.nl<mailto:esko.dijk@iotconsultancy.nl>> wrote:

Hello Michael,

Looking at text in 5.6.2 of BRSKI:

  The 'pinned-domain-cert' is not a
  complete distribution of the [RFC7030] section 4.1.3 CA Certificate
  Response, which is an additional justification for the recommendation
  to proceed with EST key management operations.  Once a full CA
  Certificate Response is obtained it is more authoritative for the
  domain than the limited 'pinned-domain-cert' response.

Which basically says that the Domain CA cert (that is present as 'pinned-domain-cert') is a sort of partial response to the CA Certificates Response of EST.

The primary purpose of the pinned-domain-cert is to validate the previously established TLS connection.


So, the Domain CA cert must be included in the full CA Certificate Response.
Suppose the full response does not contain Domain CA cert. If the Pledge receives the full response and - as stated in above text - replaces the limited response (with Domain CA) with the more authoritative full response (without Domain CA cert) then it would have to discard its Domain CA cert! That's not wanted in this case. So from this I would conclude that Domain CA cert needs to be in the (full) CA Certificates Response of EST.

But this to me seems like a misconfiguration, because RFC 7030 states in Section 4.1.3:


   The EST server MUST include the current root CA certificate in the

   response.




Another angle to consider is the following: by design, the pinned-domain-cert is in BRSKI a Domain CA cert (i.e. it must be a CA). Why would any CA certificate not be included in the list of CA certificates, that is given by the CA Certificates Response?

Why, indeed!



Third, in Section 5.9.1.:

  The pledge SHOULD request the full EST Distribution of CA Certificates message.  See RFC7030, section 4.1.
  This ensures that the pledge has the complete set of current CA
  certificates beyond the pinned-domain-cert

This suggests that pinned-domain-cert is part of the complete set of current CA certificates.

Right.



RFC 7030 is not fully clear to me regarding our question - there are requirements on what should be included in the message; let's assume that the EST server certificate is a subordinate CA; then the RFC states in 4.1.3:

  if the EST CA is
  a subordinate CA, then all the appropriate subordinate CA
  certificates necessary to build a chain to the root EST CA are
  included in the response.

It is unclear if the EST CA's own certificate must be included or not in order to build the chain. In other words if the chain is X (subordinate CA) -> Y (subordinate CA) -> Z (root CA) then does it include only Y / Z or all of X / Y / Z ?

I agree that there is some ambiguity here, but because this amounts to a privileged operation on the device, and we are not using X to validate the current connection during the EST part of the transaction, it is safe to include it.  It’s all a matter of what happens next.  Now you have X in your store, chained to Y and Z, both also in your store.  TLS and DTLS should not blow up because the intermediate certificate is present in the store, even if it is presented in the HELLO.  The question is what happens if X and Y are not present in a normal HELLO.  TLS 1.3 says that’s ok.  But I’m not convinced that’s a good idea.




Still, overall it would be strange to exclude Domain CA, as it is part of the full set of CA certificates, and because the "full response" would replace the single pinned Domain CA cert as indicated in BRSKI.

But see above.

Eliot