Re: [Iotops] [Acme] Fwd: New Version Notification for draft-sweet-iot-acme-04.txt
Amir Omidi <amir@aaomidi.com> Wed, 02 August 2023 16:50 UTC
Return-Path: <amir@aaomidi.com>
X-Original-To: iotops@ietfa.amsl.com
Delivered-To: iotops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F5ABC151AF8 for <iotops@ietfa.amsl.com>; Wed, 2 Aug 2023 09:50:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aaomidi.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NezeBEspfNjU for <iotops@ietfa.amsl.com>; Wed, 2 Aug 2023 09:50:25 -0700 (PDT)
Received: from mail-oa1-x33.google.com (mail-oa1-x33.google.com [IPv6:2001:4860:4864:20::33]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9CC33C1526F4 for <iotops@ietf.org>; Wed, 2 Aug 2023 09:49:52 -0700 (PDT)
Received: by mail-oa1-x33.google.com with SMTP id 586e51a60fabf-1bf54f415afso476310fac.3 for <iotops@ietf.org>; Wed, 02 Aug 2023 09:49:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aaomidi.com; s=google; t=1690994991; x=1691599791; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=kFgFYqYeVqIQeoXnqXZ9d9vMHiHybPI7rXSEzh+aXV4=; b=ODqCBf5fyMszFmKSLmelBdvBEjcfuGyHpQBZCbpgcsezFL23s6EkXwG7XBNhtCbAr+ +U7rUz778VJbHXXZNdwPPaMpALCSuDpEoZP2IFGlbQ2Y0r8YavTR0H1AQaNUJWzjrq2F TFcKJOBjkjxiQrLrM5ArhTbDrcPAEesh5NJalMHMzHeENUQaYySxS2xNBAwwECO45umH o5Te0BAjfa4CGXXTa3gfXQD2y+C2xqO5e9e7gY7Zvii8OLUved9OKVGFxuUOTZGJY3w6 c8SitlyZrXyGRVBTaWqsuZZanMZ5KZqGHqJJvo4lm3l63qAkFXi/reQSKDBe4yKQiim+ CrEw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1690994991; x=1691599791; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=kFgFYqYeVqIQeoXnqXZ9d9vMHiHybPI7rXSEzh+aXV4=; b=II/KctUK9MoHERUPZhPqFobDs1cCoyEx1NjppKhDF1tSnSiMa/27ScOTsuv2mfkbWy od/U5r0IiWE8pOROI8fApsDILWl+Jz2Y8p0hEHnjEIcb54s5QgpqZD4ajN5fOlbqtgnG BQXD4QrlTbLq512Z2uU7N0pM0JMvIkQ1Jq5yHgALocLhrAk9kaeE1B7NJ+AS8cY3wvTa ZBkRWlktznf3axttcZO364vjFv+MDWQ8TkLitIhloNFpp7pSqDGGqju/M+1YhwLGetdB rWu6onXpgnsR5fvwKkpFmz9wLbhWflNNrj9PHRi5Q2w5KZ+4xr3kj6rUv6/C3CQBGhWB cbyw==
X-Gm-Message-State: ABy/qLYMJivGW3goRl59PIpo2lvoKzSy4n66UVHk6MULq4EC1paQDevR ib1nL6not0pGeLU3dHun+o+mKFerl1GSdpuc5DDAfqonx19ZPZhuPFGXyQ==
X-Google-Smtp-Source: APBJJlHECp09l8crz6AoRrhBKExYpeOAOZzBIxq5GZNQj9wg3OA07KX5YXJijde+YB7VRQR0fBLv/Rw6UQQg+NMdwoc=
X-Received: by 2002:a05:6870:6488:b0:1be:f7d9:c0df with SMTP id cz8-20020a056870648800b001bef7d9c0dfmr8613066oab.10.1690994990696; Wed, 02 Aug 2023 09:49:50 -0700 (PDT)
MIME-Version: 1.0
References: <169099211414.11957.13218136675686326535@ietfa.amsl.com> <C33D08FE-DB2A-4319-9FCD-45B6C2379D55@msweet.org>
In-Reply-To: <C33D08FE-DB2A-4319-9FCD-45B6C2379D55@msweet.org>
From: Amir Omidi <amir@aaomidi.com>
Date: Wed, 02 Aug 2023 12:49:39 -0400
Message-ID: <CAOG=JU+Mp5SrP2mxeG==tRd+b9LLw3+KU3YcA7Dkx4yuk_G6Bg@mail.gmail.com>
To: Michael Sweet <msweet=40msweet.org@dmarc.ietf.org>
Cc: IOTOPS Working Group <iotops@ietf.org>, acme@ietf.org, PWG IPP Workgroup <ipp@pwg.org>
Content-Type: multipart/alternative; boundary="000000000000bce73d0601f3734a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/2L8mFCuFz5z1Ca4C1Ra6QP7AnV0>
Subject: Re: [Iotops] [Acme] Fwd: New Version Notification for draft-sweet-iot-acme-04.txt
X-BeenThere: iotops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IOT Operations <iotops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iotops>, <mailto:iotops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iotops/>
List-Post: <mailto:iotops@ietf.org>
List-Help: <mailto:iotops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iotops>, <mailto:iotops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Aug 2023 16:50:28 -0000
This seems very interesting! I would love a good mechanism for local certificates, even just in basic development. A couple of points of feedback: 1) Name constraints on the root: https://www.ietf.org/archive/id/draft-sweet-iot-acme-04.html#name-root-ca-certificate I'd recommend specifying that the root should be generated with name constraints for `.local` and whatever IP space that's being used. More name constraints can be used if the root is also going to do things like local smime. 2) Restricting key types, etc: https://www.ietf.org/archive/id/draft-sweet-iot-acme-04.html#name-root-ca-certificate I'm not sure if it makes sense to create this restriction here. Especially with PQ coming up, it might be a good idea to recommend a few specific curves/methods, but not require that those are the only ones to be used. 3) Handling Revocation: https://www.ietf.org/archive/id/draft-sweet-iot-acme-04.html#name-revocation-and-reissuance-r It might be useful to specify if OCSP/CRLs/Some other mechanism will be used here. 4) Revoking old mDNS names: https://www.ietf.org/archive/id/draft-sweet-iot-acme-04.html#name-mdns-domain-name-collisions For a device to revoke all of the old mDNS names, I think since the name has changed, it must use the ACME account revocation method. I think it might be useful to define that the account key should be stored on the client device so it can do this operation. Alternatively, a device coming onto the network can check to see if there are any certificates with its mDNS name that it doesn't know about, and revoke those? 5) Client device trust on first use: https://www.ietf.org/archive/id/draft-sweet-iot-acme-04.html#name-client-device-configuration I'm not sure how I feel about a client (say, my laptop) just trusting a root that's on the network with no input from me. Maybe some language on that if the client is an interactive client, it should somehow inform the user? And a client MUST reject a certificate that doesn't utilize name constraints as mentioned in #1. 6) nit: Key protection: https://www.ietf.org/archive/id/draft-sweet-iot-acme-04.html#section-4.10 Language here somewhat implies that it's okay for a client's key to somehow end up on the server. I don't believe that's the intention. Some clarifying language here may help. 7) Validity of certificates: https://www.ietf.org/archive/id/draft-sweet-iot-acme-04.html#name-iot-device-certificates I would recommend significantly reducing the validity of these certificates. In a local-only situation, a validity period of more than, say 14 days does not seem worth it here. If you could justify bringing that number to ~7 days, then you can probably ignore the complexity of revocation as well due to the caching of OCSP/CRLs. Thank you! On Wed, Aug 2, 2023 at 12:09 PM Michael Sweet <msweet= 40msweet.org@dmarc.ietf.org> wrote: > All, > > This version addresses the feedback I've received since IETF-116, namely: > > - Using the ACME server's root certificate as the network identifier > - Highlighting where/how this fits with secure network connection > - Clarifying the trust model > - Adding security considerations WRT key material > > As always, feedback and questions are appreciated! > > > Begin forwarded message: > > *From: *internet-drafts@ietf.org > *Subject: **New Version Notification for draft-sweet-iot-acme-04.txt* > *Date: *August 2, 2023 at 12:01:54 PM EDT > *To: *"Michael Sweet" <msweet@msweet.org> > > > A new version of I-D, draft-sweet-iot-acme-04.txt > has been successfully submitted by Michael Sweet and posted to the > IETF repository. > > Name: draft-sweet-iot-acme > Revision: 04 > Title: ACME-Based Provisioning of IoT Devices > Document date: 2023-08-02 > Group: Individual Submission > Pages: 13 > URL: > https://www.ietf.org/archive/id/draft-sweet-iot-acme-04.txt > Status: https://datatracker.ietf.org/doc/draft-sweet-iot-acme/ > Html: > https://www.ietf.org/archive/id/draft-sweet-iot-acme-04.html > Htmlized: https://datatracker.ietf.org/doc/html/draft-sweet-iot-acme > Diff: > https://author-tools.ietf.org/iddiff?url2=draft-sweet-iot-acme-04 > > Abstract: > This document extends the Automatic Certificate Management > Environment (ACME) [RFC8555] to provision X.509 certificates for > local Internet of Things (IoT) devices that are accepted by existing > web browsers and other software running on End User client devices. > > > > > The IETF Secretariat > > > > ________________________ > Michael Sweet > > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme >
- [Iotops] Fwd: New Version Notification for draft-… Michael Sweet
- Re: [Iotops] [Acme] Fwd: New Version Notification… Amir Omidi
- Re: [Iotops] [Acme] Fwd: New Version Notification… Michael Sweet
- Re: [Iotops] [Acme] Fwd: New Version Notification… Carl Wallace
- Re: [Iotops] [Acme] New Version Notification for … Michael Sweet