IETF Logo Mail Archive

Re: [saag] Comment added to draft-gutmann-scep history

"Max Pritikin (pritikin)" <pritikin@cisco.com> Thu, 31 May 2018 22:40 UTC

Return-Path: <pritikin@cisco.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA4BF12E3AE; Thu, 31 May 2018 15:40:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iQnh8T_8vW5G; Thu, 31 May 2018 15:40:46 -0700 (PDT)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7888E13182A; Thu, 31 May 2018 15:40:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=13372; q=dns/txt; s=iport; t=1527806446; x=1529016046; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=pAcbZKnTDGM0id4pRFN6hZLDCXI8wVnKEU8KMMu4PnU=; b=kmgzaF2H2/LXgsHquFr5v76dL8D+MfnZkEVtOEWmTXieU05Bq8zFpjON PmdPh7nPgmK4MoMoqqheF5ycGDV+40MPRnZdDsXDKPCtnWRu7QHRCQSnp M9LmNXsmMSE0FMknWsVDforFnX73Zex708pdUICdjW+a+Cfz/o0UJ1i57 Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CmAADFeBBb/5hdJa1cGQEBAQEBAQEBAQEBAQcBAQEBAYNEYn8oCoNtiASMZYF5gQ+TPBSBZAsYDYRHAheBbSE0GAECAQEBAQEBAmwcDIUoAQEBAwEBARYLEToLBQsCAQgYAgImAgICJQsVEAIEDgWDIgKBdwgPpzaCHIhBgWMFgQqGMoEFghOBDySCaYMRAQECAQEWgS8BLYJpMIIkAoVEgWAlkSAJAoVqgliCaIM1gTyDdYJjhH+JcYZ9AhETAYEkHTiBUnAVOyoBghiCIBeIWYU+b40JB4EngRkBAQ
X-IronPort-AV: E=Sophos;i="5.49,464,1520899200"; d="scan'208";a="123168018"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by alln-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 31 May 2018 22:40:45 +0000
Received: from XCH-RCD-015.cisco.com (xch-rcd-015.cisco.com [173.37.102.25]) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id w4VMej8A026306 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 31 May 2018 22:40:45 GMT
Received: from xch-aln-013.cisco.com (173.36.7.23) by XCH-RCD-015.cisco.com (173.37.102.25) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Thu, 31 May 2018 17:40:44 -0500
Received: from xch-aln-013.cisco.com ([173.36.7.23]) by XCH-ALN-013.cisco.com ([173.36.7.23]) with mapi id 15.00.1320.000; Thu, 31 May 2018 17:40:44 -0500
From: "Max Pritikin (pritikin)" <pritikin@cisco.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
CC: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "draft-gutmann-scep@ietf.org" <draft-gutmann-scep@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] Comment added to draft-gutmann-scep history
Thread-Index: AQHTx0JalykNlRFNLEeHWmw80fOk66PxVi1qgCgcEDyADRoNAIAjv1MAgADagIA=
Date: Thu, 31 May 2018 22:40:44 +0000
Message-ID: <B6E084E5-9B9F-440F-8F2F-5BA7C2A68CEE@cisco.com>
References: <152231658869.24008.11321959845877039592.idtracker@ietfa.amsl.com> <1522887334433.4490@cs.auckland.ac.nz> <1525092187804.38190@cs.auckland.ac.nz> <682FEF03-A08D-40F7-9F25-4071B7A2143F@cisco.com> <2c8b2388-cf2c-ba87-0761-b7facd672426@isode.com>
In-Reply-To: <2c8b2388-cf2c-ba87-0761-b7facd672426@isode.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.99.106.4]
Content-Type: text/plain; charset="utf-8"
Content-ID: <9DA7B45083593247AEB6FCF775D2031C@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/IwR4OcXP5M0KFU2uNqotnr0C8pQ>
Subject: Re: [saag] Comment added to draft-gutmann-scep history
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 May 2018 22:40:50 -0000


> On May 31, 2018, at 3:38 AM, Alexey Melnikov <alexey.melnikov@isode.com> wrote:
> 
> Hi Max,
> 
> On 08/05/2018 18:44, Max Pritikin (pritikin) wrote:
>> 
>> To re-enforce a point peter is making inline: there are “errors” in how SCEP uses a number of HTTP fields, and “unclean” uses of unregistered MIME types and a bunch of other little things. What SCEP got right was simplicity. This allowed it to endure for 20yrs or so. 
>> 
>> Updating SCEP to modern understandings of how all this stuff should be used (while maintaining the simplicity) is why EST (RFC7030) exists. If SCEP had been an RFC I’d suggest that EST “obsoletes” it. 
>> 
>> I don’t see the value in updating all this stuff in SCEP at this point — despite agreeing with the concerns. Doing so would only create yet another new protocol in this already crowded space. I wouldn’t even begin to know how to explain all this to somebody new to the field.   
> 
> I understand that this exercise is mostly about documenting a protocol
> which was in use for a long time. So I don't expect SCEP to change on
> the wire. However I don't think publishing an RFC that seem to bless
> incorrect or outdated use of HTTP and MIME is a good idea. I would like
> to have very clear disclaimers in the document, either at the beginning
> or in specific cases where it deviates from best current practices. This
> is not a big ask and this is not hard to do.

You accurately summarize part of why the document is in the current state. “Informational” or “Historic” is a solid way to document when we “don’t expect SCEP to change on the wire” and to acknowledge that it isn’t up to snuff. It also provides that clear disclaimer you’re looking for. Strengthening the discussion to your point in s1 Introduction to recommend RFC7030 might go further. (Current language is “MAY”, which might not be as clear as you’re looking for). 

- max

> 
> Best Regards,
> Alexey
> 
>> - max
>> 
>>> On Apr 30, 2018, at 6:43 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
>>> 
>>> Apologies for the long delay in responding, I've been buried in other work.
>>> Also, I'm not sure who to send this to, I got notified via a do-not-reply
>>> address, I assume it goes to the SAAG list?
>>> 
>>> A general response to this, I didn't write this document so as with the
>>> previous review I'll have to say "it was like this when I got here" in several
>>> cases, I've left the original authors' text intact wherever possible but
>>> without rewriting half the doc in my own words I can't really defend a lot of
>>> the text because I didn't write it.
>>> 
>>> Also, some of the comments apply to things that have already been picked over
>>> and corrected.  What will happen if I start making alterations to the
>>> alterations?  Will it go to publication after that, or will it reset the
>>> counter back to requiring further changes if people object to the changes?
>>> I'm concerned that I'm going to get caught between two lots of editing
>>> changes, I tried to change/fix everything that people pointed out last time,
>>> but if I make more changes now it may end up undoing or changing the things
>>> that people wanted the last time round.
>>> 
>>>> 1) In general, the document is using several unregistered MIME types with
>>>> "x-" prefix:
>>>> 
>>>> application/x-x509-ca-cert
>>>> application/x-x509-ca-ra-cert
>>>> application/x-pki-message
>>>> application/x-x509-next-ca-cert
>>>> 
>>>> These should be registered in the IANA Considerations as per Appendix A of
>>>> RFC 6838.
>>> 
>>> Isn't the whole point of the x- type that it doesn't need to be, and indeed
>>> can't be, registered?  RFC 6838 says:
>>> 
>>> Types in this tree cannot be registered and are intended for use only with
>>> the active agreement of the parties exchanging them.
>>> 
>>>> application/x-x509-ca-cert
>>>> 
>>>> How is this different from application/pkix-cert registered in RFC 2585?
>>> 
>>> No idea, it was like that when I got here.  I assume one is a CA cert and the
>>> other isn't.
>>> 
>>>>  "GET" CGI-PATH CGI-PROG "?operation=GetCACaps"
>>>> 
>>>> This is not a correct ABNF (in case you intended to define a formal syntax
>>>> here) and this is not a correct HTTP request line. Please make it one or
>>>> another, or clarify somewhere syntax that you use.
>>> 
>>> What form should it be in?  It's been like this for close to twenty years, I
>>> just left what the original authors had put there in place, I honestly don't
>>> know what else to put in there.
>>> 
>>>> Also, I don't think CGI-PATH and CGI-PROG are significant for the request
>>> 
>>> They aren't, that's why I updated the text to mention this.  However everyone
>>> seems to use fixed values for these based on close to 20 years of draft use,
>>> so they're not used but their presence is required.
>>> 
>>>> Again, this is neither correct formal syntax nor correct HTTP requests.
>>> 
>>> Quite probably.  What should it say?
>>> 
>>>> Firstly, clients don't care about HTTP server using CGI, they just care about
>>>> knowing where to send SCEP requests.
>>> 
>>> Sure, that's why I said so in the updated draft, just hardcode in "/cgi-
>>> bin/pkiclient.exe" for compatibility with existing implementations.
>>> 
>>>> Secondly, hardcoded URI paths are in violation of RFC 7320. You can read more
>>>> on this in Section 4.4 of
>>>> 
>>>> <https://datatracker.ietf.org/doc/draft-ietf-httpbis-bcp56bis/?include_text=1>
>>> 
>>> SCEP predates RFC 7320 by 14-15 years, so it's a bit late to the party...
>>> 
>>>> I understand that this is a deployed protocol and the default path used is
>>>> unlikely to change. However, I don't think the document should pay so much
>>>> attention to use of CGI-PATH/CGI-PROG. My suggestion is: a) Remove any
>>>> reference to CGI-PROG/CGI-PATH from the document b) Replace the above section
>>>> with something like this:
>>> 
>>> See above, the text already says that it's only there for backwards
>>> compatibility.  I can change it to remove CGI-PROG/CGI-PATH if required, but
>>> I'm worried about this triggering another round of comments and editing,
>>> particularly since there are multiple places in the text that will require
>>> changes.
>>> 
>>>> 1) Missing references:
>>> 
>>> Are these really needed?  References to AES and SHA-2 and LDAP?  It's just
>>> going to add a lot of noise to the spec, will people really need to be given a
>>> reference to the AES spec in order to implement SCEP?
>>> 
>>>> 2) Should ACME work be mentioned in the Introduction?
>>> 
>>> There are quite a lot of cert-enrolment protocols, the original SCEP text only
>>> covers CMP and CMP which date from the same time as SCEP, I didn't want to get
>>> into a survey of other protocols because it'd be a long and somewhat tedious
>>> list.
>>> 
>>>> Clients shouldn't care whether or not SCEP is provided by a CGI program.
>>>> Please change this to "CA HTTP URL path" or "CA HTTP URI path".
>>> 
>>> See above about potential cascading changes throughout the text, I'd really
>>> prefer to just leave this stuff alone since it's worked OK for nearly 20
>>> years.
>>> 
>>>> How often and for how long should a client poll? Recommending some defaults
>>>> would be useful to set expectations.
>>> 
>>> I have no idea... I mean I literally have no idea, I don't know what
>>> implementations do in practice.  I know that in some cases with manual
>>> approval it can take hours, but I'm not sure if that's typical.  It could be
>>> seconds, minutes, hours...
>>> 
>>>> Why not "MUST NOT" and what are possible implications of violating the SHOULD
>>>> NOT?
>>> 
>>> Because some implementations may choose to parse at least a few common error
>>> strings.  They shouldn't, but they can if they want to.
>>> 
>>>> What does the last requirement actually mean? Is this describing order of
>>>> certificates or just saying that it is not an intermediate certificate?
>>> 
>>> It's saying that the leaf certificate in the chain is the issued certificate.
>>> 
>>>> So just to double check that I understood this correctly: the client is
>>>> generating a self-signed certificate B in order to retrieve its certificate A
>>>> signed by CA?
>>> 
>>> Yes.
>>> 
>>>> The last requirement is quite problematic for extensibility. I understand why
>>>> this sentence is there though. Are future extensions to SCEP likely?
>>> 
>>> Why is it problematic for extensibility?  What's returned is lines of text,
>>> you can add any further lines you like.
>>> 
>>>>  A SCEP CA is the entity that signs client certificates.  A CA MAY
>>>>  enforce any arbitrary policies and apply them to certificate
>>>>  requests, and MAY reject a request for any reason.
>>>> 
>>>> I think this is pretty much granted and doesn't need to be said, especially
>>>> the latter part.
>>> 
>>> This was something that previous people who commented on it requested, see my
>>> earlier comment about being caught between conflicting requests for changes.
>>> 
>>>> When referncing RFC 4648 you should specify the section number to avoid all
>>>> confusion. I assume you meant Section 4?
>>> 
>>> Yes, I've updated the text although it already points out that it's "base64"
>>> and not "base64url" that's used.
>>> 
>>> Peter.
>>> 
>>> _______________________________________________
>>> saag mailing list
>>> saag@ietf.org
>>> https://www.ietf.org/mailman/listinfo/saag
>> 
>> _______________________________________________
>> saag mailing list
>> saag@ietf.org
>> https://www.ietf.org/mailman/listinfo/saag
>> 
>

v2.23.0 | Report a Bug | By Email