[saag] Another AD review of draft-gutmann-scep-10
Alexey Melnikov <alexey.melnikov@isode.com> Thu, 15 March 2018 12:08 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E4D5127867; Thu, 15 Mar 2018 05:08:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P6mhjyUURSE1; Thu, 15 Mar 2018 05:08:32 -0700 (PDT)
Received: from waldorf.isode.com (waldorf.isode.com [62.232.206.188]) by ietfa.amsl.com (Postfix) with ESMTP id 2A7051241F3; Thu, 15 Mar 2018 05:08:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1521115711; d=isode.com; s=june2016; i=@isode.com; bh=CQnQgfbALHszuAG1x0jQiUlVVktT7hbda7XvAfqRfjw=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=AKh8biomsRmPQNWK8jRPPWpAWx3hRcf+OByGQpUcBolU5JMFtEt7dJ/xidtQTE6CN61Eqy TQOUR44Z3fKEgz8MitCPYh0fJc5BQsTefLgr1W4ux4y56kODdftk7JqtZVPSVAp6rDIqyJ sPv3+Z5YwXSUvP994lDdvTjpCh7Cu+I=;
Received: from [172.20.1.215] (dhcp-215.isode.net [172.20.1.215]) by waldorf.isode.com (submission channel) via TCP with ESMTPSA id <WqpiPgBV-LbI@waldorf.isode.com>; Thu, 15 Mar 2018 12:08:31 +0000
To: draft-gutmann-scep.notify@ietf.org
From: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: "saag@ietf.org" <saag@ietf.org>
Message-ID: <8251a239-4efe-9603-4b62-e792681a4310@isode.com>
Date: Thu, 15 Mar 2018 12:08:08 +0000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.2
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-GB
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/k9540IwNhp_9BW5etFAn9Jc9kj4>
Subject: [saag] Another AD review of draft-gutmann-scep-10
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Mar 2018 12:08:37 -0000
Hi, Kathleen passed AD-sponsorship of this document to me. So here is another review of the document: In general the document is quite readable and contains enough details to implement a SCEP client/server. However it is rather light on references. I don't think readers need to fallback to google in order to find them. (I identified some of the most important ones below). The document also violates several HTTP related conventions. I am glad that this document is Informational, as the bar for Standards Track is higher. Major issues: 1) In general, the document is using several unregistered MIME types with "x-" prefix: application/x-x509-ca-cert application/x-x509-ca-ra-cert application/x-pki-message application/x-x509-next-ca-cert These should be registered in the IANA Considerations as per Appendix A of RFC 6838. application/x-x509-ca-cert How is this different from application/pkix-cert registered in RFC 2585? 2) Use of CGI-PROG/CGI-PROG and hardcoded paths in general are problematic. More on this below: 3.5.1. GetCACaps HTTP Message Format This message requests capabilities from a CA, with the format: "GET" CGI-PATH CGI-PROG "?operation=GetCACaps" This is not a correct ABNF (in case you intended to define a formal syntax here) and this is not a correct HTTP request line. Please make it one or another, or clarify somewhere syntax that you use. Also, I don't think CGI-PATH and CGI-PROG are significant for the request 4.1. HTTP POST and GET Message Formats SCEP uses the HTTP "POST" and "GET" messages to exchange information with the CA. The following defines the syntax of HTTP POST and GET messages sent from a client to a CA: "POST" CGI-PATH CGI-PROG "?operation=" OPERATION "GET" CGI-PATH CGI-PROG "?operation=" OPERATION "&message=" MESSAGE Again, this is neither correct formal syntax nor correct HTTP requests. where: o CGI-PATH defines the path to invoke the CGI program that parses the request. o CGI-PROG is set to be the string "pkiclient.exe". This is intended to be the program that the CA will use to handle the SCEP transactions. o OPERATION depends on the SCEP transaction and is defined in the following sections. The CA will typically ignore CGI-PATH and/or CGI-PROG since it's unlikely to be issuing certificates via a web server. Clients SHOULD set CGI-PATH/CGI-PROG to the fixed string "/cgi-bin/pkiclient.exe" unless directed to do otherwise by the CA. The CA SHOULD ignore the CGI-PATH and CGI-PROG unless its precise format is critical to the CA's operation. Firstly, clients don't care about HTTP server using CGI, they just care about knowing where to send SCEP requests. Secondly, hardcoded URI paths are in violation of RFC 7320. You can read more on this in Section 4.4 of <https://datatracker.ietf.org/doc/draft-ietf-httpbis-bcp56bis/?include_text=1> I understand that this is a deployed protocol and the default path used is unlikely to change. However, I don't think the document should pay so much attention to use of CGI-PATH/CGI-PROG. My suggestion is: a) Remove any reference to CGI-PROG/CGI-PATH from the document b) Replace the above section with something like this: SCEP uses the HTTP "POST" and "GET" messages to exchange information with the CA. The following defines the syntax of HTTP POST and GET messages sent from a client to a CA: "POST " SCEP-PATH "?operation=" OPERATION " HTTP/1.1" "GET " SCEP-PATH "?operation=" OPERATION "&message=" MESSAGE " HTTP/1.1" where: o SCEP-PATH is the HTTP URL path for accessing CA o OPERATION depends on the SCEP transaction and is defined in the following sections. Clients SHOULD set SCEP-PATH to the fixed string "/cgi-bin/pkiclient.exe" unless directed to do otherwise by the CA. Minor: 1) Missing references: The first mention of X.509 certificate needs a Normative Reference to RFC 5280. The first mentions of SHA-256, AES and AES128-CBC need Normative References, as these are mandatory to implement. The first mention of LDAP needs an Informative Reference to RFC 4510. In Section 3.3.3: ASN.1 syntax needs to be a Normative Reference, as you define a new structure using ASN.1 syntax. 2) Should ACME work be mentioned in the Introduction? 3) 2.1.1. Client A client MUST have the following information locally configured: 1. The CA fully qualified domain name or IP address. 2. The CA HTTP CGI script path (this usually has a default value, see Section 4.1). Clients shouldn't care whether or not SCEP is provided by a CGI program. Please change this to "CA HTTP URL path" or "CA HTTP URI path". 4) 2.5. Certificate Enrolment/Renewal If the CA returns a CertRep message (Section 3.3.2) with status set to PENDING, the client enters into polling mode by periodically sending a CertPoll message (Section 3.3.3) to the CA until the CA operator completes the manual authentication (approving or denying the request). How often and for how long should a client poll? Recommending some defaults would be useful to set expectations. 5) 3.2.1.4. failInfo and failInfoText The failInfoText is a free-form UTF-8 text string that provides further information in the case of pkiStatus = FAILURE. In particular it may be used to provide details on why a certificate request was not granted that go beyond what's provided by the near- universal failInfo = badRequest status. Since this is a free-form text string intended for interpretation by humans, implementations SHOULD NOT assume that it has any type of machine-processable content. Why not "MUST NOT" and what are possible implications of violating the SHOULD NOT? 6) 3.3.2.1. CertRep SUCCESS In the table for "PKCSReq" (and similar text for GetCert): The reply MUST contain at least the issued certificate in the certificates field of the Signed-Data. The reply MAY contain additional certificates, but the issued certificate MUST be the leaf certificate. What does the last requirement actually mean? Is this describing order of certificates or just saying that it is not an intermediate certificate? 7) 3.3.4. GetCert and GetCRL A self-signed certificate MAY be used in the signed envelope. This enables the client to request their own certificate if they were unable to store it previously. So just to double check that I understood this correctly: the client is generating a self-signed certificate B in order to retrieve its certificate A signed by CA? 8) 3.5.2. CA Capabilities Response Format Near the bottom of page 24: The Content-type of the reply SHOULD be "text/plain". Clients SHOULD ignore the Content-type, as older implementations of SCEP may send various Content-types. The last requirement is quite problematic for extensibility. I understand why this sentence is there though. Are future extensions to SCEP likely? Nits: 1) 2.1.2. Certificate Authority A SCEP CA is the entity that signs client certificates. A CA MAY enforce any arbitrary policies and apply them to certificate requests, and MAY reject a request for any reason. I think this is pretty much granted and doesn't need to be said, especially the latter part. 2) In Section 3.3.3: s/od/of 3) In Section 4.1, last paragraph: When using GET messages to communicate binary data, base64 encoding as specified in [2] MUST be used. When referncing RFC 4648 you should specify the section number to avoid all confusion. I assume you meant Section 4? The base64 encoded data is distinct from "base64url" and may contain URI reserved characters, thus it MUST be escaped as specified in [8] in addition to being base64 encoded. Finally, the encoded data is inserted into the MESSAGE portion of the HTTP GET request. Best Regards, Alexey
- [saag] Another AD review of draft-gutmann-scep-10 Alexey Melnikov