Re: [Secdispatch] IETF 102: draft-sheffer-acme-star-request for consideration
Michael Richardson <mcr+ietf@sandelman.ca> Sat, 07 July 2018 17:20 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 021E8130E82; Sat, 7 Jul 2018 10:20:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id usaDC5yqtJJc; Sat, 7 Jul 2018 10:20:54 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99351126CC7; Sat, 7 Jul 2018 10:20:54 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 5F6EE20091; Sat, 7 Jul 2018 13:36:06 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id AE34D2677; Sat, 7 Jul 2018 13:17:39 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id AB2F02674; Sat, 7 Jul 2018 13:17:39 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
cc: secdispatch@ietf.org, draft-sheffer-acme-star-request@ietf.org
In-Reply-To: <68049d34-4403-bc28-c691-5f14bf2c0ab0@gmail.com>
References: <68049d34-4403-bc28-c691-5f14bf2c0ab0@gmail.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha1"; protocol="application/pgp-signature"
Date: Sat, 07 Jul 2018 13:17:39 -0400
Message-ID: <17777.1530983859@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/gilzzeLxmSDt0n8CqSZYG7BYs1s>
Subject: Re: [Secdispatch] IETF 102: draft-sheffer-acme-star-request for consideration
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Jul 2018 17:20:56 -0000
I have read draft-sheffer-acme-star-request. I am probably more ignorant of ACME that I should be, but the part where: The CA automatically re-issues the certificate (using the same CSR) before it expires and publishes it to the URL that the NDC has come to know at the end of the bootstrap phase. seems to be new functionality required from the ACME CA, and therefore this really is an extension to ACME. The document would seem to belong in ACME. When I started reading, I thought that the IdO would be in charge of asking the CA to renew. In that way, the IdO was completely (actively) in control of when/if the certificate would renew, and that a failure of the IdO (an omission) to do so would stop the process. Instead, I read that the IdO must cancel the renewal (a commission), and to do so it has to remember the Order ID. section 3.1.1, "the client" was ambiguous and hard for me to sort out. HTTPS is assumed between the STAR Client and STAR Proxy, and the ability for the STAR Client to connect to the STAR Proxy. I was thinking about how I'd want to run this, and the ability to just put some files in a directory and rely upon an rsync (over ssh) has some appeal to me, assuming that rsync was used to populate the contents of the CDN running on the STAR Proxy. I am particularly pleased with "4.1. Multiple Parallel Delegates", as it not only makes it easy to do, but it also makes it clear the CA deals with the IdO only. The CA is going to have to be willing to issue parallel certificates to the name cdn.example.com. This is yet another implicit requirement upon an ACME CA. It would be nice to have a section "Implications/Requirements for ACME CAs" (I am also thinking about how this may apply to ANIMA ANI certificate renewal needs) -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- Re: [Secdispatch] IETF 102: draft-sheffer-acme-st… Yaron Sheffer
- Re: [Secdispatch] IETF 102: draft-sheffer-acme-st… Michael Richardson
- [Secdispatch] IETF 102: draft-sheffer-acme-star-r… Yaron Sheffer
- Re: [Secdispatch] IETF 102: draft-sheffer-acme-st… Melinda Shore