IETF Logo Mail Archive

Re: [Secdispatch] IETF 102: draft-sheffer-acme-star-request for consideration

Yaron Sheffer <yaronf.ietf@gmail.com> Sat, 07 July 2018 21:20 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1C58130DC3; Sat, 7 Jul 2018 14:20:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nz-KvS80qQDe; Sat, 7 Jul 2018 14:20:25 -0700 (PDT)
Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com [IPv6:2a00:1450:4864:20::42a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2612312F1A2; Sat, 7 Jul 2018 14:20:25 -0700 (PDT)
Received: by mail-wr1-x42a.google.com with SMTP id h10-v6so7223188wre.6; Sat, 07 Jul 2018 14:20:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=ybNZx12iw79L9VUU4Jeo9tmw4ku27W6XszDPEpiNbjE=; b=HlJRnv2E9fBLB4SKDOkC6/Y2D61BXJx299omwJ6yjZZ2jUTK8IynpvDwKTzHfsn6N1 xhkI0SfAjGfqFgap9sXLG0fgAwI190QscJB4Y08gTjxOD105vKyHTCfkkhvA3xO17/h0 W25w0voGYq1B0sliSNE2hr+cmz/vZmxZlhuYN+NXV92X+utbZdQrCvMXPQ+4ua2Rj4OU 1JvWPIZxBsBPq0Ke9z9IXSdSCRfx66j9j1WgXeotM4rfOg7ejLCt14Y/fs1je9URsZMp ONzbj4Iq5OYinYdBgZL8mRdZIp26deJ4t+gbSeKHo92jM7JDfosWHwdl8fyVLDe+m0Ku n4lA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=ybNZx12iw79L9VUU4Jeo9tmw4ku27W6XszDPEpiNbjE=; b=MrCfHluhgiQ+Rmsvjjyrzvca5GrzvgWlaIxOTBM/EEJ1sU2ZHvbjByc5rY2WKAXy7M K/oPmseLbB7vJBwRpSbZfNlYDwg6AoaCnjmGXS7Bkz0KLEu1+AK+nntxg/vqt+EaXP2S /F/XQ18gxG9w6nKJYZgpccUkCtpgtGR4mtJj+hi3nvSoBD+8g0wvKpgfW9KJduBzosLd HBeL4IvMkRl+MxINqhVYoMvjV507bmsjOoYVszKzPc+XJ5Aax9YG/zKt+tOw8TBJP7la ncITCl23oXVXZ3j/7p5rnaKnQLzeS3NeovOXGvP2ow4U9oUCxWxXiTPRGwiQKl8ADTb5 L/ug==
X-Gm-Message-State: APt69E3U9CKMmZvazt2is4+VbWLB22HiG0rlpX8E9T89VxLusueU17HE C2XWpDV1vUllpvVs4KTquqD79S6Q
X-Google-Smtp-Source: AAOMgpeyZX33Rpz0k2McQRNazU6MzyRtIJXbj1QrJjDDOCNgvAQEidqPvMccGKZ7d8e0XcANIZaI2g==
X-Received: by 2002:a5d:6250:: with SMTP id m16-v6mr11460662wrv.179.1530998423341; Sat, 07 Jul 2018 14:20:23 -0700 (PDT)
Received: from [10.0.0.143] (bzq-109-65-69-22.red.bezeqint.net. [109.65.69.22]) by smtp.gmail.com with ESMTPSA id j77-v6sm10585827wmd.19.2018.07.07.14.20.21 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 07 Jul 2018 14:20:22 -0700 (PDT)
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: secdispatch@ietf.org, draft-sheffer-acme-star-request@ietf.org
References: <68049d34-4403-bc28-c691-5f14bf2c0ab0@gmail.com> <17777.1530983859@localhost>
From: Yaron Sheffer <yaronf.ietf@gmail.com>
Message-ID: <b9a66e93-fa03-0f14-08fb-8188c0123709@gmail.com>
Date: Sun, 08 Jul 2018 00:20:20 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <17777.1530983859@localhost>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/uazXEMxr35syVEJ4TntQQkQmllo>
Subject: Re: [Secdispatch] IETF 102: draft-sheffer-acme-star-request for consideration
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Jul 2018 21:20:27 -0000

Hi Michael,

Thanks for your review! Please see responses inline.

Thanks,
	Yaron

On 07/07/18 20:17, Michael Richardson wrote:
> 
> I have read draft-sheffer-acme-star-request.
> I am probably more ignorant of ACME that I should be, but the part where:
> 
>     The CA automatically re-issues the certificate (using the same CSR)
>     before it expires and publishes it to the URL that the NDC has come
>     to know at the end of the bootstrap phase.
> 
> seems to be new functionality required from the ACME CA, and therefore this
> really is an extension to ACME.  The document would seem to belong in ACME.
> 

This document has a companion (and much more advanced/detailed) 
document, draft-ietf-acme-star. This is where the ACME extension is 
described, as a "delta" from the baseline ACME protocol.

Even though draft-sheffer-acme-star-request is NOT strictly an ACME 
extension, it is arguably close enough to belong in the ACME working group.

> When I started reading, I thought that the IdO would be in charge of asking
> the CA to renew.  In that way, the IdO was completely (actively) in control
> of when/if the certificate would renew, and that a failure of the IdO (an
> omission) to do so would stop the process.  Instead, I read that the IdO must
> cancel the renewal (a commission), and to do so it has to remember the Order
> ID.

I understand your point. However the current design assumes high 
availability (at least to some degree) of the CA, which is a reasonable 
assumption from an ACME server. The IdO is not necessarily highly 
available, and relying on it for certificate renewals could result in 
failed operations.

> 
> section 3.1.1, "the client" was ambiguous and hard for me to sort out.
> HTTPS is assumed between the STAR Client and STAR Proxy, and the ability for
> the STAR Client to connect to the STAR Proxy.

Yes, it's a bog standard REST API. I think the sentence at the top of 
3.1 should be rewritten to clarify who "the client" is. It is the same 
as "STAR Client" as you already figured out.

> 
> I was thinking about how I'd want to run this, and the ability to just
> put some files in a directory and rely upon an rsync (over ssh) has some
> appeal to me, assuming that rsync was used to populate the contents of
> the CDN running on the STAR Proxy.

No, this is not the architecture we're targeting (and I'd need to 
re-read the draft to understand which part is unclear). The STAR Proxy 
is the IdO, the component that requests *once* the STAR certificate 
sequence from the CA (a.k.a. STAR server). The CDN is associated with 
the CA (not the Proxy!), to ensure that new certificates are always 
available to download.

> 
> I am particularly pleased with "4.1.  Multiple Parallel Delegates", as it
> not only makes it easy to do, but it also makes it clear the CA deals with
> the IdO only.  The CA is going to have to be willing to issue parallel
> certificates to the name cdn.example.com.
> This is yet another implicit requirement upon an ACME CA.

Agree, we should have mentioned it in draft-ietf-acme-star.

> 
> It would be nice to have a section "Implications/Requirements for ACME CAs"

Again, IMO, such implications belong in draft-ietf-acme-star.

> 
> (I am also thinking about how this may apply to ANIMA ANI certificate renewal
> needs)

Looking forward to meet and discuss in Montreal.

> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>   -= IPv6 IoT consulting =-
> 
> 
>

v2.23.0 | Report a Bug | By Email