IETF Logo Mail Archive

[lamps] Comments on CMP Updates, draft-ietf-lamps-rfc4210bis-07

Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com> Thu, 25 January 2024 14:49 UTC

Return-Path: <Tomas.Gustavsson@keyfactor.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC15DC14F6BF for <spasm@ietfa.amsl.com>; Thu, 25 Jan 2024 06:49:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=keyfactor.com header.b="mz6gdQi6"; dkim=pass (2048-bit key) header.d=keyfactorinc.onmicrosoft.com header.b="JFOLBqqn"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E1kaYZbj9RmJ for <spasm@ietfa.amsl.com>; Thu, 25 Jan 2024 06:49:06 -0800 (PST)
Received: from mx0a-0041f601.pphosted.com (mx0a-0041f601.pphosted.com [148.163.147.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C0ACC14F61B for <spasm@ietf.org>; Thu, 25 Jan 2024 06:49:06 -0800 (PST)
Received: from pps.filterd (m0365589.ppops.net [127.0.0.1]) by mx0a-0041f601.pphosted.com (8.17.1.24/8.17.1.24) with ESMTP id 40PDISVO020359 for <spasm@ietf.org>; Thu, 25 Jan 2024 14:49:06 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=keyfactor.com; h=from:to:subject:date:message-id:content-type:mime-version; s= pps1; bh=26+VR/+mmBBIALDpqR8fLRFkQhhwd0YBJD2MCKAPgyw=; b=mz6gdQi 6DC9H0km8x/2BnnKuHQ/+ptzPJK7bBdxuHORweabQYUwD/9UdDdyw4F0B74OU5ww rAcCEp6reOYMJG/idegx7nBddAe6ZNZyVY9MzL0/JE1BLZURvZnMPoC9muWYKz1I H8Df0DZRwkeUJxAx63KErdOkyQobqnlZeejt02L17f3MZOSfxtBiNmXKwCuI6EFt 0qPoZjAmVLIzj8TLhIPv86Z/3kJsGoCEAX4e1+6jiwieF+KfKO/R9pWlw1qpuZdY U2L/5Iqx5ELMF4arbKUMG8V8L6FHBuxIisvga/jC2XxKR27BZ+SjUqZFOhb//DyO iAhj/X7rmLvxYbA==
Received: from eur05-vi1-obe.outbound.protection.outlook.com (mail-vi1eur05lp2168.outbound.protection.outlook.com [104.47.17.168]) by mx0a-0041f601.pphosted.com (PPS) with ESMTPS id 3vtmp796hy-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <spasm@ietf.org>; Thu, 25 Jan 2024 14:49:05 +0000 (GMT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=flDytUbItawbKafCQTNrIMpgK5t3Mhum/tpuDS197rDQQ8Zst9338TSyaCkzOoAYNOaEQ4PVH9Z7vRmDJGuhVQ23/D60Qxom0B/VLSlUa6QQngiB2sZdHpZymOykeizViQGdQQZxzsTkFRIerys8MQvcmGAWpNK4uFUf1qleeI4Sa0ap222ijOFXfDV9hShmUc04yT6qkIVviiSnxR7uFyYhnSMLR419YHCWe5/C4aEWJzvpX+OaEGfl9So7V8J/fJXYsGT+7k+FTnoA2jKr3vmZ+1WRFxzaMbuDQlXY6grPapXjXONqSPsHCqude7swxKlADlma3RfKbXhk1VPsWw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=26+VR/+mmBBIALDpqR8fLRFkQhhwd0YBJD2MCKAPgyw=; b=CoVWfhfcnCQPXBe/wS74DKgUYWadnyNSukpWnN0sX91aK7dECrPyjuHKmCxgGm7g+/jnS98MOy9unEPGN7e5FnG+kTNwkUNXPF9ixDM3iWMKkgFH43rCrKHChOwJunBNiKGHo83vG5W7EbK4XEjdd59bRIaQUQT/mc7xvDmytm474GBdZEAELUz15JO1QH4ywQD2ZPwSXejuCL4AI+0kcQLASgZDAr+1vMgQmSfHvufP5H6Kf9u+hZL3zqV4SjUHR+x90leULusHcocoYWkRkyKVJyn4Kl6dbJ8fesXKG3tEtXl29ODvL3YQRDCjRV4vCP2Cj37PlBNc09bWqe8aQg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=keyfactor.com; dmarc=pass action=none header.from=keyfactor.com; dkim=pass header.d=keyfactor.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=KeyfactorInc.onmicrosoft.com; s=selector1-KeyfactorInc-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=26+VR/+mmBBIALDpqR8fLRFkQhhwd0YBJD2MCKAPgyw=; b=JFOLBqqnViSmCjljZv9OsaZzX4y0tEHARj5sKqDFWt/+n2SoCl9xqwhRBed3WcWqa7J330DOe5mJeQbz1JoYG7aYHIhHwnccNlYfP6/wg2auALf8hXZ92lgEi2QOZWyG/9OQlgRbuVWtVFlJ9kCLDgYfXQJEo28h1IccPd/ZrogfXPlmHfmOFWQMOu9BcKgF55V27bOrVLrYIBMvIjK3dd9SLBJPoDFSAE71kiRKJCAfsJ3Gyc6AOmCvhlZXCFpmOtrEpyls/Uq8RhWzupg4u4KaAOq7p08mNGdxg64jm/RiDY2m6qFjSZ3cNfkdlOZBMwPRUaZiMbUO+uUsO0a7JA==
Received: from DU0PR03MB8696.eurprd03.prod.outlook.com (2603:10a6:10:3ef::5) by AS8PR03MB9095.eurprd03.prod.outlook.com (2603:10a6:20b:5b3::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7228.26; Thu, 25 Jan 2024 14:49:00 +0000
Received: from DU0PR03MB8696.eurprd03.prod.outlook.com ([fe80::b8c:a1e7:eaca:c408]) by DU0PR03MB8696.eurprd03.prod.outlook.com ([fe80::b8c:a1e7:eaca:c408%7]) with mapi id 15.20.7202.035; Thu, 25 Jan 2024 14:49:00 +0000
From: Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com>
To: "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: Comments on CMP Updates, draft-ietf-lamps-rfc4210bis-07
Thread-Index: AQHaT5edcAvoHWpQFk6Bh7LNDUfcag==
Date: Thu, 25 Jan 2024 14:49:00 +0000
Message-ID: <DU0PR03MB86969B1265A930380C034B8B867A2@DU0PR03MB8696.eurprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DU0PR03MB8696:EE_|AS8PR03MB9095:EE_
x-ms-office365-filtering-correlation-id: 2d94c848-b94e-4e88-fb95-08dc1db4c448
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 2kkZgmyWHTHyPE6+RDUB2MalZtGb625Jzrze0UP9TRT800TA7L0153gHAdWpLjPMrcxdMpNGuHxDlTWJWPuiC1+mEh6EMSIIJQtI3gSQ9CBfq9bIVreStcbOIknTPMt6flYqWn248ZVhAHMZyAkeCnxQqLuF2JLH5nfztk7HIcTAWyCtU+25x8WjJCvmU3/syV8H+U6Spqg5qzdyJQfWAIQQzeSE80U+YXxvijApqwGOPQletwZ0dvqu2ZNHMuKFMqhwG9JSCFwSvwtl+gON5brzeHlVmEw0JTlt0WGSCKw6ynNu19XKRSiCLRv5FCy1c1VGE1IlvpcCAY3ezcEZX7eBMYgocLD+O7RjIufHnucVjfMCGkUmQuQmK/D28xbYBk0wnLsu2f1HFxDNvdovQCHbxJEEDBvszyb7kbYoXlbGoD6UZprgRAAf1CQf5wTqih1GCAPtmFiIK0K4H7pRGqkNwGg2e6LuWWfP7teeTmzKBgECJFpUphsL3JH/g1CMKSnistVcSK5e8vxEMbbKJQKnTII0emY58r/n0E2CdGumqYRKzaYDpgBEioztExBSDlCUfqyn7aT5NfG3AWcOz0wJtHmX+3c7ZWQikLdSZVtdYq0yQDNU6o4dWl6y0FMM
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DU0PR03MB8696.eurprd03.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(136003)(376002)(39850400004)(366004)(396003)(346002)(230922051799003)(64100799003)(451199024)(186009)(1800799012)(83380400001)(41300700001)(9686003)(26005)(38100700002)(122000001)(8936002)(15650500001)(52536014)(5660300002)(8676002)(2906002)(478600001)(6506007)(7696005)(64756008)(66446008)(66476007)(66556008)(66946007)(6916009)(76116006)(316002)(71200400001)(91956017)(38070700009)(86362001)(33656002)(55016003)(19627405001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: BevMQSEEv1qFTfANKhx5cMmXWcAgp/TH+JZClFNgINF/spcVOKMAFfDbLW0H0oDtzXt1TZRqPkBeHf3kDVePy5w0DidvRuSg2iBufbcUrAoY5FuGI7RnIOfcaqQcEnm/39isTRHu6GwyVCgU5jZUcnc02sC7oVAW+E6xnbdJlmeMeXVgfkgtMxhHoLMF6Q0Hneb6ysMjcQvhBdShtLgayi2ZNBCzGpJMqe/G7q0MEHLdXTUpvfay8XFm/qkU2f3yC017y0t2D2KaGrLuIg1DhjUODkPKShN+PuDKoDabBk4ntzQF0XjnM0PowJUk1eK5RKDW9IjbFiBWUQvwbkp9LhDxmrSDaowK/MC5LSnXr87hs1ASC3N7O5x+wucfdF2cZJaIPVD1GI3reoHwSy72xUdNZdWqTitHNjluaQtvDR+K7hhXEAzJtU2lR/imupe/JLJCtXpBOE7AJ0ZpmOIXF03O6j8QHbIXMFS5smi6h0dp/z+HEdLyI36uoEwnwc0IADco7SEHhwI75u12u1vCdIqrqS3GFwImk3vcDdtKol1jMk9xgC71h3j22Odtij49IjM7I0AGhWAEvn9gOP650SSN3qWwiBMgC3Y3+ieWvsKG6XOI4IvtWRewiYyuBuR5pgfCR8QBC0R2yldGEVTAPs8D0wpJei1v2aVRxv1U5fANN/0pRzrmQ4SXFtU4rZitgtWtbtkuuSChd/gMB/NxzxGnfoKN6lWHWKGxOvqBnRhbqb9FG+a6y9XztAO4dsvQwRxNT8QK5aiMVgLXs51oktpIQdg4baBkdhdEUzf7g+uOChSH7sgTCTwiAQu6Bza+hYbrxVp79c+hPAFxvITtAIglXRx0Go59y7HthhD7Y0/S6FPvRbNueEPOX5s37N8uXPiNlzfG/FZGzvsuCeo4/yX8ZxNX2FATECmX1Ntz0veg0ww6aSB5+MLEQWdyWM3VapM9MEt8C4SeDGVSv8E65cs2jjwwB6NG9tJ8/f2gNJLRDUwGYLiHSXmYtEMxRHTETtakq6ira6Vgxx8oj1qyIU4YUNOWSuEMeE9ON0aKbhTMicrm6Xtsl//B6gnRlUPwsLV+VGwRhPWKbZBPlDdj/vg9o34N4OxP1uVPi4HoOaOi7/ADFbS4gUFic8k7gOTMRz9eoRf1oqWwkMYrEDElTPderjxvEDc7hit6889irWoq3sILn2gEJU+C4ocX1jjLjJ8IjwQaXF0rEc5tKmuNSGDkSMtsuuVm5dFXx84oIUgeaqutziWOo34SJWXDbnySI+usPeHPc59rxsdt+6VDqd9vVkyLSZip3eY2n4f8VOyFKBVbyKMf0m8qMRwGnBiyOpFsuTPvVPPaDRB6rtfEEi0vjWDa/YKHlvSbq4rLumHX5v/EYLyp783+NTSA3F0Qu2UedH95YK2ccaqrKpW/R86qrhDlkM7V7lLIi6M1JHW7dFu/Vv0SAFpz+euHVZzNirtPdw8HIJlz0RF5GCzepJj3gGL3VdnFgt6bFQ48sj6vXP2vcLNC1yxk4QtUdiBylDe8ORpQe8i15nLv2JPXuxzzkkQ6ph05U1+CzKgHSJQX8VJbD9ThbdMDkyQf4ouj
Content-Type: multipart/alternative; boundary="_000_DU0PR03MB86969B1265A930380C034B8B867A2DU0PR03MB8696eurp_"
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: NEOk/JGq/xg6+fT3PqFsNIC4m8vr46VVzYWYL9TE1K+sbXzlPSpH59Ft16GF1Tpmo7ON8WEP+rP6spmG9/Tx6DtfDyG+GkN3kON77j3rE6Gbg2RYNVBQsp5U9XAI0TvAMuKfz9T1cOPviZ4g0YXO9uFnrA45bZdu/GlaWf967iOxCNuyMEr9Zu6jrAhtvAovO/J8KqoIztBhBIfLQaSC4E/EVHYsIjFkF3dqdxbh41TJ47OeZkIHcYiLKsCo+nEPkXa7fMc4AeL8paK867KZ7SAosRPU6JQFn9Ky0sO6oQDYptufOC7rBa+TROicXI7s/JWN+ZZgtzFYENd1x9NUtMZD9QhJj0OIOtZCVWXyxGFydD2fYtQTLzrDdbfdh5qBLq/hZx0ay9GlMLRxWFB0fxryN2FQVWVswmsPre/EHa7R0psu3opZ9WyO9UvCsWmTQ9V9Cnm0Uv/+phvi2ldpUID8o+Z7XhfOOyklk9jfodSL3QhAoZ1/0j2bNOn5Q0y9RPHKPNxjuXu8Zz0vz1R3y4JEyOrH4WJVUCK+486XPepwZOw4hfXTH6yU70h7CHI4UFND15CbB4m45YerbLtGagC79Zj9Z9kyJiG9CjM8xnm83LJsWCS951vh1gWU3IZ1
X-OriginatorOrg: keyfactor.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DU0PR03MB8696.eurprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2d94c848-b94e-4e88-fb95-08dc1db4c448
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Jan 2024 14:49:00.3865 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c9ed4b45-9f70-418a-aa58-f04c80848ca9
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: erUJ2VejFfqp/hKLS+6d1uP2u6ZnTOSnhcRtXoAaHCSxQdPgAi9cLNlNWj9lGBV68goMuub+QkKgrXLvpNgo0hpe2peqWE7Hq6qszECENoI=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR03MB9095
X-Proofpoint-GUID: Oe1tTiC9b6FqNMALBiO_gzVPBi5KXMTw
X-Proofpoint-ORIG-GUID: Oe1tTiC9b6FqNMALBiO_gzVPBi5KXMTw
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-01-25_08,2024-01-25_01,2023-05-22_02
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/2ejX7xYcC1VNJbMzb4iO9DoZIfI>
Subject: [lamps] Comments on CMP Updates, draft-ietf-lamps-rfc4210bis-07
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jan 2024 14:49:11 -0000

Hi,

I'm not sure how much work is currently going on on this draft? I started reading it and have a bunch of comments. Perhaps it's being thought of already, but posting it here if anyone is interested.
I acknowledge that updating CMP, to something that includes new things like KEMs, and yet makes CMP easier to use and deploy on scale, is a truly monumentous task.

Here some points for discussion after reading through parts of the draft.


  1.
Section 4.2.2.1 describes it as mandatory that the CA can send a CMP message to the end entity directly. I think this is an extremely rare case, and very hard to interpret. CAs can virtually never make an on-line connection to end entities, so this scheme assumes an out-of-band deliver of the CMP message, which is hard to envision imho. At least without stating that this is outside of the scop. The most basic cases I know of always involve some RA that initiates the request to the CA. This is confusing to me.
  2.  Section 4.4 on root CA key update seems very verbose.

It discusses the odd case of CA rollback to great lengths, which I'm sure is extremely rare.
We discussed during the period of RFC9480, about the need for OldWithNew, which is why RFC9480 have both NewWithOld and OldWithNew as optional in 5.3.19.15. I don't think it is good to bring that back here in the form of: "Thus, when a CA updates its key pair it must generate two extra cACertificate attribute values if certificates are made available using an X.500 directory (for a total of four: OldWithOld, OldWithNew, NewWithOld, and NewWithNew).".
Using an x.500 directory as reference I don't think is a good one.

  *
Keeping these optional enables us to cut down on the verbose wording quite some. You can basically remove the whole section 4.4.1, or shorten it substantially.
  *   It would be good if section 4.4 gave more advice on the standard use case of CA Renewal
  *
Section 4.4.2.x seems to assume an LDAP directory. Also nothing that is common, I don't think the CMP draft should specify which LDAP attributes to look up ("Look up the cACertificate attribute in the repository"). Either CMP have a mechanism to distribute new certificates, or it's out of scop and we can remove those words.
  *   The section assumes support for X.509 v1, without extensions. I don't think this is appropriate. CMPv3 makes extensive use of extensions in the specification so assuming X.509v3 with extensions I think would be better. CMPv3 will not work without extensions anyhow.


  1.
Section 5.1.3.4 talks about Alice and Bob. I think the CMP specification should make use of CMP terminology. I.e. from RFC4210, is it an End Entity, CA, RA or KGA.
     *   This flows into Appendix E as well
  2.
Section 5.2.5 should be removed imho. It says it is out of scope, why define ASN.1 data structures for something that is out of scope of the document? I think it's right to keep it out of scope, but then the whole section can be removed.
     *
KEM keys and message protection:Sections 5.1.3.4, Appendix E: For message protection I wish some more guidance could be provided, or I fear there will be much confusion and many alternatives asked. I think the case of an end entity possessing solely a KEM key will be rare. The more common case is probably that the end entity have both a signature key and a KEM key. In that case isn't it more efficient to use the signature key/cert to authenticate also the request for a KEM key? In essence the same way an IDevID is used to request an operational certificate. The way it is worded in 5.1.3.4 "In case the sender of a message has a KEM key pair". Given the extra roundtrip outlined in Appendix E, I would prefer "In case the sender of a message only has a KEM key pair". I would like it described the case where KEM key certificates are requested, using normal signature based protection, and hope that could be the preferred scenario.
        *   Migrating existing systems to that model is much easier than to move to only using KEMs and extra rountrips (or suppliing every RA and CA with KEM certificates just to avoid a round-trip).

Best regards,
Tomas

v2.23.0 | Report a Bug | By Email