Re: [lamps] Call for adoption of draft-nir-saag-star

Russ Housley <housley@vigilsec.com> Fri, 27 July 2018 17:48 UTC

From: Russ Housley <housley@vigilsec.com>
Message-Id: <B44AAFBA-A7C1-4565-8307-D3B493A964B8@vigilsec.com>
Date: Fri, 27 Jul 2018 13:48:50 -0400
In-Reply-To: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com>
Cc: SPASM <spasm@ietf.org>
To: Tim Hollebeek <tim.hollebeek@digicert.com>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/3RZ_8UErpb4hSrTnmoUUCM2HEcU>
Subject: Re: [lamps] Call for adoption of draft-nir-saag-star

This document was discussed at IETF 102 in Montreal.  The DRAFT minutes say:

"""
A WG call for adoption is underway.  This document is about Short-Term
Auto-Renewed (STAR) certificates.  There is no revocation information
for these certificates, and the short validity period makes this
acceptable.  The automatic issuance of replacement certificates
overcomes the operational challenges of short-term certificates.
Two use cases are driving this work: IPsec VPNs and software-defined
storage.  These certificates might not be suitable for the Web PKI.

Many people in the room felt that an extension that tells the
relying party that no revocation information is available is needed.
The authors feel that such an extension should be defined in another
document; this document should remain a BCP.

Some people felt that these certificates should point to an empty CRL
and a similar OCSP responder so that anyone looking for revocation
information would not get a failure.

Some people felt that the WG should not adopt this document until
it addresses these two topics.
"""

My conclusion from this discussion is that an update to the Internet-Draft is needed for the LAMPS WG to consider adoption.  Please speak now if you come to a different conclusion.

Russ

> On Jul 14, 2018, at 12:01 PM, Tim Hollebeek <tim.hollebeek@digicert.com> wrote:
>
> The recently approved LAMPS WG Charter adds this work item:
>
> 3. Specify the use of short-lived X.509 certificates for which no revocation information is made available by the Certification Authority.
>
> Short-lived certificates have a lifespan that is shorter than the time needed to detect, report, and distribute revocation information.  As a result, revoking short-lived certificates is unnecessary and pointless.
>
> It has been suggested that the WG adopt draft-nir-saag-star as the starting point for this work.  Please voice your support or concerns on the list.
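The two sides of what the minutes describe, as an added example that is not code from draft-nir-saag-star, the LAMPS WG, or either poster: a CA issuing a short-lived certificate that carries no CRL distribution point or OCSP pointer, the same CA producing an empty but validly signed CRL for the "point to an empty CRL" alternative, and a relying-party policy that decides what to do when a certificate carries no revocation pointers at all. Since the page defines no "no revocation information available" extension, the policy infers that state from the absence of CRLDP and AIA-OCSP and only accepts it when the certificate's lifetime is under a threshold; the 7-day threshold, the names, and the CRL URL are assumptions made for illustration. It uses the `cryptography` package (pip install cryptography).

```python
"""Short-lived (STAR-style) issuance and a relying-party revocation policy.
Added example, not code from draft-nir-saag-star or LAMPS.  The 7-day
threshold, the CA/subject names and the CRL URL are assumed for illustration."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

# Assumed relying-party policy: a certificate with no revocation pointers is
# accepted only if its whole validity period is at most this long.
MAX_LIFETIME_WITHOUT_REVOCATION = datetime.timedelta(days=7)


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def make_ca(cn="Example STAR CA"):
    """Self-signed ECDSA P-256 CA that signs the short-lived certificates."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = _now()
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_cert(ca_key, ca_cert, subject_cn, lifetime_days, crl_url=None):
    """Issue an end-entity certificate.  crl_url=None adds no CRLDP and no AIA
    (the STAR case); a URL adds a CRLDP that the CA can serve an empty CRL from."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = _now()
    builder = (x509.CertificateBuilder()
               .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
               .issuer_name(ca_cert.subject)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(minutes=5))
               .not_valid_after(now + datetime.timedelta(days=lifetime_days))
               .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True))
    if crl_url is not None:
        dp = x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(crl_url)],
                                    relative_name=None, reasons=None, crl_issuer=None)
        builder = builder.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    return builder.sign(ca_key, hashes.SHA256())


def make_empty_crl(ca_key, ca_cert, next_update_days=1):
    """Empty, validly signed CRL: a client that does follow the CRLDP gets a
    good answer instead of a fetch failure."""
    now = _now()
    return (x509.CertificateRevocationListBuilder()
            .issuer_name(ca_cert.subject)
            .last_update(now)
            .next_update(now + datetime.timedelta(days=next_update_days))
            .sign(ca_key, hashes.SHA256()))


def has_revocation_pointers(cert):
    """True if the certificate names a CRL distribution point or an OCSP responder."""
    try:
        cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
        return True
    except x509.ExtensionNotFound:
        pass
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    except x509.ExtensionNotFound:
        return False
    return any(d.access_method == AuthorityInformationAccessOID.OCSP for d in aia)


def lifetime(cert):
    """notAfter - notBefore, using the tz-aware accessors where available."""
    nb = getattr(cert, "not_valid_before_utc", None)
    na = getattr(cert, "not_valid_after_utc", None)
    if nb is None or na is None:  # cryptography < 42 only has the naive accessors
        nb, na = cert.not_valid_before, cert.not_valid_after
    return na - nb


def revocation_policy(cert, ca_cert):
    """Relying-party decision: 'check-revocation', 'accept-without-revocation-check'
    or 'reject-no-revocation-info'.  Raises InvalidSignature on a bad signature,
    which a short lifetime never rescues."""
    ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                ec.ECDSA(cert.signature_hash_algorithm))
    if has_revocation_pointers(cert):
        return "check-revocation"
    if lifetime(cert) <= MAX_LIFETIME_WITHOUT_REVOCATION:
        return "accept-without-revocation-check"
    return "reject-no-revocation-info"
```

The point of the threshold is the one in the minutes: skipping the revocation check is only safe when the certificate expires before revocation information could have been produced and distributed anyway, so a long-lived certificate with no pointers is a hard failure, not a soft one. Without a defined extension, a relying party can only apply this by lifetime and by absence of pointers, which is why the room wanted the signal made explicit.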