Re: [lamps] rollover of CA
Michael Richardson <mcr+ietf@sandelman.ca> Fri, 03 September 2021 17:45 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C35E73A26A0; Fri, 3 Sep 2021 10:45:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mV9yPd_6PzU2; Fri, 3 Sep 2021 10:45:40 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 983DB3A269E; Fri, 3 Sep 2021 10:45:38 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 42E6F39543; Fri, 3 Sep 2021 13:51:42 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id CCQZJi5cz2Fc; Fri, 3 Sep 2021 13:51:34 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 3F1E639515; Fri, 3 Sep 2021 13:51:34 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 06DC9AC; Fri, 3 Sep 2021 13:45:28 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Ryan Sleevi <ryan-ietf@sleevi.com>, SPASM <spasm@ietf.org>, anima@ietf.org
In-Reply-To: <CAErg=HH9o8wXgo9RS0GDrn6ZgL7TD3TF25PiUNW7XePML7252w@mail.gmail.com>
References: <17240.1630591789@localhost> <CAErg=HH9o8wXgo9RS0GDrn6ZgL7TD3TF25PiUNW7XePML7252w@mail.gmail.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Fri, 03 Sep 2021 13:45:28 -0400
Message-ID: <13231.1630691128@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/8MwCZCNqcDhXA-HvgZbZM0Ieomo>
Subject: Re: [lamps] rollover of CA
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Sep 2021 17:45:55 -0000
Ryan Sleevi <ryan-ietf@sleevi.com> wrote: rs> I mean, there's rs> https://datatracker.ietf.org/doc/html/rfc4210#section-4.4, but that's rs> more or less unsupported, and would strongly recommend against it: rs> the _key_ rollover creates vast issues with implementations. That's the section I was looking for. Thank you for being my google :-) This is for ANIMA's constrained-voucher/constrained-BRSKI-EST mechanism. It is relatively greenfield. For a variety of implementations, in draft-ietf-anima-constrained-voucher (inheriting from draft-ietf-ace-est-coaps, almost RFC9148) the trust anchor return prefers to use application/pkix-cert rather than RFC7030's "application/pkcs7-mime; smime-type=certs-only", which avoids having a bunch of useless CMS code. The downside of this is that we can have a single trust anchor returned. We have discussed being able to call /crts multiple times to get multiple anchors. (/crts/0, crts/1...). The RFC4210 process to deal with key rollover creates a new certificate chain that new nodes need to have, and in the constrained situation, we don't have a good way to figure out how to transmit this during certificate renewal. In the P2MP data collection IoT network, where the nodes only talk to "the cloud", then it's probably trivial for the cloud server to have both the previous CA and the new CA to validate the nodes. They can renew as they like. The (D)TLS connection from the nodes needs to always use the RFC8446 _4.2.4. Certificate Authorities_ extension to indicate which anchor the node has loaded so that the cloud can respond with new or old certificate. Arranging for one or two cloud servers to have this double certificate is a pain, but it can be done. For P2P communication, including that used by RFC8994 (IKEv2 connections among peers), then using RFC4210 seems like a better win. IKEv2 includes a CertREQ which allows each end to see whether the other end needs the chain. On ACP networks (with 10G+ links) there is really no significant downside to passing an extra 300 byte certificate signing the new CA with the old CA. For pure RFC7030 "certs-only" download, we can get this extra certificate in easily. DTLS connections between nodes in an LLN can use the same mechanism, but the cost of the extra certificate is significant and so we'd like not to have to send it around unless actually needed. Esko, we could go into some significant detail here. There are some operational parts here that are pretty clear to me, but there are a few unknowns that remain. One thought is that we can retain the old trust anchor when we get a new LDevID, and a new certificate. That lets new nodes continue to trust old nodes. This removes the need for nodes with LDevID0 to know that they need to send some newCA->oldCA certificate. The new nodes would have the oldCA->newCA certificate, so the old nodes can verify the chain. But, it would also be nice to know when the transition is likely to be complete so that nodes could stop sending the extra bytes. So another thought that I had was to define an extension somewhere (maybe in the certificate oldCA->newCA?) which indicates a time at which the node should return to get some update to trust anchors, but not necessarily to renew a certificate. The other interesting thing is whether the nodes with oldCA could cache the oldCA->newCA certificate, and then would be able to state both as trust anchors, avoiding the new to send that certificate everytime DTLS between nodes rekeys. {My reading of MATTER spec didn't reveal any rollover support. Hmm} -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | IoT architect [ ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [ -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [lamps] rollover of CA Michael Richardson
- Re: [lamps] rollover of CA Ryan Sleevi
- Re: [lamps] rollover of CA Deb Cooley
- Re: [lamps] rollover of CA Tomas Gustavsson
- Re: [lamps] rollover of CA Brown, Wendy (10421)
- Re: [lamps] rollover of CA Eliot Lear
- Re: [lamps] rollover of CA Michael Richardson
- Re: [lamps] rollover of CA Michael Richardson
- Re: [lamps] rollover of CA Michael Richardson
- [lamps] kinds of trust relationships in IoT netwo… Michael Richardson
- Re: [lamps] rollover of CA Deb Cooley
- Re: [lamps] rollover of CA Tomas Gustavsson