Re: [lamps] Renewing (short lived) certs with EST (RFC7030) [was: Re: Sean: Permissibility of expired cert renewal]

Michael Richardson <> Thu, 30 August 2018 21:18 UTC

From: Michael Richardson <>
To: Sean Turner <>
cc:,, Toerless Eckert <>, Jim Schaad <>
In-Reply-To: <>
References: <> <> <> <> <19312.1535640189@localhost> <051f01d44086$639dac60$2ad90520$> <>
Date: Thu, 30 Aug 2018 17:18:48 -0400
Message-ID: <18707.1535663928@localhost>

mcr> I think that what we want to do is write a Security Considerations for renewing
mcr> certificates using EST with an expired certificate as
mcr> authentication.  We need to outline what kinds of policy might be required,
mcr> and when it would be appropriate not to accept specific certificates, or when it
mcr> might be appropriate to accept no expired certificates (perhaps for an interval
mcr> of time).  Or just how old (as a percentage of cert life) is too old.
mcr> I think that the threat case here is that devices are inappropriately disposed of
mcr> (vulnerable to dumpster diving or ebay acquisition), with the assumption that
mcr> the credentials are old and do not need to be wiped.
mcr> Probably there are other threat cases that I have not thought of, and I think that
mcr> the goal would be to write the threats down... ideally to give them names.

On Aug 30, 2018, at 13:25, Jim Schaad <> wrote:
> One of the issues that you need to make sure to include is that revocation
> information must be kept by the EST server until the point in time that the
> expired certificate would not be permitted to be used for authentication.
> There is currently only a requirement that this information be kept by the
> server until "the first CRL after the certificate expired has been issued."

That's a very good point.

Sean Turner wrote:
> Mike,
> If you do that then I think you’ll be good to go.


Toerless, are we trying to put this into draft-ietf-anima-autonomic-control-plane ?
If so, I'll attempt to draft something that fits into that document.

If it belongs somewhere else, then please tell me.

Michael Richardson <>, Sandelman Software Works
 -= IPv6 IoT consulting =-
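As an added illustration of the policy questions discussed in this thread (this is not code from the thread or from any EST implementation), here is a hypothetical server-side check that combines the "how old, as a percentage of cert life, is too old" threshold with Jim's point that revocation information must be retained for the whole window in which an expired cert is still accepted. The policy knobs, the serial handling and the sample dates are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DAY = timedelta(days=1)


@dataclass(frozen=True)
class RenewalPolicy:
    # How far past notAfter a cert may still authenticate an EST renewal,
    # as a fraction of the cert's own validity period (hypothetical knob).
    max_expired_fraction: float
    # Absolute ceiling on that grace window, independent of cert lifetime.
    max_grace: timedelta


def grace_window(not_before: datetime, not_after: datetime, policy: RenewalPolicy) -> timedelta:
    """Grace window for one cert: a fraction of its lifetime, capped by policy."""
    lifetime = not_after - not_before
    return min(lifetime * policy.max_expired_fraction, policy.max_grace)


def evaluate_renewal(not_before, not_after, serial, now, revoked_serials,
                     revocation_retained_until, policy):
    """Decide whether a (possibly expired) client cert may authenticate an EST
    renewal. Returns (accepted, reason). revocation_retained_until is the
    point up to which the server keeps revocation records for this cert."""
    if serial in revoked_serials:
        return False, "certificate is revoked"
    if now < not_before:
        return False, "certificate not yet valid"
    if now <= not_after:
        return True, "certificate still within validity period"
    grace = grace_window(not_before, not_after, policy)
    if now - not_after > grace:
        return False, "expired beyond the policy grace window"
    # Revocation records must outlive the grace window; otherwise a cert revoked
    # just before expiry could be accepted once its CRL entry has been dropped.
    if revocation_retained_until < not_after + grace:
        return False, "revocation information not retained for the whole grace window"
    return True, "expired within grace window and revocation status still checkable"


# Constructed sample: a 30-day cert; policy allows 25% of lifetime (7.5 days), capped at 30 days.
POLICY = RenewalPolicy(max_expired_fraction=0.25, max_grace=30 * DAY)
NOT_BEFORE = datetime(2018, 8, 1, tzinfo=timezone.utc)
NOT_AFTER = NOT_BEFORE + 30 * DAY

if __name__ == "__main__":
    print(evaluate_renewal(NOT_BEFORE, NOT_AFTER, 0x1234, NOT_AFTER + 5 * DAY,
                           set(), NOT_AFTER + 10 * DAY, POLICY))
```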