Re: [lamps] [Anima] RFC8994/8995 requirements for CSRattr

David von Oheimb <nl0@von-Oheimb.de> Sun, 05 September 2021 13:09 UTC

Return-Path: <nl0@von-Oheimb.de>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 862233A1658; Sun, 5 Sep 2021 06:09:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1cKesDvllsRC; Sun, 5 Sep 2021 06:09:20 -0700 (PDT)
Received: from server8.webgo24.de (server8.webgo24.de [185.30.32.8]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 80FF33A1656; Sun, 5 Sep 2021 06:09:18 -0700 (PDT)
Received: from [192.168.8.103] (ip-109-43-50-218.web.vodafone.de [109.43.50.218]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by server8.webgo24.de (Postfix) with ESMTPSA id 6C0034217B9; Sun, 5 Sep 2021 15:09:14 +0200 (CEST)
To: Michael Richardson <mcr+ietf@sandelman.ca>, Eliot Lear <lear@lear.ch>, Dan Harkins <dharkins@lounge.org>, Owen Friel <ofriel@cisco.com>, Peter van der Stok <stokcons@bbhmail.nl>, max pritikin <pritikin@cisco.com>, Toerless Eckert <tte@cs.fau.de>, Esko Dijk <esko.dijk@iotconsultancy.nl>, spasm@ietf.org, Thomas Werner <thomas-werner@siemens.com>, anima@ietf.org
References: <26149.1630260692@localhost> <1dec22e1-3856-4df7-21d6-4ad6c94e0ee2@lounge.org> <13498.1630308106@localhost> <0a744c63-464b-9801-2a46-9853af1efb0c@lounge.org> <479b3595-cb44-8ece-aa80-4f30a2cdafce@lear.ch> <285e354a-8b5f-7ab4-0e03-20d06328d897@von-Oheimb.de> <da2ce36c-3756-f4c0-7907-a5976d492a82@lear.ch> <ce27e660-6636-b44b-9599-954e9f1ec085@von-Oheimb.de> <d7377093-54c0-3577-f42d-5d410d307eaf@lear.ch> <1351.1630688419@localhost>
From: David von Oheimb <nl0@von-Oheimb.de>
Message-ID: <0d4084ab-c3d5-ef3b-3853-e31d77976b78@von-Oheimb.de>
Date: Sun, 5 Sep 2021 15:09:11 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.12.1
MIME-Version: 1.0
In-Reply-To: <1351.1630688419@localhost>
Content-Type: multipart/alternative; boundary="------------156F33D36BDB6F2C645283E8"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/CYL7OYkJqFNTUiLDVhe8hI-T3qc>
X-Mailman-Approved-At: Sun, 05 Sep 2021 06:52:04 -0700
Subject: Re: [lamps] [Anima] RFC8994/8995 requirements for CSRattr
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Sep 2021 13:09:26 -0000

On 03.09.21 19:00, Michael Richardson wrote:
> I'm unclear if CMP allows for a standardized way to override the CSR
> contents, or if it simply provides more authority for the RA to create a new
> CSR of its own.
CMP does not offer a direct/explicit "override" mechanism for CSRs, but
it is foreseen that an RA checks a CSR and then modifies it, using the
RAVerified option instead of the typical signature-based PoP.
This is one of the use cases we describe in more detail in our new
Lightweight CMP profile - see
https://datatracker.ietf.org/doc/html/draft-ietf-lamps-lightweight-cmp-profile#section-5.2.3.2
BTW, CMP also offers a variety of further forms of PoP, for keys that do
not have the capability for signing - see
https://datatracker.ietf.org/doc/html/rfc4210#section-5.2.8.4
<https://datatracker.ietf.org/doc/html/rfc4210#section-5.1.3.4>

With EST this is not possible simply because it uses the rather limited
PKCS#10 format, which requires self-signature, which is not possible at
the RA (even for keys that can be used for signing) because it does not
have the needed private key. In other words, PKCS#10 and thus EST does
not support on-behalf CSRs.

> While I would also prefer to enhance the RA/CA protocol, I'm not entirely keen on mechanisms that break the original PoP.
Yeah, I also prefer avoiding this - as long as the overhead to the EEs
is bearable.

For cases where the PoP is broken by an intermediate entity, CMP cert
request message may contain the original (unmodified) CSR for reference
purposes - see https://datatracker.ietf.org/doc/html/rfc4210#section-5.1.3.4


> Anyway, we are going to enhance the CSRattr description to support all the requirements.

Good to have this option then in the future.

    David