Re: [lamps] [Anima] RFC8994/8995 requirements for CSRattr

Tomas Gustavsson <tomas.gustavsson@primekey.com> Mon, 06 September 2021 07:18 UTC

Return-Path: <tomas.gustavsson@primekey.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC2583A24A7; Mon, 6 Sep 2021 00:18:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.8
X-Spam-Level:
X-Spam-Status: No, score=-1.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=keyfactorinc.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XSWH2bWXvhGW; Mon, 6 Sep 2021 00:18:16 -0700 (PDT)
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10on2111.outbound.protection.outlook.com [40.107.92.111]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1F9C3A24A5; Mon, 6 Sep 2021 00:18:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XZ33W1dERVmS0wkRUpRqBeGB5Ifl6s96XKVizaRENyxg0ue2wMLAU+iuW3gXTnWEz2gk10F0R5C9GpDmBb/RWe50gGSkHrYnMmWYgEDEeC/uPd4X8DlBcZRjbZNaKpsv8LVLL8q3l9ZcRGC6WbqckV91YL++Tz+PbWafQHi66OtL4fu5Cs0rWmxEdID0ocOGX2mX7h3bGhxczitry5fuuddHQ8vtCfu/aYsZHMzOhJD20pPutNawkUYIuE7QokTQFc7pNT+geYUles2UKfbQCHqV/xOHkFEREJPEGXxozItk7mdwAwd9kK3EW3oBbSrixo+EUsjP6hnGgvvW0cKwBA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=WjS8nR7FbYm05wOUtq6i+AITxMtnuWprpQNgY6tqwcM=; b=L4xMAfYJxS6RAPm7y73SN4TiPNf+nJiww2GoRv6xE0VdlBgZaLqrkGHSqTSqjaGyEdG7l1c3Bz2YCUT6aGtALEh1MxKZITIqIB0vlIGic5G3kyJnS5IX8O4K/dweqov3qdA5Yrsf0AZ0NbBSwjRrsV1/BukkB3FtGdFrv0oSXPqLT6BBmV4TTdV+oHHwurBd1qGvgLB/TcnhZCSsyPD8a1RUKA8oGZn69kByHV/+flmHJmAP2SBhf/KctLmOXJedDY5O4MnjNa3mIDnXh2KiXSlnVKv6C7YbGsme4MZzdgNbBTZpYXgIrRz9DQ0flDgMbwG0m5ezYND2S1BQwG+5Hg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=primekey.com; dmarc=pass action=none header.from=primekey.com; dkim=pass header.d=primekey.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=KeyfactorInc.onmicrosoft.com; s=selector1-KeyfactorInc-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WjS8nR7FbYm05wOUtq6i+AITxMtnuWprpQNgY6tqwcM=; b=YaxUXn4R1ivcrXhsl4NjZQAR/3cO2rS5Ul/v0ndQgmPrpSmm1ueEfyWJgKpk+pvcyUrVWQwChBp63xeAPhdz7oyjryFdwv5w1lE1QncRodrQbfQg4dRh05F6P1mIEPdS5lNJiAYGdx0QsDSlQICUzol77ttoZ7iqTFkr7EeE2A8=
Received: from SJ0PR22MB2542.namprd22.prod.outlook.com (2603:10b6:a03:328::8) by SJ0PR22MB2557.namprd22.prod.outlook.com (2603:10b6:a03:320::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4478.17; Mon, 6 Sep 2021 07:18:12 +0000
Received: from SJ0PR22MB2542.namprd22.prod.outlook.com ([fe80::5a6:7d47:2553:9773]) by SJ0PR22MB2542.namprd22.prod.outlook.com ([fe80::5a6:7d47:2553:9773%7]) with mapi id 15.20.4478.025; Mon, 6 Sep 2021 07:18:12 +0000
From: Tomas Gustavsson <tomas.gustavsson@primekey.com>
To: David von Oheimb <nl0@von-Oheimb.de>, Michael Richardson <mcr+ietf@sandelman.ca>, Eliot Lear <lear@lear.ch>, Dan Harkins <dharkins@lounge.org>, Owen Friel <ofriel@cisco.com>, Peter van der Stok <stokcons@bbhmail.nl>, max pritikin <pritikin@cisco.com>, Toerless Eckert <tte@cs.fau.de>, Esko Dijk <esko.dijk@iotconsultancy.nl>, "spasm@ietf.org" <spasm@ietf.org>, Thomas Werner <thomas-werner@siemens.com>, "anima@ietf.org" <anima@ietf.org>
Thread-Topic: [lamps] [Anima] RFC8994/8995 requirements for CSRattr
Thread-Index: AQHXol1+kpL4h5cQ8Umtp5NI3meAhquWmFnd
Date: Mon, 6 Sep 2021 07:18:12 +0000
Message-ID: <SJ0PR22MB2542E4982D5C4008C46CAA1CE8D29@SJ0PR22MB2542.namprd22.prod.outlook.com>
References: <26149.1630260692@localhost> <1dec22e1-3856-4df7-21d6-4ad6c94e0ee2@lounge.org> <13498.1630308106@localhost> <0a744c63-464b-9801-2a46-9853af1efb0c@lounge.org> <479b3595-cb44-8ece-aa80-4f30a2cdafce@lear.ch> <285e354a-8b5f-7ab4-0e03-20d06328d897@von-Oheimb.de> <da2ce36c-3756-f4c0-7907-a5976d492a82@lear.ch> <ce27e660-6636-b44b-9599-954e9f1ec085@von-Oheimb.de> <d7377093-54c0-3577-f42d-5d410d307eaf@lear.ch> <1351.1630688419@localhost> <0d4084ab-c3d5-ef3b-3853-e31d77976b78@von-Oheimb.de>
In-Reply-To: <0d4084ab-c3d5-ef3b-3853-e31d77976b78@von-Oheimb.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: von-Oheimb.de; dkim=none (message not signed) header.d=none; von-Oheimb.de; dmarc=none action=none header.from=primekey.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 51ee5f0b-ffc6-4121-0d56-08d971067c97
x-ms-traffictypediagnostic: SJ0PR22MB2557:
x-microsoft-antispam-prvs: <SJ0PR22MB2557B7745D0A4C25FB60939FE8D29@SJ0PR22MB2557.namprd22.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: XX/kDkOTWfl6Eg2ydgVXV3i//2dsEjPbKXbvXZYEE+2lpoh4DzaSb39qbSQXNXgFW7ngc2H/GTQWD+PU45noTrxiWmBKOomF0G0MqBSij4CPqWGsZjrDosh73HHpfy6uqlscdQ7k2j+AtPAd0/7iCBVHNgbpSbQwaKs5AkbL6F1DIh8i5AvaWnGv/xC08Q9v5zFQL4WNgy2qB/187Z7Gm1G7L5pmfhOE1zkNFu+PLmy6t1xkDbGokVyq351bCRbFMyLInctgSHlgaiSRCC5qIxCf3c8r4qaY5Y7Dfkr0GpV5zwJjhKAfcduOPjPeX4FvUvXskPaLUwNQeFoZyhLQgsWGy7luZHvTOSuNs0aOQalHM2VB3pRPUQxJF9ri8Q/20Y3oJQPNwmfxrpjdhudpOsE0sEQnFrP7i0LU7fuCSQBWqQvJHRx2dmbZeaWWGE80QaQv3mP6XVHR8U0PX5Tvmyf6SB2TrLcgP91VJVxOWJemU6D6h/TgXxaS1VXLeihMILgdWuxVUOEYjVohvxNnoGRFdhXf3YwtVhdhvCf3LCU9qosG/7ngzFuApZ99dZXVhNfgwGuP7M1Jn0EtNlvM+yIRDvMl3+Eq8LaPo0FAxQ+86hpUcvRrqq2JLgYYR/S+7A4XDs5GK7LWjOQrvm03HTFUfh2IMx0gvybtKVMieiOhFWQp+KjrA29fE5CZWt21AF/7KFggFtjzcPjKrVPUlJewXnzF/VnXl10o2nWXH1GQx63Inb/b15RLFF3XzhTxJVKEoP6NMPqjTHMXiMRX/ehP+QhDvpEtAgPsSWHbz2Dn0iwdt8Wb1eifAgOyo0I/
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SJ0PR22MB2542.namprd22.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(39850400004)(346002)(376002)(366004)(136003)(396003)(921005)(19627405001)(7416002)(2906002)(71200400001)(110136005)(9686003)(6506007)(55016002)(5660300002)(38070700005)(44832011)(316002)(26005)(186003)(478600001)(53546011)(76116006)(38100700002)(91956017)(66946007)(66476007)(66556008)(64756008)(122000001)(966005)(66446008)(86362001)(166002)(8936002)(83380400001)(7696005)(52536014)(33656002)(8676002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?TgAXiR6pKjwHTAf4rBC8esBQyWWuhDtaO5I+rpPgxC5wt4DMiVxe6dUip0FA?= =?us-ascii?Q?Mtmh6KBKtlQBzf1pbVOwKm/zI1nE7pQjQu8rutCvoKIyBUArWdTnffuOs6EI?= =?us-ascii?Q?hIFX/g68lw1/ssqOK7jHuveF8jlEiOaXO4AnF/6JeDAT2JcqUyeXbWUoq+PM?= =?us-ascii?Q?uEsiibLCWX4sPP2QagLPpWSQvB2BE7h6eLrbDZ4xka5Eu93+RpB72fPoFugx?= =?us-ascii?Q?cQ4NBb7Wz66gbXO7vykCd8npWgMsgReKH87n3s61ThCkruyY59JKwkPl04I0?= =?us-ascii?Q?g73hbAh0f9VO94H3B9yNlHUjtC9QibLnESyQo7OgSiKtOpH81iyqNU04roOk?= =?us-ascii?Q?dSuQ3BvcQbwrBRnor9tdb6vCl9gUTHXJcdGqE1ZFhE1UxnHorufZ8lwCd+84?= =?us-ascii?Q?JXZ9p0Wg+kToD1G+d4/ZVG9DScR1JAW2BwVioCXEQhDhXC+hkPKFnpWagEs4?= =?us-ascii?Q?/DW1vSi9cpcjaRRKmeopaMDCSjREyMqVMeEX0ztQhLfpc+oejN6p9r+KIDyh?= =?us-ascii?Q?Z+l8J30mZ01RTNG0+6q3IQZRRr/sqGW61sKJGLF2NXZ09F4sBHx1op3ZaD4G?= =?us-ascii?Q?+nFkkgp9Ergipg1N+jQMWl+oefwMAy/Z1ColmQezv5A9BZHrgXyvCTIhnuG6?= =?us-ascii?Q?9yNQ9pGjZ4hVqpWk0qgnO39hHop2Y5Zwc2ZWU8nS3xRIkmVUJAN0y9UvC5Xp?= =?us-ascii?Q?9dq/XpB6RtCNrZy21EYbySgz0491BY0MgxZ+9WrO6G4alapQti/rA925UzRy?= =?us-ascii?Q?PbmZmQockEG3Oy4vGeQGZkujMZM7im+svKLXP6VzeEcEPrOSvCCmfnOI67wn?= =?us-ascii?Q?nsK7o3Eb/sQtPgd4wqlGV/QF58rpBIswCsJJaUcYExTmY5xjzLo4404roKD8?= =?us-ascii?Q?6JdQPUZVQK725qxsZONyO9ulBg+EOeO7b3yEmrh+bl4tTB7rPZ6K6YD896Xe?= =?us-ascii?Q?bH+qd+WBFYNc04Xstun66/BCZywBDr2JUKJi2jbzA+vGKWST/nQ5H02Jr0oS?= =?us-ascii?Q?Dp/zzRmCmi+CQ9WEC16zdsgWP3avfy19XfDVxdxI5owS5taiM1E+PiXFCImE?= =?us-ascii?Q?+KQKEmNWlQKcC2vUSqpn2Vo/ux0yE5ZlvXM2ryYugqJ8AMMkh+UcywF5ZVO/?= =?us-ascii?Q?WI3TCGi1D5/uhVHGlHydzOXPloiXav1uZqKWbmFz0W2H/E9ukPi7ciAn3tQo?= =?us-ascii?Q?LYWAHm2G1XRl6kg/4ZNRSVulMsX7M8jeWfVUk8KQ0UDSjVOifeFGGdfIQX2U?= =?us-ascii?Q?0fdBHncLjATCQFb07Wb5d3hgjojCuYSqfAoUTCfTS7dL9JXLqbcmuabO7Xem?= =?us-ascii?Q?Nv8=3D?=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_SJ0PR22MB2542E4982D5C4008C46CAA1CE8D29SJ0PR22MB2542namp_"
MIME-Version: 1.0
X-OriginatorOrg: primekey.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SJ0PR22MB2542.namprd22.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 51ee5f0b-ffc6-4121-0d56-08d971067c97
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Sep 2021 07:18:12.0605 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c9ed4b45-9f70-418a-aa58-f04c80848ca9
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: XJiZ4DBNykuBgIg8qbEa572dd3InmZ1Jd2W25DzISKveqHoOAY9QzMJjHGRI7/iELWtfiThMlozL2X/13rTeHRPbrfRClqtzJdQ99wPhM2g=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR22MB2557
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/_oTeoe8mDQtV2x08TxsGKBB1d3g>
X-Mailman-Approved-At: Mon, 06 Sep 2021 07:44:31 -0700
Subject: Re: [lamps] [Anima] RFC8994/8995 requirements for CSRattr
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Sep 2021 07:18:21 -0000

The most popular options that I encounter in the wild right now, and for the last 10 years or so, for augmenting RA->CA:

  *   CMP CRMF requests using raVerified POP (used quite a lot)
  *   REST or SOAP API transporting the original PKCS#10, augmenting outside of the CSR (used even more)

The drive today is clearly towards using some sort of REST API. There is no standard for this of course, perhaps ACME is the closest to a standardized REST API you get today?

Regards,
Tomas

________________________________
From: Spasm <spasm-bounces@ietf.org> on behalf of David von Oheimb <nl0@von-Oheimb.de>
Sent: Sunday, September 5, 2021 3:09 PM
To: Michael Richardson <mcr+ietf@sandelman.ca>ca>; Eliot Lear <lear@lear.ch>ch>; Dan Harkins <dharkins@lounge.org>rg>; Owen Friel <ofriel@cisco.com>om>; Peter van der Stok <stokcons@bbhmail.nl>nl>; max pritikin <pritikin@cisco.com>om>; Toerless Eckert <tte@cs.fau.de>de>; Esko Dijk <esko.dijk@iotconsultancy.nl>nl>; spasm@ietf.org <spasm@ietf.org>rg>; Thomas Werner <thomas-werner@siemens.com>om>; anima@ietf.org <anima@ietf.org>
Subject: Re: [lamps] [Anima] RFC8994/8995 requirements for CSRattr

CAUTION: External Sender - Be cautious when clicking links or opening attachments. Please email InfoSec@keyfactor.com with any questions.

On 03.09.21 19:00, Michael Richardson wrote:

I'm unclear if CMP allows for a standardized way to override the CSR
contents, or if it simply provides more authority for the RA to create a new
CSR of its own.

CMP does not offer a direct/explicit "override" mechanism for CSRs, but it is foreseen that an RA checks a CSR and then modifies it, using the RAVerified option instead of the typical signature-based PoP.
This is one of the use cases we describe in more detail in our new Lightweight CMP profile - see https://datatracker.ietf.org/doc/html/draft-ietf-lamps-lightweight-cmp-profile#section-5.2.3.2<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-ietf-lamps-lightweight-cmp-profile%23section-5.2.3.2&data=04%7C01%7Ctomas.gustavsson%40primekey.com%7Cf3c492278d354bd84ce508d970745e06%7Cc9ed4b459f70418aaa58f04c80848ca9%7C0%7C0%7C637664468472820632%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=fkIbEPvkQxAsRhNmOORlU7btYOJz0l1kpArTpQp8KZQ%3D&reserved=0>
BTW, CMP also offers a variety of further forms of PoP, for keys that do not have the capability for signing - see https://datatracker.ietf.org/doc/html/rfc4210#section-5.2.8.4
<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc4210%23section-5.2.8.4&data=04%7C01%7Ctomas.gustavsson%40primekey.com%7Cf3c492278d354bd84ce508d970745e06%7Cc9ed4b459f70418aaa58f04c80848ca9%7C0%7C0%7C637664468472820632%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=iVEmOILg4eP%2Btz0gY%2FkHJ1WSml9Q2%2B45eEKANCoLxug%3D&reserved=0><https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc4210%23section-5.1.3.4&data=04%7C01%7Ctomas.gustavsson%40primekey.com%7Cf3c492278d354bd84ce508d970745e06%7Cc9ed4b459f70418aaa58f04c80848ca9%7C0%7C0%7C637664468472830590%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=lOtKL1bozHRud9CSGiP5nbyj9X%2FefeTx4eGYeXWDkgo%3D&reserved=0>

With EST this is not possible simply because it uses the rather limited PKCS#10 format, which requires self-signature, which is not possible at the RA (even for keys that can be used for signing) because it does not have the needed private key. In other words, PKCS#10 and thus EST does not support on-behalf CSRs.


While I would also prefer to enhance the RA/CA protocol, I'm not entirely keen on mechanisms that break the original PoP.

Yeah, I also prefer avoiding this - as long as the overhead to the EEs is bearable.

For cases where the PoP is broken by an intermediate entity, CMP cert request message may contain the original (unmodified) CSR for reference purposes - see https://datatracker.ietf.org/doc/html/rfc4210#section-5.1.3.4<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc4210%23section-5.1.3.4&data=04%7C01%7Ctomas.gustavsson%40primekey.com%7Cf3c492278d354bd84ce508d970745e06%7Cc9ed4b459f70418aaa58f04c80848ca9%7C0%7C0%7C637664468472830590%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=lOtKL1bozHRud9CSGiP5nbyj9X%2FefeTx4eGYeXWDkgo%3D&reserved=0>


Anyway, we are going to enhance the CSRattr description to support all the requirements.

Good to have this option then in the future.

    David