Re: [lamps] rollover of CA

Tomas Gustavsson <tomas.gustavsson@primekey.com> Mon, 06 September 2021 07:25 UTC

From: Tomas Gustavsson <tomas.gustavsson@primekey.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, Deb Cooley <debcooley1@gmail.com>, Ryan Sleevi <ryan-ietf@sleevi.com>, SPASM <spasm@ietf.org>
Date: Mon, 6 Sep 2021 07:25:30 +0000
Message-ID: <SJ0PR22MB2542E7AA97C054E4B5C4E4D6E8D29@SJ0PR22MB2542.namprd22.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/gE1QeCQaLZ76iFQQ05UYxbY1VY0>

Haha, nice reference 🙂

Those who control their devices often control the truststore as well, and populate new devices with non-expired CA certificates. The old SCEP protocol has a defined way of updating the trust anchor when devices renew, enabling controlled renewal+trust anchor update throughout a population of devices.

________________________________
From: Michael Richardson
Sent: Friday, September 03, 2021 8:08 PM
To: Tomas Gustavsson; Deb Cooley; Ryan Sleevi; SPASM
Subject: Re: [lamps] rollover of CA


Tomas Gustavsson <tomas.gustavsson@primekey.com> wrote:
    > I remember being part of that discussion Michael.

    > RFC4210 describes it in section 4.2.
    > https://datatracker.ietf.org/doc/html/rfc4210#section-4.4

    > In reality I have only seen rollover using newWithOld, for example in
    > ICAO 9303 part 12 (there called Link Certificate). The purpose being to
    > be able to automatically update the trust anchor with a new Root if you
    > already trust the old Root.
    > https://www.icao.int/publications/Documents/9303_p12_cons_en.pdf

    > I have never understood the purpose of, or seen a practical use of,
    > OldWithNew.

OldWithNew allows a device with an OldCert to be trusted by a device that
has the NewCert.   If the device would simply retain the OldCA, then it's not
needed.

However, a device which has been recently commissioned might have never seen
the oldCA.   If it has to validate a connection from a device which has been offline for
a while, it would be an issue.
In practice, how would the old device ever get the OldWithNew Link Certificate?
That implies that the OldWithNew Link Certificate would never get sent
inband, but rather needs to be provided to new devices when they enroll.

For a practical explanation of this, and the risks of it, I refer you to:
  https://www.youtube.com/watch?v=4HJ-Y8YTo8Q   :-)


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
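The rollover discussed in this thread (RFC 4210 section 4.4), as an added example that is not code from either message or from any project: Go's standard library issues the two roots, the NewWithOld and OldWithNew link certificates and one device certificate under each key, then checks which combinations a device holding a single generation of the root accepts. The CA name "Rollover CA", the device names and the helper functions are assumptions made for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue certifies pub under subject cn, signed by signer whose certificate is parent (nil: self-signed).
func issue(cn string, serial int64, ku x509.KeyUsage, pub ed25519.PublicKey, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0, KeyUsage: ku}
	if parent == nil {
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER that CreateCertificate just produced always parses
	return c
}
// buildRollover constructs the RFC 4210 section 4.4 artefacts: "Rollover CA" keeps its name but moves
// from oldKey to newKey; both roots, both link certificates and one device cert per key are returned by name.
func buildRollover() map[string]*x509.Certificate {
	oldPub, oldKey, _ := ed25519.GenerateKey(rand.Reader)
	newPub, newKey, _ := ed25519.GenerateKey(rand.Reader)
	devPub, _, _ := ed25519.GenerateKey(rand.Reader) // a device's key; only its public half is needed here
	ca, ee := x509.KeyUsageCertSign, x509.KeyUsageDigitalSignature
	r := map[string]*x509.Certificate{}
	r["oldRoot"] = issue("Rollover CA", 1, ca, oldPub, nil, oldKey)
	r["newRoot"] = issue("Rollover CA", 2, ca, newPub, nil, newKey)
	r["newWithOld"] = issue("Rollover CA", 3, ca, newPub, r["oldRoot"], oldKey) // new key certified by the old key
	r["oldWithNew"] = issue("Rollover CA", 4, ca, oldPub, r["newRoot"], newKey) // old key certified by the new key
	r["oldEE"] = issue("device-A", 5, ee, devPub, r["oldRoot"], oldKey)
	r["newEE"] = issue("device-B", 6, ee, devPub, r["newRoot"], newKey)
	return r
}
// verify reports whether a device trusting only root accepts leaf plus the link certificates the peer sent.
func verify(leaf, root *x509.Certificate, links ...*x509.Certificate) bool {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	opts.Roots.AddCert(root)
	for _, l := range links {
		opts.Intermediates.AddCert(l)
	}
	_, err := leaf.Verify(opts)
	return err == nil
}
```

A device that still holds only the old root needs NewWithOld to accept a peer on a new-key certificate, while a freshly commissioned device that holds only the new root needs OldWithNew to accept a peer still on an old-key certificate; without the matching link certificate, or with the wrong one, path validation fails.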