IETF Logo Mail Archive

Re: [stir] WGLC: draft-ietf-stir-cert-delegation-02

"Peterson, Jon" <jon.peterson@team.neustar> Fri, 20 March 2020 00:10 UTC

Return-Path: <prvs=4348621b58=jon.peterson@team.neustar>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D76593A12BD for <stir@ietfa.amsl.com>; Thu, 19 Mar 2020 17:10:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.078
X-Spam-Level:
X-Spam-Status: No, score=-2.078 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, T_SPF_HELO_TEMPERROR=0.01, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=team.neustar
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VcOl0BqsA73M for <stir@ietfa.amsl.com>; Thu, 19 Mar 2020 17:09:56 -0700 (PDT)
Received: from mx0b-0018ba01.pphosted.com (mx0b-0018ba01.pphosted.com [67.231.157.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC5CE3A12E3 for <stir@ietf.org>; Thu, 19 Mar 2020 17:09:43 -0700 (PDT)
Received: from pps.filterd (m0049401.ppops.net [127.0.0.1]) by mx0b-0018ba01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 02JNsUqF010051; Thu, 19 Mar 2020 20:09:40 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=team.neustar; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=team-neustar; bh=1q5rO9bPlSaqYO0dkNSHWsPMVTWEDNk5y8DWeqhVkyA=; b=jss+Aqd19JE326SoDWJYjEnxPytYVVrPVNquneO+NRtvhvMuqosBEKMNQ/yAhSgJaNuo k4/WeBJtblTr2ZqxBQcYHgyQcy+yeBrpko7Dia1Lhg9XUCT1UsLmZ6ju/Bb7UP3CUFHa 3MZptv5aeFDnDzJICB5F4PGmEjFmyTkWcyuLhxYXUOiGm9JToqIkN8XLvTtIu8DOVjQ4 FIMXAg635qeyPu4VPWmpYGBASdnLwhMVaqYPHU1gFIN+TM8z5DznRek6AygjhM2WVY39 jYM9Ib4z6Ml1oedZ5SSIrFF0UzQBsdX0Uzfkj4LvTrq1KDQBIvgAyZA2dcfZUdax8TcD MQ==
Received: from stntexhc10.cis.neustar.com ([156.154.17.216]) by mx0b-0018ba01.pphosted.com with ESMTP id 2yu7623txd-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 19 Mar 2020 20:09:40 -0400
Received: from STNTEXMB103.cis.neustar.com ([fe80::3c08:d7b1:b8d1:dac]) by stntexhc10.cis.neustar.com ([10.31.58.69]) with mapi id 14.03.0439.000; Thu, 19 Mar 2020 20:09:39 -0400
From: "Peterson, Jon" <jon.peterson@team.neustar>
To: Russ Housley <housley@vigilsec.com>, IETF STIR Mail List <stir@ietf.org>
Thread-Topic: [stir] WGLC: draft-ietf-stir-cert-delegation-02
Thread-Index: AQHV97/kIANfI135T0Gd4MfeA/aGz6hHR44AgAkuVwA=
Date: Fri, 20 Mar 2020 00:09:39 +0000
Message-ID: <559D5447-153B-49BD-935D-324F51E5F441@team.neustar>
References: <bb76518f-3373-1368-d2d2-0959f7894e2b@nostrum.com> <93A15472-939F-4688-9487-CB9A582105D1@vigilsec.com>
In-Reply-To: <93A15472-939F-4688-9487-CB9A582105D1@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.12.200112
x-originating-ip: [10.96.14.67]
Content-Type: multipart/alternative; boundary="_000_559D5447153B49BD935D324F51E5F441teamneustar_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.138, 18.0.645 definitions=2020-03-19_10:2020-03-19, 2020-03-19 signatures=0
X-Proofpoint-Spam-Reason: orgsafe
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/3qzjAzsmdL5Z7kOzAZFNqcMFx5c>
Subject: Re: [stir] WGLC: draft-ietf-stir-cert-delegation-02
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Mar 2020 00:10:11 -0000

To the process question, those Info references should be coming along soon – we think the ACME authority token drafts are mature at this point, and acme-star seems to be in Pub Req already.  I’m not entirely sure where the TLS subcerts draft is, but the text about that isn’t too crucial, and if push comes to shove we could drop it.

I will implement the other fixes you recommend below – they all look great. When it comes to the definition of “cross certification”, I’m sure I stole that from some relevant RFC (that the term signifies a CA cert whose issuer is not the same as its subject), but I’m happy to go with your text. The reference in section 5 to “baseline STIR behavior” is to the definition of an authentication service in RFC8224: I’ll clarify that. Your fix to section 7 is also appreciated, as are the many nits.

Thanks,

Jon Peterson
Neustar, Inc.

From: stir <stir-bounces@ietf.org> on behalf of Russ Housley <housley@vigilsec.com>
Date: Friday, March 13, 2020 at 1:57 PM
To: IETF STIR Mail List <stir@ietf.org>
Subject: Re: [stir] WGLC: draft-ietf-stir-cert-delegation-02

Process question:  This is intended to become a Standards-track RFC, and there are a bunch of ACME Internet-Drafts referenced in Section 8.  Do we want to wait for them to get further in the process, or do we want this document to sit in the RFC Editor queue waiting for them to catch up?


Section 4, para 1, says:

  The parent certificate needs to have its CA boolean set to
   "true", indicating that that it can sign certificates.

This is correct, but the enough context.  I suggest:

  The parent certificate needs to contain a basic constraints
  extension with the cA boolean set to "true", indicating that
  the subject can sign certificates.

Also, later in the same paragraph, it says:

   Every STIR delegate certificate identifies its parent
   certificate with a standard [RFC5280] Authority
   Key Identifier.

Please add "extension" to the end of that sentence.


Section 4, para 4, says:

   Delegate certificates may themselves be issued with the CA boolean
   set to "true" so that they can serve as parent certificates to
   further delegates; effectively, this delegate certificate is a cross-
   certificate, as its issuer is not the same as its subject.

I would like to see similar context added here too,  And, I do not see how this create a cross-certificate, which happens when two CAs each issue a certificate to each other:

   +------+             +------+
   |      |------------>|      |
   | CA 1 |             | CA 2 |
   |      |<------------|      |
   +------+             +------+

I suggest:

   Delegate certificates may also contain a basic constraints
   extension with the cA boolean set to "true", indicating that
   they can sign subordinate certificates for further delegates.


Section 4.1, para 4: s/surely sufficient/sufficient/


Section 5, para 1: I am unsure what is meant by "baseline STIR behavior".  Is this [RFC8226]?


Section 6, para 1: s/AKID object/Authority Key Identifier extension/


Section 7, para 1:  s/PEM encoded/PEM-encoded/


Section 7, para 1: I think there is a better way to talk about AKID/SKID order.  I suggest:

   The list begins with the certificate used to sign the PASSporT,
   followed by its parent, and then any subsequent grandparents,
   great-grandparents, and so on.  The key identifier in the Authority
   Key Identifier extension in the first certificate MUST appear in
   the Subject Key Identifier extension in the second certificate.
   The key identifier pairing MUST match in this way throughout the
   entire chain of certificates.  Note that ACME [RFC8555] requires the
   first element in a pem-certificate-chain to be an end-entity
   certificate; however, STIR relaxes this requirement, because CA
   certificates are permitted to sign PASSporTs, so for STIR, the first
   element in a pem-certificate-chain MAY be a CA certificate.


Section 8, para 1: s/may delegate from it as/may delegate resources from it as/


Section 8, para 1: s/the CA boolean set to "true"/a basic constraints extension with the cA boolean set to "true"/


Section 8, para 2: s/CA's root certificate/CA's trust anchor/


Section 8, para 3: s/CPS/CPS [RFC3647]/

v2.23.0 | Report a Bug | By Email