Re: [stir] [Acme] Authority Token WGLC

Chris Wendt <chris-ietf@chriswendt.net> Fri, 16 September 2022 21:20 UTC

From: Chris Wendt <chris-ietf@chriswendt.net>
Message-Id: <BF31E86E-D718-4231-8C8E-CCFFDD9F89D2@chriswendt.net>
Date: Fri, 16 Sep 2022 17:19:48 -0400
In-Reply-To: <CAL02cgQwuEqToOdtcanJ1ZXR+TQ-ddBv-Q7RFHTv1gnqmiXAvg@mail.gmail.com>
Cc: Deb Cooley <debcooley1@gmail.com>, IETF ACME <acme@ietf.org>, draft-ietf-acme-authority-token@ietf.org, draft-ietf-acme-authority-token-tnauthlist@ietf.org, IETF STIR Mail List <stir@ietf.org>
To: Richard Barnes <rlb@ipv.sx>
References: <CAGgd1OdkZqqHEsAXL9CpucXop8Qbr5uzknU9Onr5Sj0u_9azzQ@mail.gmail.com> <CAL02cgSKnSq551m45QJdubuYsdyG8DZa4gRFN4G1rr9h04o2kw@mail.gmail.com> <296E664F-0981-444A-96C7-2191986D711F@chriswendt.net> <CAL02cgQwuEqToOdtcanJ1ZXR+TQ-ddBv-Q7RFHTv1gnqmiXAvg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/7JpjmN00VA7XL5tx7bleEs2w97g>
Subject: Re: [stir] [Acme] Authority Token WGLC

Hi All,

I coordinated a bit offline with Richard on new text, so this is integrated in the new draft revision as an optional technique. 

-Chris

> On Aug 29, 2022, at 9:21 AM, Richard Barnes <rlb@ipv.sx> wrote:
> 
> Yeah, I was definitely thinking it would be optional.  If the new field is present, a client could use it as its x5u parameter. If not, the client knows it has to download and republish the certificate. 
> 
> —Richard
> 
> 
> On Mon, Aug 29, 2022 at 09:19 Chris Wendt <chris-ietf@chriswendt.net> wrote:
> Hi Richard,
> 
> Thanks for the review.  So, just to make sure I’m understanding, you are saying that we should have a feature where both the POST-as-GET standard ACME certificate URL is kept, but we also (maybe optionally, or are you saying we should mandate this?) offer the ability for a CA-hosted URL that would be used directly in PASSporT for making the certificate available for relying party consumption?
> 
> The idea that a CA offers direct URL to certificate has always been considered optional in SHAKEN, originally the thought was that it would be hosted under HTTPS address of the ACME client customer (service provider). I think as things have been implemented in the industry where it turns out many of the CAs are also hosted by vendors of the entire hosted STIR/SHAKEN solutions, as you state that hasn’t been the case and is often hosted under vendor/CA URL.
> 
> I think if we include it as optional, I have no issue including it, if we think it needs to be mandatory would probably want to get more feedback from others.
> 
> -Chris
> 
>> On Aug 26, 2022, at 5:02 PM, Richard Barnes <rlb@ipv.sx> wrote:
>> 
>> One minor point:
>> 
>> STIR PASSporT objects reference certificates via the JWS "x5u" header, which requires that the URL respond to GET, vs. the POST-as-GET that is used for the ACME certificate URL.  On the face of it, this would seem to require a STIR signer to download their certificate from the CA and republish it on a different server, and in fact ATIS-1000074 describes this behavior.  However, current STIR CAs already offer GET-friendly URLs for their certificates, avoiding the need for such republication.  It would be helpful (for STIR, but also more broadly) if this protocol had a field where a CA that provides this service could specify an "x5u"-friendly certificate URL.
>> 
>> It seems like there's a simple solution here, namely to add a field to completed order objects (state = "valid") that responds to GET requests and provides the certificate in the format "x5u" expects.  You could even just call the field "x5u" :)
>> 
>> Anyway, I realize it's late for a feature request, but this seems like a minor addition, and it seems like fixing this gap would allow the ecosystem to fit together a little more smoothly.
>> 
>> --Richard
>> 
>> On Tue, Aug 23, 2022 at 3:59 PM Deb Cooley <debcooley1@gmail.com> wrote:
>> As we agreed at the acme session at IETF 114, this is a limited WGLC for both:
>> 
>> https://datatracker.ietf.org/doc/draft-ietf-acme-authority-token/
>> https://datatracker.ietf.org/doc/draft-ietf-acme-authority-token-tnauthlist/
>> 
>> I've added stir to the To line for good measure (and to broaden the pool of reviewers a bit). We need to see if we can push these forward again.
>> 
>> The review deadline is 6 Sep 2022.  
>> 
>> Deb Cooley
>> acme co-chair
>> 
>
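The client-side behaviour Richard describes in the thread (use the CA's GET-friendly URL as the PASSporT "x5u" when the order carries one, otherwise fetch the certificate via POST-as-GET and republish it), as an added stand-alone illustration that is not code from the draft or from any ACME or STIR implementation. The order objects, the hypothetical `x5u` order member, the URLs and the PASSporT payload are all constructed sample values.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed sample ACME order objects in the RFC 8555 shape. The "x5u" member
# is the field proposed in the thread, not a standard ACME order field.
ORDER_WITH_X5U = {
    "status": "valid",
    "certificate": "https://ca.example/acme/cert/abc123",  # POST-as-GET URL
    "x5u": "https://ca.example/certs/abc123.pem",          # GET-friendly URL
}
ORDER_WITHOUT_X5U = {
    "status": "valid",
    "certificate": "https://ca.example/acme/cert/def456",
}

def b64url(data: bytes) -> str:
    """JWS base64url encoding without padding (RFC 7515, section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def select_x5u(order: dict, republish_base: str) -> tuple[str, bool]:
    """Choose the certificate URL for the PASSporT "x5u" header.
    Returns (url, must_republish). Only a completed order has a certificate."""
    if order.get("status") != "valid":
        raise ValueError("order is not in state valid; no certificate yet")
    url = order.get("x5u")
    if url is not None:
        if urlparse(url).scheme != "https":
            raise ValueError("x5u URL must be https")
        return url, False
    # No CA-hosted GET URL: the client has to fetch order["certificate"] via
    # POST-as-GET and host it itself (the ATIS-1000074 behaviour).
    name = order["certificate"].rstrip("/").rsplit("/", 1)[-1]
    return f"{republish_base.rstrip('/')}/{name}.pem", True

def passport_signing_input(x5u: str, payload: dict) -> str:
    """Build the JWS signing input (header.payload) of a SHAKEN PASSporT
    (RFC 8225 / RFC 8588). The ES256 signature step is left out here."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())
    return f"{enc(header)}.{enc(payload)}"

if __name__ == "__main__":
    url, republish = select_x5u(ORDER_WITH_X5U, "https://sp.example/certs")
    payload = {"attest": "A", "dest": {"tn": ["12155551213"]}, "iat": 1663363189,
               "orig": {"tn": "12155551212"}, "origid": "constructed-example"}
    print(url, republish, passport_signing_input(url, payload))
```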