IETF Logo Mail Archive

Re: [stir] [Acme] Authority Token WGLC

"Matthew D. Hardeman" <mhardeman@ipifony.com> Mon, 29 August 2022 18:22 UTC

Return-Path: <mhardeman@ipifony.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 208F6C183F80; Mon, 29 Aug 2022 11:22:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lyvtryQVQhb5; Mon, 29 Aug 2022 11:22:30 -0700 (PDT)
Received: from mail.ipifony.com (mail.ipifony.com [199.71.210.39]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 611C5C1524D8; Mon, 29 Aug 2022 11:22:29 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.ipifony.com (Postfix) with ESMTP id CD29FB48943; Mon, 29 Aug 2022 13:22:28 -0500 (CDT)
X-Virus-Scanned: amavisd-new at ipifony.com
Received: from mail.ipifony.com ([127.0.0.1]) by localhost (mail.ipifony.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QOeEXUIZZTsi; Mon, 29 Aug 2022 13:22:27 -0500 (CDT)
Received: from smtpclient.apple (047-036-194-141.res.spectrum.com [47.36.194.141]) by mail.ipifony.com (Postfix) with ESMTPSA id 530D3B40608; Mon, 29 Aug 2022 13:22:27 -0500 (CDT)
From: "Matthew D. Hardeman" <mhardeman@ipifony.com>
Message-Id: <025B7459-2630-4F76-A024-C5120CE74BCE@ipifony.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_1F418A4E-D8FD-46C7-ABDA-D3255492DD92"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Date: Mon, 29 Aug 2022 13:22:26 -0500
In-Reply-To: <296E664F-0981-444A-96C7-2191986D711F@chriswendt.net>
Cc: Richard Barnes <rlb@ipv.sx>, Deb Cooley <debcooley1@gmail.com>, IETF ACME <acme@ietf.org>, draft-ietf-acme-authority-token-tnauthlist@ietf.org, stir@ietf.org, draft-ietf-acme-authority-token@ietf.org
To: Chris Wendt <chris-ietf@chriswendt.net>
References: <CAGgd1OdkZqqHEsAXL9CpucXop8Qbr5uzknU9Onr5Sj0u_9azzQ@mail.gmail.com> <CAL02cgSKnSq551m45QJdubuYsdyG8DZa4gRFN4G1rr9h04o2kw@mail.gmail.com> <296E664F-0981-444A-96C7-2191986D711F@chriswendt.net>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/Ho9uV425ceEhVHAd8N6I8lQmptw>
Subject: Re: [stir] [Acme] Authority Token WGLC
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Aug 2022 18:22:34 -0000

Hi all,

I'm a subscriber & relying party in the STIR/SHAKEN ecosystem.

I agree with both the comments from Chris Wendt and the proposal from Richard Barnes.

I do believe that the "x5u" parameter should be optional and should only be presented when the CA is offering/committing to publicly publish the certificate & chain in the form which would be expected of an x5u being referenced in a signed JWT, such as the case in the STIR/SHAKEN scheme.

I agree that hosting the issued certificate is optional in the space, but a quick review of call traffic from one of my systems shows that a majority of the certificates we're seeing referenced are being served up from URLs that are hosted by the issuing CAs.  The offering is common among STIR/SHAKEN CAs.

It is also hypothetically possible that other types of certificates from other spaces may also find value in the hosted certificate publication, particularly if these services are sending messages with any kind of signed JWT which will reference the issued certificate.

Thanks,

Matt Hardeman

> On Aug 29, 2022, at 8:19 AM, Chris Wendt <chris-ietf@chriswendt.net> wrote:
> 
> Hi Richard,
> 
> Thanks for the review.  So, just to make sure i’m understanding, you are saying that we should have a feature where both the POST-as-GET standard ACME certificate URL is kept, but we also (maybe optionally or are you saying should mandate this?) offer the ability for a CA hosted URL that would be used directly in PASSporT for making the certificate available for relying party consumption?
> 
> The idea that a CA offers direct URL to certificate has always been considered optional in SHAKEN, originally the thought was that it would be hosted under HTTPS address of the ACME client customer (service provider). I think as things have been implemented in the industry where it turns out many of the CAs are also hosted by vendors of the entire hosted STIR/SHAKEN solutions, as you state that hasn’t been the case and is often hosted under vendor/CA URL.
> 
> I think if we include it as optional, I have no issue including it, if we think it needs to be mandatory would probably want to get more feedback from others.
> 
> -Chris
> 
>> On Aug 26, 2022, at 5:02 PM, Richard Barnes <rlb@ipv.sx <mailto:rlb@ipv.sx>> wrote:
>> 
>> One minor point:
>> 
>> STIR PASSporT objects reference certificates via the JWS "x5u" header, which requires that the URL respond to GET, vs. the POST-as-GET that is used for the ACME certificate URL.  On the face of it, this would seem to require a STIR signer to download their certificate from the CA and republish it on a different server, and in fact ATIS-1000074 describes this behavior.  However, current STIR CAs already offer GET-friendly URLs for their certificates, avoiding the need for such republication.  It would be helpful (for STIR, but also more broadly) if this protocol had a field where a CA that provides this service could specify an "x5u"-friendly certificate URL.
>> 
>> It seems like there's a simple solution here, namely to add a field to completed order objects (state = "valid") that responds to GET requests and provides the certificate in the format "x5u" expects.  You could even just call the field "x5u" :)
>> 
>> Anyway, I realize it's late for a feature request, but this seems like a minor addition, and it seems like fixing this gap would allow the ecosystem to fit together a little more smoothly.
>> 
>> --Richard
>> 
>> On Tue, Aug 23, 2022 at 3:59 PM Deb Cooley <debcooley1@gmail.com <mailto:debcooley1@gmail.com>> wrote:
>> As we agreed at the acme session at IETF 114, this is a limited WGLC for both:
>> 
>> https://datatracker.ietf.org/doc/draft-ietf-acme-authority-token/ <https://datatracker.ietf.org/doc/draft-ietf-acme-authority-token/>
>> https://datatracker.ietf.org/doc/draft-ietf-acme-authority-token-tnauthlist/ <https://datatracker.ietf.org/doc/draft-ietf-acme-authority-token-tnauthlist/>
>> 
>> I've added stir to the to line for good measure (and to broaden the pool of reviewers a bit). We need to see if we can push these forward again.  
>> 
>> The review deadline is 6 Sep 2022.  
>> 
>> Deb Cooley
>> acme co-chair
>> 
>> _______________________________________________
>> Acme mailing list
>> Acme@ietf.org <mailto:Acme@ietf.org>
>> https://www.ietf.org/mailman/listinfo/acme <https://www.ietf.org/mailman/listinfo/acme>
> 
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme

v2.23.0 | Report a Bug | By Email