Re: [stir] [Acme] Authority Token WGLC

Richard Barnes <rlb@ipv.sx> Fri, 26 August 2022 21:02 UTC

References: <CAGgd1OdkZqqHEsAXL9CpucXop8Qbr5uzknU9Onr5Sj0u_9azzQ@mail.gmail.com>
In-Reply-To: <CAGgd1OdkZqqHEsAXL9CpucXop8Qbr5uzknU9Onr5Sj0u_9azzQ@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Fri, 26 Aug 2022 17:02:05 -0400
Message-ID: <CAL02cgSKnSq551m45QJdubuYsdyG8DZa4gRFN4G1rr9h04o2kw@mail.gmail.com>
To: Deb Cooley <debcooley1@gmail.com>
Cc: IETF ACME <acme@ietf.org>, draft-ietf-acme-authority-token-tnauthlist@ietf.org, stir@ietf.org, draft-ietf-acme-authority-token@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/J-t_oQWFqimKcPbDqfxyBr0c-08>
Subject: Re: [stir] [Acme] Authority Token WGLC
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>

One minor point:

STIR PASSporT objects reference certificates via the JWS "x5u" header,
which requires that the URL respond to GET, vs. the POST-as-GET that is
used for the ACME certificate URL.  On the face of it, this would seem to
require a STIR signer to download their certificate from the CA and
republish it on a different server, and in fact ATIS-1000074 describes this
behavior.  However, current STIR CAs already offer GET-friendly URLs for
their certificates, avoiding the need for such republication.  It would be
helpful (for STIR, but also more broadly) if this protocol had a field
where a CA that provides this service could specify an "x5u"-friendly
certificate URL.

It seems like there's a simple solution here, namely to add a field to
completed order objects (state = "valid") that responds to GET requests and
provides the certificate in the format "x5u" expects.  You could even just
call the field "x5u" :)

Anyway, I realize it's late for a feature request, but this seems like a
minor addition, and it seems like fixing this gap would allow the ecosystem
to fit together a little more smoothly.

--Richard

On Tue, Aug 23, 2022 at 3:59 PM Deb Cooley <debcooley1@gmail.com> wrote:

> As we agreed at the acme session at IETF 114, this is a limited WGLC for
> both:
>
> https://datatracker.ietf.org/doc/draft-ietf-acme-authority-token/
>
> https://datatracker.ietf.org/doc/draft-ietf-acme-authority-token-tnauthlist/
>
> I've added stir to the to line for good measure (and to broaden the pool
> of reviewers a bit). We need to see if we can push these forward again.
>
> The review deadline is 6 Sep 2022.
>
> Deb Cooley
> acme co-chair
>
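An added illustration of the mismatch the message describes, not code from the message, the ACME drafts or any CA: an RFC 8555 certificate URL answers only POST-as-GET, while a STIR verifier dereferences the PASSporT "x5u" header with a plain GET, so pointing "x5u" at the ACME certificate URL fails unless the CA also advertises a GET-friendly URL. The URLs, PEM body and order object are constructed; the "x5u" order member is the hypothetical field proposed in the message, and the order state is spelled `status` as RFC 8555 names it.

```python
import json
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, Dict[str, str], str]

# Constructed stand-in for a PEM certificate chain; not a real certificate.
PEM_CHAIN = "-----BEGIN CERTIFICATE-----\n<constructed>\n-----END CERTIFICATE-----\n"

def acme_certificate_resource(method: str, body: Optional[str]) -> Response:
    """RFC 8555 section 7.4.2: the certificate URL is a POST-as-GET resource.
    A plain GET is refused; a JWS with an empty payload is accepted.
    Simplified: the JWS signature is not verified here."""
    if method != "POST":
        return 405, {"Allow": "POST"}, ""
    jws = json.loads(body or "{}")
    if "protected" not in jws or jws.get("payload") != "":
        return 400, {"Content-Type": "application/problem+json"}, "malformed"
    return 200, {"Content-Type": "application/pem-certificate-chain"}, PEM_CHAIN

def x5u_certificate_resource(method: str, body: Optional[str]) -> Response:
    """The GET-friendly URL the message asks the CA to advertise."""
    if method != "GET":
        return 405, {"Allow": "GET"}, ""
    return 200, {"Content-Type": "application/pem-certificate-chain"}, PEM_CHAIN

# Constructed URLs standing in for a CA's ACME endpoint and its cert repository.
ROUTES: Dict[str, Callable[[str, Optional[str]], Response]] = {
    "https://acme.example/acme/cert/abc123": acme_certificate_resource,
    "https://repo.example/certs/abc123.pem": x5u_certificate_resource,
}

def fetch_x5u(url: str) -> Response:
    """A STIR verifier dereferences the PASSporT 'x5u' header with a plain GET
    (RFC 7515 section 4.1.5); it has no ACME account key to sign a POST-as-GET."""
    return ROUTES[url]("GET", None)

def choose_x5u(order: Dict[str, str]) -> Optional[str]:
    """URL a signer should put in 'x5u'. Prefers the hypothetical 'x5u' member
    on a finalized order (status 'valid' in RFC 8555 terms); None means the
    signer would have to download and republish the certificate itself."""
    if order.get("status") != "valid":
        raise ValueError("order is not in the 'valid' state")
    return order.get("x5u")

# Constructed completed order as the proposal would extend it.
ORDER = {"status": "valid",
         "certificate": "https://acme.example/acme/cert/abc123",
         "x5u": "https://repo.example/certs/abc123.pem"}
```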