IETF Logo Mail Archive

Re: [stir] [Acme] Authority Token WGLC

Richard Barnes <rlb@ipv.sx> Mon, 29 August 2022 13:22 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE9EAC182D6B for <stir@ietfa.amsl.com>; Mon, 29 Aug 2022 06:22:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level:
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2yGiKO9INa-S for <stir@ietfa.amsl.com>; Mon, 29 Aug 2022 06:22:38 -0700 (PDT)
Received: from mail-qk1-x72c.google.com (mail-qk1-x72c.google.com [IPv6:2607:f8b0:4864:20::72c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 576AAC15EB50 for <stir@ietf.org>; Mon, 29 Aug 2022 06:21:55 -0700 (PDT)
Received: by mail-qk1-x72c.google.com with SMTP id f14so5983982qkm.0 for <stir@ietf.org>; Mon, 29 Aug 2022 06:21:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=JPIlFKN7DWf07hWacwBsry0nmJ6Udv4/+ifPr5xeMA8=; b=CgKe3dySNIDegxXWcDJsbHV6lo6qHhY9JchxalrSJaWGUBQpWy4J3NyaawqhG4a39k G2/yHDTg5w5G0htcTFOO5yYQk1xfFuMp5CtZ3+1Vtev+DKg929O63Nq2MSx3xfhl3Kae oUNKDbI/ZeKqK/a3ICmjHrVNNRf5xBA62YwF2m/ymxJUHxe5JH2eLvZ1kAUdLRhXaxPD 5Gv8RR9anzlZuMsTM+yE3MGP6q+BXX8TxFzt5U9MWw0ibHlAUnEkF5HTPVwV9km+UQzE uBGd9T5rolKdLRyoUBGSAS1Kx5+GLvl+pNVfY1HuDlDc2n8M+Rr+NVo6f0nOBPFyBLPm TQPw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=JPIlFKN7DWf07hWacwBsry0nmJ6Udv4/+ifPr5xeMA8=; b=kbHmDJPDUxG/lZ47oMnIF1rqVpVbyt9YcEddzvxXCi15ZV7wlO6dSSwY15TnvaC70q Rec4EXFfpKbqJt3bUXGrMihz6afqLW4BJqeINKNgEQymWGSx825y43rDwHG8UHwiysAZ iqKzg/kkURQQTMmLPZHa1yQjc6PFaX1evLAVjMNZH4i/ujc0YXor5hWUtrwhJfklNIAX +QZOl9jkM9ZJLZE1tnNv5qPa9WrqX9aopRizIE9JzK4C8NbfWe/1nMDg94t//zDASoGh CpZV+Dv2QqDcQ7ynkmkn8jPR8BNoa7oYq+1cq+Z5tzfBZwfvKHGjTzQC6w4lPoSUVjwZ 7e2Q==
X-Gm-Message-State: ACgBeo0IpaJV9SbzqL3BmrySD4PavUruIwD7ScLnzEASqqMSa0WMM5P8 BusmVEK6IVg1Wq6wsXZTxCwcSq93mtAdFX8ZnCsaGg==
X-Google-Smtp-Source: AA6agR6Rgg8UUoDJBIdRJ+kipMtOYyFrb6dnblGSUUXq9rJlsy8QXqKnof+7jD6fTyCedlRofJoKyAPg8scj+LoXH1g=
X-Received: by 2002:a05:620a:4511:b0:6be:5a96:786e with SMTP id t17-20020a05620a451100b006be5a96786emr8268695qkp.636.1661779314103; Mon, 29 Aug 2022 06:21:54 -0700 (PDT)
MIME-Version: 1.0
References: <CAGgd1OdkZqqHEsAXL9CpucXop8Qbr5uzknU9Onr5Sj0u_9azzQ@mail.gmail.com> <CAL02cgSKnSq551m45QJdubuYsdyG8DZa4gRFN4G1rr9h04o2kw@mail.gmail.com> <296E664F-0981-444A-96C7-2191986D711F@chriswendt.net>
In-Reply-To: <296E664F-0981-444A-96C7-2191986D711F@chriswendt.net>
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 29 Aug 2022 09:21:43 -0400
Message-ID: <CAL02cgQwuEqToOdtcanJ1ZXR+TQ-ddBv-Q7RFHTv1gnqmiXAvg@mail.gmail.com>
To: Chris Wendt <chris-ietf@chriswendt.net>
Cc: Deb Cooley <debcooley1@gmail.com>, IETF ACME <acme@ietf.org>, draft-ietf-acme-authority-token@ietf.org, draft-ietf-acme-authority-token-tnauthlist@ietf.org, stir@ietf.org
Content-Type: multipart/alternative; boundary="000000000000b66a4705e7612551"
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/S5ymQfySz_dQhhahWSvE7ljR5tU>
Subject: Re: [stir] [Acme] Authority Token WGLC
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Aug 2022 13:22:42 -0000

Yeah, I was definitely thinking it would be optional.  If the new field is
present, a client could use it as its x5u parameter. If not, the client
knows it has to download and republish the certificate.

—Richard


On Mon, Aug 29, 2022 at 09:19 Chris Wendt <chris-ietf@chriswendt.net> wrote:

> Hi Richard,
>
> Thanks for the review.  So, just to make sure i’m understanding, you are
> saying that we should have a feature where both the POST-as-GET standard
> ACME certificate URL is kept, but we also (maybe optionally or are you
> saying should mandate this?) offer the ability for a CA hosted URL that
> would be used directly in PASSporT for making the certificate available for
> relying party consumption?
>
> The idea that a CA offers direct URL to certificate has always been
> considered optional in SHAKEN, originally the thought was that it would be
> hosted under HTTPS address of the ACME client customer (service provider).
> I think as things have been implemented in the industry where it turns out
> many of the CAs are also hosted by vendors of the entire hosted STIR/SHAKEN
> solutions, as you state that hasn’t been the case and is often hosted under
> vendor/CA URL.
>
> I think if we include it as optional, I have no issue including it, if we
> think it needs to be mandatory would probably want to get more feedback
> from others.
>
> -Chris
>
> On Aug 26, 2022, at 5:02 PM, Richard Barnes <rlb@ipv.sx> wrote:
>
> One minor point:
>
> STIR PASSporT objects reference certificates via the JWS "x5u" header,
> which requires that the URL respond to GET, vs. the POST-as-GET that is
> used for the ACME certificate URL.  On the face of it, this would seem to
> require a STIR signer to download their certificate from the CA and
> republish it on a different server, and in fact ATIS-1000074 describes this
> behavior.  However, current STIR CAs already offer GET-friendly URLs for
> their certificates, avoiding the need for such republication.  It would be
> helpful (for STIR, but also more broadly) if this protocol had a field
> where a CA that provides this service could specify an "x5u"-friendly
> certificate URL.
>
> It seems like there's a simple solution here, namely to add a field to
> completed order objects (state = "valid") that responds to GET requests and
> provides the certificate in the format "x5u" expects.  You could even just
> call the field "x5u" :)
>
> Anyway, I realize it's late for a feature request, but this seems like a
> minor addition, and it seems like fixing this gap would allow the ecosystem
> to fit together a little more smoothly.
>
> --Richard
>
> On Tue, Aug 23, 2022 at 3:59 PM Deb Cooley <debcooley1@gmail.com> wrote:
>
>> As we agreed at the acme session at IETF 114, this is a limited WGLC for
>> both:
>>
>> https://datatracker.ietf.org/doc/draft-ietf-acme-authority-token/
>>
>> https://datatracker.ietf.org/doc/draft-ietf-acme-authority-token-tnauthlist/
>>
>> I've added stir to the to line for good measure (and to broaden the pool
>> of reviewers a bit). We need to see if we can push these forward again.
>>
>> The review deadline is 6 Sep 2022.
>>
>> Deb Cooley
>> acme co-chair
>>
>> _______________________________________________
>> Acme mailing list
>> Acme@ietf.org
>> https://www.ietf.org/mailman/listinfo/acme
>>
>
>

v2.23.0 | Report a Bug | By Email