Re: [stir] [Acme] Authority Token WGLC
Richard Barnes <rlb@ipv.sx> Mon, 29 August 2022 13:22 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE9EAC182D6B for <stir@ietfa.amsl.com>; Mon, 29 Aug 2022 06:22:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level:
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2yGiKO9INa-S for <stir@ietfa.amsl.com>; Mon, 29 Aug 2022 06:22:38 -0700 (PDT)
Received: from mail-qk1-x72c.google.com (mail-qk1-x72c.google.com [IPv6:2607:f8b0:4864:20::72c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 576AAC15EB50 for <stir@ietf.org>; Mon, 29 Aug 2022 06:21:55 -0700 (PDT)
Received: by mail-qk1-x72c.google.com with SMTP id f14so5983982qkm.0 for <stir@ietf.org>; Mon, 29 Aug 2022 06:21:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=JPIlFKN7DWf07hWacwBsry0nmJ6Udv4/+ifPr5xeMA8=; b=CgKe3dySNIDegxXWcDJsbHV6lo6qHhY9JchxalrSJaWGUBQpWy4J3NyaawqhG4a39k G2/yHDTg5w5G0htcTFOO5yYQk1xfFuMp5CtZ3+1Vtev+DKg929O63Nq2MSx3xfhl3Kae oUNKDbI/ZeKqK/a3ICmjHrVNNRf5xBA62YwF2m/ymxJUHxe5JH2eLvZ1kAUdLRhXaxPD 5Gv8RR9anzlZuMsTM+yE3MGP6q+BXX8TxFzt5U9MWw0ibHlAUnEkF5HTPVwV9km+UQzE uBGd9T5rolKdLRyoUBGSAS1Kx5+GLvl+pNVfY1HuDlDc2n8M+Rr+NVo6f0nOBPFyBLPm TQPw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=JPIlFKN7DWf07hWacwBsry0nmJ6Udv4/+ifPr5xeMA8=; b=kbHmDJPDUxG/lZ47oMnIF1rqVpVbyt9YcEddzvxXCi15ZV7wlO6dSSwY15TnvaC70q Rec4EXFfpKbqJt3bUXGrMihz6afqLW4BJqeINKNgEQymWGSx825y43rDwHG8UHwiysAZ iqKzg/kkURQQTMmLPZHa1yQjc6PFaX1evLAVjMNZH4i/ujc0YXor5hWUtrwhJfklNIAX +QZOl9jkM9ZJLZE1tnNv5qPa9WrqX9aopRizIE9JzK4C8NbfWe/1nMDg94t//zDASoGh CpZV+Dv2QqDcQ7ynkmkn8jPR8BNoa7oYq+1cq+Z5tzfBZwfvKHGjTzQC6w4lPoSUVjwZ 7e2Q==
X-Gm-Message-State: ACgBeo0IpaJV9SbzqL3BmrySD4PavUruIwD7ScLnzEASqqMSa0WMM5P8 BusmVEK6IVg1Wq6wsXZTxCwcSq93mtAdFX8ZnCsaGg==
X-Google-Smtp-Source: AA6agR6Rgg8UUoDJBIdRJ+kipMtOYyFrb6dnblGSUUXq9rJlsy8QXqKnof+7jD6fTyCedlRofJoKyAPg8scj+LoXH1g=
X-Received: by 2002:a05:620a:4511:b0:6be:5a96:786e with SMTP id t17-20020a05620a451100b006be5a96786emr8268695qkp.636.1661779314103; Mon, 29 Aug 2022 06:21:54 -0700 (PDT)
MIME-Version: 1.0
References: <CAGgd1OdkZqqHEsAXL9CpucXop8Qbr5uzknU9Onr5Sj0u_9azzQ@mail.gmail.com> <CAL02cgSKnSq551m45QJdubuYsdyG8DZa4gRFN4G1rr9h04o2kw@mail.gmail.com> <296E664F-0981-444A-96C7-2191986D711F@chriswendt.net>
In-Reply-To: <296E664F-0981-444A-96C7-2191986D711F@chriswendt.net>
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 29 Aug 2022 09:21:43 -0400
Message-ID: <CAL02cgQwuEqToOdtcanJ1ZXR+TQ-ddBv-Q7RFHTv1gnqmiXAvg@mail.gmail.com>
To: Chris Wendt <chris-ietf@chriswendt.net>
Cc: Deb Cooley <debcooley1@gmail.com>, IETF ACME <acme@ietf.org>, draft-ietf-acme-authority-token@ietf.org, draft-ietf-acme-authority-token-tnauthlist@ietf.org, stir@ietf.org
Content-Type: multipart/alternative; boundary="000000000000b66a4705e7612551"
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/S5ymQfySz_dQhhahWSvE7ljR5tU>
Subject: Re: [stir] [Acme] Authority Token WGLC
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Aug 2022 13:22:42 -0000
Yeah, I was definitely thinking it would be optional. If the new field is present, a client could use it as its x5u parameter. If not, the client knows it has to download and republish the certificate. —Richard On Mon, Aug 29, 2022 at 09:19 Chris Wendt <chris-ietf@chriswendt.net> wrote: > Hi Richard, > > Thanks for the review. So, just to make sure i’m understanding, you are > saying that we should have a feature where both the POST-as-GET standard > ACME certificate URL is kept, but we also (maybe optionally or are you > saying should mandate this?) offer the ability for a CA hosted URL that > would be used directly in PASSporT for making the certificate available for > relying party consumption? > > The idea that a CA offers direct URL to certificate has always been > considered optional in SHAKEN, originally the thought was that it would be > hosted under HTTPS address of the ACME client customer (service provider). > I think as things have been implemented in the industry where it turns out > many of the CAs are also hosted by vendors of the entire hosted STIR/SHAKEN > solutions, as you state that hasn’t been the case and is often hosted under > vendor/CA URL. > > I think if we include it as optional, I have no issue including it, if we > think it needs to be mandatory would probably want to get more feedback > from others. > > -Chris > > On Aug 26, 2022, at 5:02 PM, Richard Barnes <rlb@ipv.sx> wrote: > > One minor point: > > STIR PASSporT objects reference certificates via the JWS "x5u" header, > which requires that the URL respond to GET, vs. the POST-as-GET that is > used for the ACME certificate URL. On the face of it, this would seem to > require a STIR signer to download their certificate from the CA and > republish it on a different server, and in fact ATIS-1000074 describes this > behavior. However, current STIR CAs already offer GET-friendly URLs for > their certificates, avoiding the need for such republication. It would be > helpful (for STIR, but also more broadly) if this protocol had a field > where a CA that provides this service could specify an "x5u"-friendly > certificate URL. > > It seems like there's a simple solution here, namely to add a field to > completed order objects (state = "valid") that responds to GET requests and > provides the certificate in the format "x5u" expects. You could even just > call the field "x5u" :) > > Anyway, I realize it's late for a feature request, but this seems like a > minor addition, and it seems like fixing this gap would allow the ecosystem > to fit together a little more smoothly. > > --Richard > > On Tue, Aug 23, 2022 at 3:59 PM Deb Cooley <debcooley1@gmail.com> wrote: > >> As we agreed at the acme session at IETF 114, this is a limited WGLC for >> both: >> >> https://datatracker.ietf.org/doc/draft-ietf-acme-authority-token/ >> >> https://datatracker.ietf.org/doc/draft-ietf-acme-authority-token-tnauthlist/ >> >> I've added stir to the to line for good measure (and to broaden the pool >> of reviewers a bit). We need to see if we can push these forward again. >> >> The review deadline is 6 Sep 2022. >> >> Deb Cooley >> acme co-chair >> >> _______________________________________________ >> Acme mailing list >> Acme@ietf.org >> https://www.ietf.org/mailman/listinfo/acme >> > >
- [stir] Authority Token WGLC Deb Cooley
- Re: [stir] [Acme] Authority Token WGLC Richard Barnes
- Re: [stir] [Acme] Authority Token WGLC Chris Wendt
- Re: [stir] [Acme] Authority Token WGLC Richard Barnes
- Re: [stir] [Acme] Authority Token WGLC Matthew D. Hardeman
- Re: [stir] [Acme] Authority Token WGLC Sean Turner
- Re: [stir] [Acme] Authority Token WGLC Chris Wendt
- Re: [stir] [Acme] Authority Token WGLC Chris Wendt