IETF Logo Mail Archive

Re: [stir] WGLC: draft-ietf-stir-cert-delegation-02

Russ Housley <housley@vigilsec.com> Fri, 13 March 2020 20:57 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16EF53A0FBE for <stir@ietfa.amsl.com>; Fri, 13 Mar 2020 13:57:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bVxgw_XyGnvY for <stir@ietfa.amsl.com>; Fri, 13 Mar 2020 13:57:34 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E7443A0FAB for <stir@ietf.org>; Fri, 13 Mar 2020 13:57:34 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id F146F300B27 for <stir@ietf.org>; Fri, 13 Mar 2020 16:57:26 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id aDY0ZhWZcm8G for <stir@ietf.org>; Fri, 13 Mar 2020 16:57:25 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (pool-72-66-113-56.washdc.fios.verizon.net [72.66.113.56]) by mail.smeinc.net (Postfix) with ESMTPSA id 2C1853004C0 for <stir@ietf.org>; Fri, 13 Mar 2020 16:57:25 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_DEF5822F-1111-404A-AE30-FCFE79470F3F"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Fri, 13 Mar 2020 16:57:26 -0400
References: <bb76518f-3373-1368-d2d2-0959f7894e2b@nostrum.com>
To: IETF STIR Mail List <stir@ietf.org>
In-Reply-To: <bb76518f-3373-1368-d2d2-0959f7894e2b@nostrum.com>
Message-Id: <93A15472-939F-4688-9487-CB9A582105D1@vigilsec.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/aF4GU8LJa7KQ7M7CdewlyhwvwW4>
Subject: Re: [stir] WGLC: draft-ietf-stir-cert-delegation-02
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Mar 2020 20:57:37 -0000

Process question:  This is intended to become a Standards-track RFC, and there are a bunch of ACME Internet-Drafts referenced in Section 8.  Do we want to wait for them to get further in the process, or do we want this document to sit in the RFC Editor queue waiting for them to catch up?


Section 4, para 1, says:

  The parent certificate needs to have its CA boolean set to
   "true", indicating that that it can sign certificates.

This is correct, but the enough context.  I suggest:

  The parent certificate needs to contain a basic constraints
  extension with the cA boolean set to "true", indicating that
  the subject can sign certificates.

Also, later in the same paragraph, it says:

   Every STIR delegate certificate identifies its parent
   certificate with a standard [RFC5280] Authority
   Key Identifier.

Please add "extension" to the end of that sentence.


Section 4, para 4, says:

   Delegate certificates may themselves be issued with the CA boolean
   set to "true" so that they can serve as parent certificates to
   further delegates; effectively, this delegate certificate is a cross-
   certificate, as its issuer is not the same as its subject.

I would like to see similar context added here too,  And, I do not see how this create a cross-certificate, which happens when two CAs each issue a certificate to each other:

   +------+             +------+
   |      |------------>|      |
   | CA 1 |             | CA 2 |
   |      |<------------|      |
   +------+             +------+

I suggest:

   Delegate certificates may also contain a basic constraints
   extension with the cA boolean set to "true", indicating that
   they can sign subordinate certificates for further delegates.


Section 4.1, para 4: s/surely sufficient/sufficient/


Section 5, para 1: I am unsure what is meant by "baseline STIR behavior".  Is this [RFC8226]?


Section 6, para 1: s/AKID object/Authority Key Identifier extension/


Section 7, para 1:  s/PEM encoded/PEM-encoded/


Section 7, para 1: I think there is a better way to talk about AKID/SKID order.  I suggest:

   The list begins with the certificate used to sign the PASSporT,
   followed by its parent, and then any subsequent grandparents,
   great-grandparents, and so on.  The key identifier in the Authority
   Key Identifier extension in the first certificate MUST appear in
   the Subject Key Identifier extension in the second certificate.
   The key identifier pairing MUST match in this way throughout the
   entire chain of certificates.  Note that ACME [RFC8555] requires the
   first element in a pem-certificate-chain to be an end-entity
   certificate; however, STIR relaxes this requirement, because CA
   certificates are permitted to sign PASSporTs, so for STIR, the first
   element in a pem-certificate-chain MAY be a CA certificate.


Section 8, para 1: s/may delegate from it as/may delegate resources from it as/


Section 8, para 1: s/the CA boolean set to "true"/a basic constraints extension with the cA boolean set to "true"/


Section 8, para 2: s/CA's root certificate/CA's trust anchor/


Section 8, para 3: s/CPS/CPS [RFC3647]/

v2.23.0 | Report a Bug | By Email