IETF Logo Mail Archive

Re: [stir] [Acme] Authority Token WGLC

Chris Wendt <chris-ietf@chriswendt.net> Mon, 29 August 2022 13:19 UTC

Return-Path: <chris-ietf@chriswendt.net>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49B5FC152707 for <stir@ietfa.amsl.com>; Mon, 29 Aug 2022 06:19:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level:
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=chriswendt-net.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zXzj8IYi4Wkk for <stir@ietfa.amsl.com>; Mon, 29 Aug 2022 06:19:50 -0700 (PDT)
Received: from mail-qt1-x82a.google.com (mail-qt1-x82a.google.com [IPv6:2607:f8b0:4864:20::82a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A789C152704 for <stir@ietf.org>; Mon, 29 Aug 2022 06:19:50 -0700 (PDT)
Received: by mail-qt1-x82a.google.com with SMTP id x5so6036616qtv.9 for <stir@ietf.org>; Mon, 29 Aug 2022 06:19:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chriswendt-net.20210112.gappssmtp.com; s=20210112; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc; bh=6Uk4zHGrPpVQ17GFunLhp6NCUoRDALcdhIOjtEu1Sfo=; b=RKcmOXCGTSPK8wr3YpXzciLHmlFucSmRlIrochWMdpT/kbSKFMxdGUz/r51sa9WD9r mLxCbQG8iDMhmxMkxxg0roB16RLjemSq7RvjPcfNAWr08vspTGE7aWKyqIt0WPLfbGrP y5+CeKwRQWHqSfXIc/+md2+23beuexhdalM+XWOiPDIuukU6QITtAcfpGSTWAHfPZrPM vj/zwB35LK6AwoA2Wz0DTeODcxltNEzmB8XJpXbBkANV8CJJ4XyfJhmkpp4wsyv6Lmjs 6Lj6bBC2FxeNZPe/Y5XajQ49a9dMzMk9bu3UbWpBgjSrKYWYuCvEI9/b7dZ+bmmrIutb tmOA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc; bh=6Uk4zHGrPpVQ17GFunLhp6NCUoRDALcdhIOjtEu1Sfo=; b=y3kBzdG/G8Vw89NK+EqSsgasDo7MZC2JGamVqINm1+UIpggimPAn+Osxx45hIrqTpk WJAe69dAaELCKg+i+34MIPogK8Q/QS5K8n5rgTxOH1yqzx8r1l5s5fnqYbBlaZNoUUf/ FXaxnWFJXZdTxpcbLQDxVBt204NB++o/RqneDWynuFcuBiOr+TEvwZvDKqhfCdhuaLQZ J17ST3NiiufWhhJnXWBB342G/GB5gChjitxLMDX8S9o0GHC3X20p43TLYaMObjj8kMzQ ida3CxjDX4q9h3wAZY/w6eQ8bV1oz5eQrZ+OcHIOs1RchxJ6futMRL7txPwlx7xl+rTd NMIQ==
X-Gm-Message-State: ACgBeo2X6C5FmxQR80o83ZDARaD7ORcqmfwodgNJu6xey4zJ9YvIT5Yz ib3g0QfyFOAUk95SLA0PzUna/g==
X-Google-Smtp-Source: AA6agR7LpR+9V0vzb+UG0ZQHZ2iNnT2r4qg0+jamwX4khwA5I055EKjyf+fhqlD7RpC2wwoPglp1MQ==
X-Received: by 2002:ac8:5706:0:b0:342:fdd6:d59d with SMTP id 6-20020ac85706000000b00342fdd6d59dmr10035971qtw.159.1661779189394; Mon, 29 Aug 2022 06:19:49 -0700 (PDT)
Received: from smtpclient.apple ([65.217.203.171]) by smtp.gmail.com with ESMTPSA id y6-20020ae9f406000000b006baef6daa45sm5857821qkl.119.2022.08.29.06.19.48 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 29 Aug 2022 06:19:48 -0700 (PDT)
From: Chris Wendt <chris-ietf@chriswendt.net>
Message-Id: <296E664F-0981-444A-96C7-2191986D711F@chriswendt.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_87C0D2CD-80AD-4610-9A21-4CF405867392"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Date: Mon, 29 Aug 2022 09:19:49 -0400
In-Reply-To: <CAL02cgSKnSq551m45QJdubuYsdyG8DZa4gRFN4G1rr9h04o2kw@mail.gmail.com>
Cc: Deb Cooley <debcooley1@gmail.com>, IETF ACME <acme@ietf.org>, draft-ietf-acme-authority-token-tnauthlist@ietf.org, stir@ietf.org, draft-ietf-acme-authority-token@ietf.org
To: Richard Barnes <rlb@ipv.sx>
References: <CAGgd1OdkZqqHEsAXL9CpucXop8Qbr5uzknU9Onr5Sj0u_9azzQ@mail.gmail.com> <CAL02cgSKnSq551m45QJdubuYsdyG8DZa4gRFN4G1rr9h04o2kw@mail.gmail.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/fLuvnz3MCHMg1QIXl7l7ZS-Lflc>
Subject: Re: [stir] [Acme] Authority Token WGLC
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Aug 2022 13:19:54 -0000

Hi Richard,

Thanks for the review.  So, just to make sure i’m understanding, you are saying that we should have a feature where both the POST-as-GET standard ACME certificate URL is kept, but we also (maybe optionally or are you saying should mandate this?) offer the ability for a CA hosted URL that would be used directly in PASSporT for making the certificate available for relying party consumption?

The idea that a CA offers direct URL to certificate has always been considered optional in SHAKEN, originally the thought was that it would be hosted under HTTPS address of the ACME client customer (service provider). I think as things have been implemented in the industry where it turns out many of the CAs are also hosted by vendors of the entire hosted STIR/SHAKEN solutions, as you state that hasn’t been the case and is often hosted under vendor/CA URL.

I think if we include it as optional, I have no issue including it, if we think it needs to be mandatory would probably want to get more feedback from others.

-Chris

> On Aug 26, 2022, at 5:02 PM, Richard Barnes <rlb@ipv.sx> wrote:
> 
> One minor point:
> 
> STIR PASSporT objects reference certificates via the JWS "x5u" header, which requires that the URL respond to GET, vs. the POST-as-GET that is used for the ACME certificate URL.  On the face of it, this would seem to require a STIR signer to download their certificate from the CA and republish it on a different server, and in fact ATIS-1000074 describes this behavior.  However, current STIR CAs already offer GET-friendly URLs for their certificates, avoiding the need for such republication.  It would be helpful (for STIR, but also more broadly) if this protocol had a field where a CA that provides this service could specify an "x5u"-friendly certificate URL.
> 
> It seems like there's a simple solution here, namely to add a field to completed order objects (state = "valid") that responds to GET requests and provides the certificate in the format "x5u" expects.  You could even just call the field "x5u" :)
> 
> Anyway, I realize it's late for a feature request, but this seems like a minor addition, and it seems like fixing this gap would allow the ecosystem to fit together a little more smoothly.
> 
> --Richard
> 
> On Tue, Aug 23, 2022 at 3:59 PM Deb Cooley <debcooley1@gmail.com <mailto:debcooley1@gmail.com>> wrote:
> As we agreed at the acme session at IETF 114, this is a limited WGLC for both:
> 
> https://datatracker.ietf.org/doc/draft-ietf-acme-authority-token/ <https://datatracker.ietf.org/doc/draft-ietf-acme-authority-token/>
> https://datatracker.ietf.org/doc/draft-ietf-acme-authority-token-tnauthlist/ <https://datatracker.ietf.org/doc/draft-ietf-acme-authority-token-tnauthlist/>
> 
> I've added stir to the to line for good measure (and to broaden the pool of reviewers a bit). We need to see if we can push these forward again.  
> 
> The review deadline is 6 Sep 2022.  
> 
> Deb Cooley
> acme co-chair
> 
> _______________________________________________
> Acme mailing list
> Acme@ietf.org <mailto:Acme@ietf.org>
> https://www.ietf.org/mailman/listinfo/acme <https://www.ietf.org/mailman/listinfo/acme>

v2.23.0 | Report a Bug | By Email