[Acme] (Re)Design sketch
Phillip Hallam-Baker <phill@hallambaker.com> Wed, 03 December 2014 20:32 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB6A41A6F3A for <acme@ietfa.amsl.com>; Wed, 3 Dec 2014 12:32:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hqxkv6R3N72P for <acme@ietfa.amsl.com>; Wed, 3 Dec 2014 12:32:15 -0800 (PST)
Received: from mail-la0-x229.google.com (mail-la0-x229.google.com [IPv6:2a00:1450:4010:c03::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 673AC1A1B4A for <acme@ietf.org>; Wed, 3 Dec 2014 12:31:52 -0800 (PST)
Received: by mail-la0-f41.google.com with SMTP id hv19so8482436lab.14 for <acme@ietf.org>; Wed, 03 Dec 2014 12:31:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:message-id:subject:from:to:content-type; bh=3X0KFftyEFYdHgwaDTTP0guDkptqVqBzPBVkKVvy/Zs=; b=UjUIt93CTTbL3M/8eRpevo3/6vBayyaDOdkodxTVCSwxq791zEeknN9S++qY2iC0DP NBU3Vm9VkTWT7GcgteJTp7JXglTr7/+2Vy5DKXd+HdO1kih7gQR0rnPYkvRFFZHJD761 xHMQqX6Yt6wDWXRRjWil67wM40PXTKN/WmfuRtXyN/UuvSPb829QBBNUjEMkKju/T0oI 3aXeJxlQSu8Sr7BEQVDZm0bDREIpem+JvmjOvTGpS89SO1LWVqHSr9Etfy0FB/MUBTzb 1OBHPefDl1LhmBTnZSLI/UGpYLjvBQGIyELpMxllq5/yB8g08Ra/jwjqTEMytNEexekr LS3Q==
MIME-Version: 1.0
X-Received: by 10.112.27.133 with SMTP id t5mr5968091lbg.45.1417638710841; Wed, 03 Dec 2014 12:31:50 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.19.42 with HTTP; Wed, 3 Dec 2014 12:31:50 -0800 (PST)
Date: Wed, 03 Dec 2014 15:31:50 -0500
X-Google-Sender-Auth: mnhz59jnKK8jo2YHIrWZL8TqB-4
Message-ID: <CAMm+Lwj8JsCnK8uHfpEbXr-xRC6MO7GFyzegAsw2tFr3fqGXmQ@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: "acme@ietf.org" <acme@ietf.org>
Content-Type: multipart/alternative; boundary="001a1133b04ac79666050955bbdd"
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/O89RZ8a3_FBchxrf3dZXiclNBfc
Subject: [Acme] (Re)Design sketch
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Dec 2014 20:32:18 -0000
Comodo has an existing API for certificate issue. It is functional and works but it isn't ideal because: 1) It isn't JSON and we have customers that demand JSON. 2) It is proprietary which means we have to support plug ins for a large number of servers which is costly and reduces the utility to larger installations. 3) It is rather crusty as features have been added gradually over the years by a variety of authors in a variety of styles. If we follow the path of only addressing the problems considered important by one CA that has yet to issue a cert then the result is only going to address the first two problems. We will end up with another PKIX situation where the stack is ridiculously complicated BECAUSE of the attempts to 'keep it simple'. Lowballing requirements results in redundancy and unnecessary complexity. A better way to address the problem is to architect the system recognizing that in some circumstances functions will be split across different actors at subscriber site at the start rather than trying to retrofit this capability as an afterthought. It isn't just enterprise firewalls that present corner cases. Managing credentials on a Web service in the cloud presents similar issues. *Architectural Constraints:* * Use the existing CSR format for proof of possession of the private key for X.509v3 issue. * Use JSON encoding for all new structures and protocol messages. * Assume HTTP binding, do not rely on HTTPS for security properties. * Use SRV and CAA records in DNS to enable automation. *Actors:* Subject: The party whose identity is validated Issuer: The party that issues the certificate Host: The machine on which the private key and certificate are installed Recognizing that the Host is not the same as the Subject is important as without that distinction it becomes impossible to talk about failures or attacks in a meaningful way. Note that as far as the protocol interactions are concerned, the Issuer need not be a CA. A CA is a party that is subject to audit and insurance and has actual custody of the signing key. It is not actually necessary for the Subject to have a direct interaction with their CA. In the ideal situation any party with more than a dozen certs is going to channel cert requests through a local issuer which forwards them to a CA (possibly through another intermediary). *Processes:* Validation: Determining that a purported subject meets a set of criteria specified by a certificate policy and in particular has the right to use a specified identity. Key Generation: Generating a public/private key pair Certificate Issue: Signing a Certificate While each process must occur at least once for a certificate to be issued, these are three separate processes. In particular, Validation is an interaction with the certificate subject, Certificate Issue is to the Host holding the corresponding private key. In any deployment that has more than one host it is going to be desirable to amortize a validation process across the multiple hosts. Today Key Generation and Validation might occur once every three years and Certificate Issue once a year. One of the reasons I am interested in automating Cert Management is to change these parameters. My ideal situation would be to perform Key Generation and Certificate Issue every 24 hours with overlapping 72 hour validity intervals of which 24 hours is backdated. I certainly don't want to have to perform OV or EV validation every 24 hours. I am not averse to performing the DV component of validation every 24 hours as well but the most appropriate response to single validation failure after a long stream of successful validations is probably to notify the system admin rather than force their site offline. A somewhat more complicated question is how to deal with the problem of multiple ports, multiple protocols and multiple applications on the same host. We should not limit the use of HTTP validation to certificates that will be used with HTTP. While the requirements appear complicated, it is actually fairly straightforward to support them all if we recognize the distinction between the Subject and the Host. Since there is a relationship between the subject and the issuer that potentially persists across multiple certificate issue transactions, this implies some form of account/credential. Since we are doing PKI we can insist that the credential used to authenticate transactions be a public key. For a free cert provider with a zero touch model, the account identifier might well be simply the public key or a fingerprint thereof. If the account identifier is never seen by a user, it does not need to be particularly human readable. Thoughts? Comments?
- [Acme] (Re)Design sketch Phillip Hallam-Baker
- Re: [Acme] (Re)Design sketch Trevor Freeman