{so, please I'm including [email protected], because I hate CC lists, and I'm
outing the conversation without prior permission. Any minutes from today's
side meeting yet?}
Yoav Nir <[email protected]> wrote:
> Thanks, Toerless. This is interesting.
> One of the operational issues is that you might configure the
> certificates to live for 4 days, and renew after 2 days. If the CA
> fails at the start of the weekend, some certificates will expire by
> Monday and part of the system will stop working. That is unavoidable,
> but a second issue is that when the administrator gets to work on
> Monday and reboots the CA there are still a bunch of certificates that
> have to be re-issued manually.
That's an unfortunate scenario; given that 2-day weekends are common,
it seems like 4+2 is a dumb set of parameters and 5+2 would be better, even
7+2 might be better.
> Doing something like ANIMA is doing with vouchers solves the second
> issue, so the system can come back online as soon as the CA is back up.
Which kind of voucher?
Generally, when we have clocks, we are suggesting things like 20 minute
validities. When we don't have clocks, then we use nonces for freshness.
(But, we permit nonce-less vouchers that last for years for offline
scenarios)
I don't see how a long-lived voucher is better than a long-lived certificate.
So I don't think vouchers help with recovery from your described CA outage.
I am keen that an ANIMA network would operate nicely with STAR, and that the
ACP is a really good platform on which to do the continuous renewal without
having to open up the domain's Registrar to DDoS.
> We’re trying to keep the STAR considerations draft protocol-agnostic,
> so it’s not specific to EST, ACME, or any of the proprietary protocols
> that are deployed, but it looks like a good generic idea to allow
> certificates to be renewed even if they’re expired.
> So yes, text is welcome and I’ll bring this up at the side meeting on
> Thursday.
...
>> On Mon, Nov 13, 2017 at 10:45:18AM +0800, Yoav Nir wrote:
>>> Hi, all
>>>
>>> In recent years there's been growing interest in short-term
>>> automatically-renewed (STAR) certificates. The idea is to renew
>>> certificates often and forego revocation checking.
>>>
>>> ACME has a draft for such certificate, and STIR has a candidate among
>>> others.
>>>
>>> STAR certificates have somewhat different operational and security
>>> properties compared to regular PKI. I've tried to document some of
>>> them in a draft: https://tools.ietf.org/html/draft-nir-saag-star-00
>>> This draft is in a very initial state, and I'm looking for input
>>> about this.
>>>
>>> I've reserved the Hullet room on Thursday at 18:00. Anyone who's
>>> interested is invited.
>>>
>>> Hope to see you there
>>>
>>> Yoav
>>>
>>> _______________________________________________ 100attendees mailing
>>> list [email protected]
>>> https://www.ietf.org/mailman/listinfo/100attendees
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] [email protected] http://www.sandelman.ca/ | ruby on rails [
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
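The weekend-outage argument above (4-day validity with renewal after 2 days versus 5+2 or 7+2, and the follow-on pile of certificates that need manual re-issuance once the CA is back unless expired certificates may be renewed) can be checked with a small model. This is an added example, not code from either author or from any STAR, ACME or ANIMA implementation; it assumes a steady-state fleet whose certificate ages are spread evenly over the renewal interval, an outage measured in days, and a constructed 60-hour Friday-evening-to-Monday-morning outage.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StarPolicy:
    """STAR lifetime parameters: a cert lives validity_days and is
    re-issued renew_after_days after issuance (e.g. 4+2, 5+2, 7+2)."""
    validity_days: float
    renew_after_days: float

    def slack_days(self) -> float:
        # A cert renewed on schedule always has at least this much life left,
        # so this is the longest CA outage that expires nothing.
        return self.validity_days - self.renew_after_days


def expired_fraction(policy: StarPolicy, outage_days: float) -> float:
    """Fraction of the fleet that expires during an outage, analytically.

    In steady state a cert's age at the start of the outage is uniform on
    [0, renew_after).  A cert of age a expires during the outage when
    validity - a <= outage, i.e. a >= validity - outage.
    """
    excess = outage_days - policy.slack_days()
    if excess <= 0:
        return 0.0
    return min(1.0, excess / policy.renew_after_days)


def simulate_outage(policy: StarPolicy, outage_days: float,
                    n_certs: int = 1000,
                    allow_expired_renewal: bool = False) -> dict:
    """Count certs that expire before the CA returns and how many then need
    an operator to re-issue them by hand.

    allow_expired_renewal models the 'renew even if expired' idea from the
    thread: with it, expired certs are re-issued automatically on return.
    (Constructed fleet: ages evenly spaced over the renewal interval.)
    """
    expired = 0
    for i in range(n_certs):
        age_days = policy.renew_after_days * i / n_certs
        remaining = policy.validity_days - age_days
        if remaining <= outage_days:
            expired += 1
    manual = 0 if allow_expired_renewal else expired
    return {"expired": expired, "manual_reissue": manual}


# Constructed scenario: CA dies Friday 18:00, operator restarts it Monday 06:00.
WEEKEND_OUTAGE_DAYS = 60 / 24  # 2.5 days


def compare_policies(outage_days: float = WEEKEND_OUTAGE_DAYS) -> dict:
    """Expired fraction per policy for one outage length."""
    policies = {"4+2": StarPolicy(4, 2), "5+2": StarPolicy(5, 2),
                "7+2": StarPolicy(7, 2)}
    return {name: expired_fraction(p, outage_days) for name, p in policies.items()}


if __name__ == "__main__":
    for name, frac in compare_policies().items():
        print(f"{name}: {frac:.0%} of certs expired over the weekend")
    print(simulate_outage(StarPolicy(4, 2), WEEKEND_OUTAGE_DAYS))
    print(simulate_outage(StarPolicy(4, 2), WEEKEND_OUTAGE_DAYS,
                          allow_expired_renewal=True))
```

With 4+2 the slack is only 2 days, so a 2.5-day weekend outage expires a quarter of the fleet and leaves all of those for manual re-issuance; 5+2 and 7+2 have 3 and 5 days of slack and lose nothing. The `allow_expired_renewal` switch shows why the protocol-agnostic "renew even if expired" idea matters: it does not stop certificates expiring over the weekend, but it empties the manual re-issuance queue.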