Re: [OPSAWG] WG LC: draft-ietf-opsawg-finding-geofeeds

Job Snijders <job@fastly.com> Wed, 03 February 2021 02:25 UTC

Return-Path: <job@fastly.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30EF83A122B for <opsawg@ietfa.amsl.com>; Tue, 2 Feb 2021 18:25:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Go1dycWYvW-t for <opsawg@ietfa.amsl.com>; Tue, 2 Feb 2021 18:25:49 -0800 (PST)
Received: from mail-wr1-x442.google.com (mail-wr1-x442.google.com [IPv6:2a00:1450:4864:20::442]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A26123A1228 for <opsawg@ietf.org>; Tue, 2 Feb 2021 18:25:49 -0800 (PST)
Received: by mail-wr1-x442.google.com with SMTP id 7so22495960wrz.0 for <opsawg@ietf.org>; Tue, 02 Feb 2021 18:25:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; h=date:from:to:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=PiQVYuVo0w11e8IvK7PFIVl8Blcs/DjeJRlctLy2fNs=; b=lLZLYiYrvBHJl8JBiVL46W3Isau4AUrz4J5AhOo3fbItYIC02FotZF1Xif274nsSD1 tkUl4WaRuSVodZC22rqONMD635Q+Z/Lq4rgH4VN4jUC/0K8+8ijUe7wZEuSoMdfG3/yY VzA9+p/1aN/tKKxLPY64l3zZTnJO5juvickkw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=PiQVYuVo0w11e8IvK7PFIVl8Blcs/DjeJRlctLy2fNs=; b=AoVD5YUx6MIakW5XfPSaUjHAl6iyh0FjC0+d5Jt6Fcg9N6Ipg5X4YaBgyWZPjZ7yRv BudU8FD14KBTOGEYifkNH0FtJgr2QbQhv5BNNgb5JttKeUBvsSimkDq0rVLreg6HnxK5 ylvVM7r4p/hoFR/w79bWgbSL0UJ9Uh2VdOwT1ATSm5bnzJibOe80nUgke0OBtAkLn60e hxEf8zyJupNE3HrSNUDLYcO+krpmHxX/yT7U2c7zDOzsBB6QD1ZSmzW6LkxpdcoQIuXH 7uqT2kT5dGUc+yAHWImZFs+CuvFKINGnUF9NOW966q+ObNg1lk6ya5n9oEMQFUarmdmQ ijhA==
X-Gm-Message-State: AOAM532/Ddw0XUo58yJhN+gms1wh69jld3A4Kl9fn7sn3E+jIMSfViQZ Q49bmqoV99n2VvozWeNDj88/i698Zv1k9Gh4D1d5PEWyHcxN4j20cHJ2ch2GwZO+kfjGd6x/9hf ym6MC9A9Edn2zjYAiLSbC02l2zgrW2BL4nTJjQX5fbXAE/igrKwamxR8E
X-Google-Smtp-Source: ABdhPJwnlMdjLgEPbt+KLIdSFDVSH04G92mgt+z0UWJUBkX189sbweZIDBRWkg/gJijEbu74rwMxyw==
X-Received: by 2002:a5d:44cc:: with SMTP id z12mr875446wrr.7.1612319147512; Tue, 02 Feb 2021 18:25:47 -0800 (PST)
Received: from snel (mieli.sobornost.net. [45.138.228.4]) by smtp.gmail.com with ESMTPSA id 62sm568497wmd.34.2021.02.02.18.25.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Feb 2021 18:25:46 -0800 (PST)
Date: Wed, 3 Feb 2021 03:25:45 +0100
From: Job Snijders <job@fastly.com>
To: opsawg@ietf.org
Message-ID: <YBoJqZHROe4k1OPi@snel>
References: <BN6PR11MB1667D4EB91373CCB7F7A3F5AB8A09@BN6PR11MB1667.namprd11.prod.outlook.com> <YBhTmPpaH7d/w9L+@snel> <m2zh0mba1e.wl-randy@psg.com> <YBmgIsAsyhi04MJO@snel> <m21rdyaylp.wl-randy@psg.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <m21rdyaylp.wl-randy@psg.com>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/BulE1eQXK3eYqd9v06i1_NOO7rM>
Subject: Re: [OPSAWG] WG LC: draft-ietf-opsawg-finding-geofeeds
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Feb 2021 02:25:51 -0000

Dear Randy, working group,

It appears to me you really wanted to ask 'how the heck did you do it???'

*** warning: operating a CA is real work, do NOT follow the below ***

I declared my signing operation 'proprietary' because I can't recommend
it as a 'recipe'. I prefer to promote man pages over howtos; especially
when signing operators need to walk the path towards production
environment.

My objective in sharing a real-world example @ 2001:67c:208c::/48 is to
facilitate the 'draft-ietf-opsawg-finding-geofeeds' effort. I imagine
publishing a publicly verifable real-world example helps validator
implementers. Validators ofcourse should assume extreme hostile input.

My show case was generated without any assistance or communication with
the authors of the draft. In doing so, hopefully proving (or disproving)
the draft is readable and understandable, so that implementers can
produce similar results.

As you asked how exactly the 'kroket' is made....

On Tue, Feb 02, 2021 at 02:33:54PM -0800, Randy Bush wrote:
> > The signature was produced through proprietary means, but for the
> > purpose of validating the signature & interopability testing that
> > shouldn't matter...  right?
> 
> unless you are a security person and lived through trojans such as
> dual-ec.  extension of kerckhoffs's principle.

I used modern versions of libressl and openssl to generate the EE cert
and the signature.

    $ openssl cms -sign \
        -econtent_type 1.2.840.113549.1.9.16.1.47 \
        -nosmimecap \
        -md sha256 \
        -signer ee.cert \
        -inkey ee.key \
        -in geofeed.csv \
        -outform DER \
        -out signature.der

The EE cert was created with a CSR and a lengthy .cnf file. The
'1.2.840.113549.1.9.16.1.47' string can be replaced with a text string
after OpenSSL merges in https://github.com/openssl/openssl/pull/14050
The 'free, functional, secure, and mostly compatible public-API'
LibreSSL project appears comfortable adding the OID based on just the
IANA registry.

Kind regards,

Job