[OPSAWG] 'inherit' in RFC 9092 Geofeed authenticator End-Entity certs

Job Snijders <job@fastly.com> Sat, 26 November 2022 16:22 UTC

Date: Sat, 26 Nov 2022 17:22:07 +0100
From: Job Snijders <job@fastly.com>
To: opsawg@ietf.org, draft-ietf-opsawg-finding-geofeeds@ietf.org
Message-ID: <Y4I9L1ZYpEVWOAi6@snel>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/JXjxCA14BkW4DWyVoUMwqDvB17I>

Dear all,

While authoring an implementation of the RFC 9092 scheme that uses the
Routing Public Key Infrastructure (RPKI) to authenticate the geofeed
data CSV files, I stumbled upon a curiosity.

RFC 9092 is silent on the matter of whether RFC 3779 'inherit' elements
are permitted in the End-Entity certificate or not; however the example
certificate in Appendix A uses 'inherit'.

I consider the explicit listing of internet number resource identifiers
in RFC 3779 extensions very advantageous when debugging. The use of
'inherit' elements literally reduces the information density of the
signature.

I think by now a pattern has been established in the collective body of
work related to RPKI:

* When the signed payload relates to Internet Number Resources, explicit
  listing in the RFC 3779 extension is required. Examples are: ROA (RFC
  6482), ASPA (draft-ietf-sidrops-aspa-profile), BGPsec (RFC 8209), and
  RSC (RFC 9323).

* When a signed payload relates to the Certificate Authority itself,
  'inherit' is used, because there is no appropriate resource to list.
  Examples are: MFT (RFC 9286), GBR (RFC 6493), and TAK
  (draft-ietf-sidrops-signed-tal).

Because Geofeed authenticators relate to IP prefixes, it seems obvious
to me that it is a member of the first category; however, the RFC's
silence on this aspect and the example EE introduce a degree of ambiguity.
Additionally, Geofeed implementers might benefit from similarity to
other RPKI-based object profiles (such as ROA, ASPA, BGPsec & RSC).

Related discussion on the topic of 'inherit' happened in Errata 3166:
https://www.rfc-editor.org/rfc/inline-errata/rfc6482.html#eid3166

How do we move forward? Would the working group appreciate a small
internet-draft that updates RFC 9092 section 4 along the lines of:

-----
Section 4. Authenticating Geofeed Data

[snip]

Step 4:
    The IP Address Delegation extension [RFC3779] is present in the
    end-entity (EE) certificate (contained within the CMS signature) and
    every IP address prefix(es) in the Geofeed payload is contained
    within the set of IP addresses specified by the EE certificate's IP
    Address Delegation extension. The EE certificate MUST NOT use
    "inherit" elements as described in [RFC3779].  The Autonomous System
    Identifier Delegation Extension described in [RFC3779] is not used
    in Geofeed authenticators and MUST NOT be present.
-----

Thoughts?

Kind regards,

Job
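The proposed Step 4 text above, turned into a check a relying-party implementer could run, as an added example that is not part of this thread, of RFC 9092, or of any existing RPKI validator. It walks the RFC 3779 IPAddrBlocks DER of the EE certificate with a small stdlib-only decoder, reports the 'inherit' NULL choice as a failure, requires the AS Identifier Delegation extension to be absent, and checks that every prefix in the geofeed payload is contained in the listed resources. The extension is modelled as a dict from OID to DER value (an assumption; a real implementation would pull it from the CMS signer certificate), and the DER blobs and geofeed lines are constructed for this example, using documentation prefixes.

```python
"""Added example (not from the thread): apply the proposed RFC 9092 Step 4 to an
EE certificate's RFC 3779 IP Address Delegation extension.  Stdlib only."""
import ipaddress

OID_IP_RESOURCES = "1.3.6.1.5.5.7.1.7"  # id-pe-ipAddrBlocks (RFC 3779)
OID_AS_RESOURCES = "1.3.6.1.5.5.7.1.8"  # id-pe-autonomousSysIds (RFC 3779)
AFI_BITS = {b"\x00\x01": 32, b"\x00\x02": 128}  # IANA AFI -> address width in bits


def der_tlvs(buf):
    """Yield (tag, value) for each DER TLV in buf; handles long-form lengths."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated DER header")
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:                      # long form: next n bytes hold the length
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        if i + length > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[i:i + length]
        i += length


def decode_ip_bits(value, width):
    """Decode an RFC 3779 IPAddress BIT STRING into (zero-filled address int, significant bits)."""
    if not value:
        raise ValueError("empty BIT STRING")
    unused, body = value[0], value[1:]
    nbits = len(body) * 8 - unused
    if unused > 7 or not 0 <= nbits <= width:
        raise ValueError("malformed IPAddress BIT STRING")
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero")
    addr = (int.from_bytes(body, "big") >> unused) << (width - nbits)
    return addr, nbits


def parse_ip_addr_blocks(der):
    """Return {width: "inherit" | [(lo, hi), ...]} for an IPAddrBlocks extension value."""
    [(tag, blocks)] = list(der_tlvs(der))
    if tag != 0x30:
        raise ValueError("IPAddrBlocks must be a SEQUENCE")
    families = {}
    for fam_tag, fam in der_tlvs(blocks):
        if fam_tag != 0x30:
            raise ValueError("IPAddressFamily must be a SEQUENCE")
        (afi_tag, afi), (choice_tag, choice) = list(der_tlvs(fam))
        if afi_tag != 0x04 or afi[:2] not in AFI_BITS:
            raise ValueError("unsupported addressFamily")
        width = AFI_BITS[afi[:2]]
        if choice_tag == 0x05:                 # NULL: the 'inherit' choice
            families[width] = "inherit"
            continue
        if choice_tag != 0x30:
            raise ValueError("ipAddressChoice must be NULL or SEQUENCE")
        ranges = []
        for item_tag, item in der_tlvs(choice):
            if item_tag == 0x03:               # addressPrefix: trailing bits are zero
                lo, n = decode_ip_bits(item, width)
                ranges.append((lo, lo | ((1 << (width - n)) - 1)))
            elif item_tag == 0x30:             # addressRange {min, max}; trimmed bits of max are ones
                (_, mn), (_, mx) = list(der_tlvs(item))
                lo, _ = decode_ip_bits(mn, width)
                hi, n = decode_ip_bits(mx, width)
                ranges.append((lo, hi | ((1 << (width - n)) - 1)))
            else:
                raise ValueError("IPAddressOrRange must be BIT STRING or SEQUENCE")
        families[width] = ranges
    return families


def geofeed_prefixes(text):
    """First column of each RFC 8805 geofeed line, skipping comments and blank lines."""
    return [ipaddress.ip_network(line.split(",")[0].strip(), strict=False)
            for line in text.splitlines() if line.strip() and not line.lstrip().startswith("#")]


def check_geofeed_ee(extensions, prefixes):
    """Proposed Step 4 over {oid: der_value}; returns a list of problems ([] means pass)."""
    problems = []
    if OID_AS_RESOURCES in extensions:
        problems.append("AS Identifier Delegation extension MUST NOT be present")
    if OID_IP_RESOURCES not in extensions:
        return problems + ["IP Address Delegation extension missing"]
    families = parse_ip_addr_blocks(extensions[OID_IP_RESOURCES])
    for width, ranges in families.items():
        if ranges == "inherit":
            problems.append(f"IPv{4 if width == 32 else 6} family uses 'inherit'")
    for p in prefixes:
        net = ipaddress.ip_network(str(p), strict=False)
        lo, hi = int(net.network_address), int(net.broadcast_address)
        ranges = families.get(net.max_prefixlen)
        if not isinstance(ranges, list) or not any(a <= lo and hi <= b for a, b in ranges):
            problems.append(f"{net} is not covered by the EE certificate")
    return problems


# Constructed IPAddrBlocks: IPv4 192.0.2.0/24 plus range 203.0.113.8-203.0.113.23, IPv6 2001:db8::/32.
EXPLICIT_IP_EXT = bytes.fromhex(
    "302d"
    "301c 0402 0001 3016 0304 00c0 0002 300e 0305 03cb 0071 08 0305 03cb 0071 10"
    "300d 0402 0002 3007 0305 0020 010d b8")
# Constructed variant: same IPv4 family, but the IPv6 family is the 'inherit' NULL.
INHERIT_IP_EXT = bytes.fromhex(
    "3026"
    "301c 0402 0001 3016 0304 00c0 0002 300e 0305 03cb 0071 08 0305 03cb 0071 10"
    "3006 0402 0002 0500")
AS_EXT_INHERIT = bytes.fromhex("3004 a002 0500")  # constructed ASIdentifiers (asnum inherit)
SAMPLE_GEOFEED = """\
# constructed RFC 8805 geofeed lines
192.0.2.0/25,NL,NL-NH,Amsterdam,
203.0.113.16/29,NL,NL-NH,Amsterdam,
2001:db8:1::/48,NL,NL-NH,Amsterdam,
"""

if __name__ == "__main__":
    feed = geofeed_prefixes(SAMPLE_GEOFEED)
    print("explicit:", check_geofeed_ee({OID_IP_RESOURCES: EXPLICIT_IP_EXT}, feed))
    print("inherit:", check_geofeed_ee({OID_IP_RESOURCES: INHERIT_IP_EXT}, feed))
```

With the explicit extension the three geofeed prefixes pass; with the 'inherit' variant the IPv6 family is flagged and the 2001:db8:1::/48 line cannot be checked against anything in the EE certificate itself, which is the debugging problem the message describes: a relying party would have to walk up to the issuing CA certificate to learn what the signature actually covers.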