Re: [secdir] Secdir review of draft-ietf-sidr-res-certs
Sam Hartman <hartmans-ietf@mit.edu> Thu, 10 March 2011 20:52 UTC
Return-Path: <hartmans@mit.edu>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F2B1A3A6A1C; Thu, 10 Mar 2011 12:52:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.084
X-Spam-Level:
X-Spam-Status: No, score=-102.084 tagged_above=-999 required=5 tests=[AWL=-1.359, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, SARE_LWHUGE=1.54, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wxI1v174R9M3; Thu, 10 Mar 2011 12:52:58 -0800 (PST)
Received: from mail.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by core3.amsl.com (Postfix) with ESMTP id EC3113A67F8; Thu, 10 Mar 2011 12:52:57 -0800 (PST)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id 9A2CB2010F; Thu, 10 Mar 2011 15:51:31 -0500 (EST)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 8A242432D; Thu, 10 Mar 2011 15:53:44 -0500 (EST)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Paul Hoffman <paul.hoffman@vpnc.org>
References: <tslhbbag9m1.fsf@mit.edu> <4D791B26.8020001@vpnc.org> <tsl4o7ag5fw.fsf@mit.edu> <4D79271E.6080707@vpnc.org>
Date: Thu, 10 Mar 2011 15:53:44 -0500
In-Reply-To: <4D79271E.6080707@vpnc.org> (Paul Hoffman's message of "Thu, 10 Mar 2011 11:31:42 -0800")
Message-ID: <tslzkp2elyf.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: draft-ietf-sidr-res-certs@tools.ietf.org, Sam Hartman <hartmans-ietf@mit.edu>, ietf@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Secdir review of draft-ietf-sidr-res-certs
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Mar 2011 20:53:00 -0000
>>>>> "Paul" == Paul Hoffman <paul.hoffman@vpnc.org> writes: Paul> I don't think either of us is missing something, we just Paul> disagree about what needs to happen if a fix that changes the Paul> semantics of the certs needs to be made to the system as a Paul> whole. For changes that don't change the semantics, you change Paul> an existing extension or other part of the certificate; for Paul> changes that need to change the system's semantics, you change Paul> the certificates in a way that relying parties that don't Paul> understand the change won't accept the certificate. Paul> Maybe you and I are envisioning different choices being made Paul> about those changes. I trust the IETF not to make a change Paul> that will cause a lot of relying parties to fail unless the Paul> IETF really thinks that is necessary; you may have less faith Paul> than I do. (You were on the IESG, so you get to be in the Paul> sausage-making more than I have...) I do trust the IETF, which is why I think the current document is very broken. I want to give the IETF the *future* opportunity to balance breaking RPs against confusing behavior. I hate to get into a specific example, because it's very easy to attack the example without the general point. However in the interests of trying to explore our difference, I'd like to come up with a specific example. I may drop the discussion if I feel that we're focusing on the example rather than the general point. So let's pretend that we'd been much more efficient about SIDR and that the RPKI was done prior to 32-bit ASes being a significant issue. Let's pretend that RFC 3779 managed to specify the AS constraint in such a way that 32-bit ASes were excluded. Perhaps there is an ASN.1 constraint on the size of the AS that happens to be rigorously enforced by widely deployed RPs. Regardless of how it happened, assume that we cannot encode 32-bit ASes in the existing extension. In the current model, we have to come up with a new extension. I think this means you need a new independent CA hierarchy for the 32-bit AS certificates. New RPs can use that hierarchy for 32-bit ASes, all RPs use the old hierarchy for the 16-bit AS certs and to the extent they are combined IP certs. In theory we could some day combine these hierarchies when all the RPs support 32-bit ASes. In practice we probably wouldn't because someone out there would implement an RP that broke when the hierarchies were combined and even though it would simplify things the risk of breakage would not justify combining the hierarchies. I'm not sure if this model works: I'd need to analyze whether you can have multiple signatures on an RPKI object, whether you need to claim both an AS and an IP address in signing a route, etc etc. If we're going to go forward with the current model we need at least convince ourselves that even if we did have to duplicate the RPKI to deploy some feature we could do so and not also duplicate the instances of the protocols signing RPKI objects. However, if we had a relaxed model, we'd give the IETF another option. The IETF could also provide a new version of the AS extension for 32-bit ASes. There are huge tradeoffs here. Only new RPs will validate the 32-bit ASes. So you can get into a situation where an RP who is unaware of 32-bit ASes accepts a certificate that a newer RP would reject. However, the 16-bit ASes in that certificate would validate. The IP addresses in that certificate would validate. An appropriately authorized trust anchor would need to create a certificate with a valid certification path that passed all the checks in the old profile. Such a certificate could only be used by an old-profile RP to validate objects permitted under the old profile. An RP that understood 32-bit ASes would be required to understand the 32-bit AS validation. I don't know what the right choice would be in this situation. However in similar situations I'd prefer to make that choice in the future when the IETF is in a position to evaluate the tradeoffs rather than forcing our hand now. Similarly you could imagine a desire to add information to a certificate for auditing, debugging or the like, where validation rules were not changed. Again, I'd prefer to allow the IETF to decide whether breaking RPs should be required to make such changes in the future rather than now. Again, because of extension criticality, we always have the option to force RPs to reject new things they don't understand. The question is whether we want options beyond that.
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Jeffrey Hutzelman
- [secdir] Secdir review of draft-ietf-sidr-res-cer… Sam Hartman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Paul Hoffman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Sam Hartman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Paul Hoffman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Rob Austein
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Sam Hartman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Martin Rex
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… John C Klensin
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Sam Hartman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Sam Hartman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Sam Hartman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Sam Hartman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Sam Hartman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Sam Hartman