Re: [sidr] wglc for draft-ietf-sidr-adverse-actions-00

Stephen Kent <> Tue, 19 July 2016 14:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C9A7012DD11 for <>; Tue, 19 Jul 2016 07:33:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.487
X-Spam-Status: No, score=-5.487 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id CuENDLmGId4J for <>; Tue, 19 Jul 2016 07:33:13 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 022C612E090 for <>; Tue, 19 Jul 2016 07:00:21 -0700 (PDT)
Received: from ([]:39106 helo=COMSEC.fios-router.home) by with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <>) id 1bPVZM-0009mI-A6 for; Tue, 19 Jul 2016 10:00:20 -0400
References: <> <>
From: Stephen Kent <>
Message-ID: <>
Date: Tue, 19 Jul 2016 10:00:20 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------91392DE15469DBE4E94F919F"
Archived-At: <>
Subject: Re: [sidr] wglc for draft-ietf-sidr-adverse-actions-00
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 19 Jul 2016 14:33:17 -0000


Thanks for taking the time to read and comment on the document.

I will change CA certificate analysis to be section 2.1, and make the 
CRL section b 2.3, as per your request. The Manifest section will remain 
2.2, ROAs will become 2.4, GB will become 2.5, and Router Certificates 
will remain 2.6. This will require a lot of changes to the pointers 
within and between sections, but we aim to please :-).

A-5.4.1: I agree that reducing the set ofresources in a CA certificate 
may be done for legitimate reasons, even if the INR holder does not 
agree with the reduction. Nonetheless, this is an adverse action from 
the perspective of the INR holder. It’s important to note that there are 
cases when this reduction is the result of an attack against or an error 
by the parent CA. Thus I believe it is important to retain this action 
in the list.

A-5.4.2: I’ll delete this action.

A-5.4.5: I agree that this may be hard to distinguish from a legitimate 
key rollover, except that a key rollover would have both old and new CA 
keys present simultaneously. I’ll add a note to this effect.

I disagree with your suggestion that we remove the modification, 
revocation, and injection actions for Manifests, ROAs, and Router 
Certificates. First, remember that adverse actions include errors by 
CAs, and transient attacks against CAs. In the former case the private 
key is clearly available and the CA may also control the repository. In 
the latter case note that an attacker need not need learn the private 
key’s value; he/she needs only the ability to cause an HSM to use the 
key. Also, an attacker need not control the repository to effect these 
actions; an RP might be misdirected to a different set of files via a 
routing system attack (ironic?) or a DNS attack.

Recall that the goal of this document is to document, as best we can, a 
wide range of actions that are adverse, irrespective of whether we can 
prevent or detect such actions. Your message noted that RRDP may make it 
easier for RPs to detect some of these actions; I suggest you add 
references to the relevant sections of this document as further 
motivation for transitioning to RRDP.

Finally, when we revised an earlier version of the document we decided 
to include every action in the same order in each section (except for GB 
records, where it would be trivial), to make it easier for a reader to 
see that we were addressing the same issues for each object.