IETF Logo Mail Archive

Re: [sidr] working group adoption poll for draft-huston-sidr-rfc6490-bis

Tim Bruijnzeels <tim@ripe.net> Tue, 11 February 2014 20:37 UTC

Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6F161A072A for <sidr@ietfa.amsl.com>; Tue, 11 Feb 2014 12:37:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_35=0.6, RP_MATCHES_RCVD=-0.548] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id opuFNiAoX3hD for <sidr@ietfa.amsl.com>; Tue, 11 Feb 2014 12:37:30 -0800 (PST)
Received: from koko.ripe.net (koko.ripe.net [193.0.19.72]) by ietfa.amsl.com (Postfix) with ESMTP id 42ADD1A0709 for <sidr@ietf.org>; Tue, 11 Feb 2014 12:37:30 -0800 (PST)
Received: from titi.ripe.net ([193.0.23.11]) by koko.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1WDK4z-0000xh-MU; Tue, 11 Feb 2014 21:37:28 +0100
Received: from s258-sslvpn-1.ripe.net ([193.0.20.231] helo=vpn-163.ripe.net) by titi.ripe.net with esmtps (TLSv1:AES128-SHA:128) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1WDK4z-0006Ov-Gm; Tue, 11 Feb 2014 21:37:17 +0100
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
Content-Type: text/plain; charset="us-ascii"
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <52FA67FB.9040601@bbn.com>
Date: Tue, 11 Feb 2014 21:37:17 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <354F03D4-48DB-4946-BFDF-D20C6737EA1C@ripe.net>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6940A90C5@HSV-MB001.huntsville.ads.sparta.com> <m2ha8a8cb1.wl%randy@psg.com> <1B60AC34-6528-4505-B1C7-D92CA7E128D7@ripe.net> <52FA67FB.9040601@bbn.com>
To: Stephen Kent <kent@bbn.com>
X-Mailer: Apple Mail (2.1510)
X-RIPE-Spam-Level: ---
X-RIPE-Spam-Report: Spam Total Points: -3.5 points pts rule name description ---- ---------------------- ------------------------------------ -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -0.6 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a071997e874b695e54a9b33f65473b00813b7
Cc: sidr@ietf.org
Subject: Re: [sidr] working group adoption poll for draft-huston-sidr-rfc6490-bis
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Feb 2014 20:37:34 -0000

Hi Steve

On Feb 11, 2014, at 7:12 PM, Stephen Kent <kent@bbn.com> wrote:

> Tim,
>> 
>>> --
>>> 
>>> presuming there is consensus to adopt, i have some some nits we can
>>> discuss when it is a wg item.
>>> 
>>>  o i thought folk wanted a blank line between the URI(s) and the key
>>> 
>> I am not sure that I care too much about this as long as it's well defined.
>> 
>> But if the format is open to change, then I would feel more for a key=value style, or dare I say even json.. this is parsed by the machines after all. And using something like json makes it much more flexible regarding ordering of elements, or extending should that ever be necessary.
> I'm not a fan of switching to JSON at this point.

I noticed I stand alone in the matter. No worries. Note the 'if' and let's move on..

>> 
>>>  o last para of 2.2 says
>>> 
>>>       Where the TAL contains two or more rsync URIs, then the same
>>>       self-signed CA certificate MUST be found at each referenced
>>>       location.
>>> 
>>>    maybe should say what happens when one or more do not have the same
>>>    cert?  does the whole TAL get ignored?
>> I agree, but on top of that having multiple publication points by definition implies that there will be differences, albeit short lived.
>> 
>> I would like to see wording along these lines.
>> = TA MUST increment serial number whenever they re-issue the CA cert
>> = TA SHOULD* publish the CA cert in all locations 'asap', within 1 hour?
>> = TA SHOULD* remove the cert from unmaintained locations
>>   *: They may not be able to if this is hosted at a third party
> I agree with Randy that the references to "TA" above should just be "CA"

Sure. I used to TA rather broadly here, including the CA operated by the Trust Anchor entity.

> I'm puzzled by the references to a "third party" above. Why would an entity acting as
> a TA not want to control all of the locations where it's TAL identifies as places from
> which to acquire the vert?

Actually I think this could be a feature. Call me paranoid, but publishing the cert in places where even your own disgruntled operators can't reach it, and remove it or replace it with an old one, seems to me like an idea to entertain. Such access generally does not require any HSM, card quorum etc. But doing this of course introduces the risk of these third party points going rogue. Hence the "no control" remark. But see below..

>> To handle all this more elegantly I think there should be a mechanism for TAs to publish replacement TALs. To add, or remove URIs, or even to do planned key rolls (for example: TA wants change HSM vendor). What if the TA could optionally publish one (1) signed object containing an updated TAL? And possibly some dates: do-not-use-this-before, and do-not-use-other-after?
> These are desirable, additional features, but I agree with Randy that they merit a new work item.
> The change to allow a TAL to contain pointers to multiple locations for cert retrieval seems to
> be an easy change that we can agree upon.
>> This would allow RPs to use existing TALs to discover updates and process automatically (it is signed by the key that I trust). It could stop re-trying retired URIs, and start using the new ones. And even planned key rolls could be as simple as this on this level (provided the TA re-issues and publishes all the products before the change date, under the new key and in its own repositories).
> As I noted above, this seems like a good, new work item.

Fair enough. I did not want to bring this up as a show stopper for going forward with the bis, but it seemed relevant to talk about this now.

The rogue third party risk could be mitigated by signed TALs. A signed (presumably controlled by an HSM and N out of M cards) statement could remove such a publication point from the list. On top of this RPs could regularly re-check certificates in multiple locations to find the most recent. They could also cache the most recent one they have found and refuse older ones. This re-checking should not be needed every few minutes, but once every 24 hours or something seems quite reasonable to me.

But since I don't think it's feasible to get the signed TAL idea worked out for the bis, it's probably best for now to say that the entity acting as a TA should only publish the CA certificate in locations it has full control over. This would also make zealous re-checking by RPs less relevant at this stage.

Tim

> 
> Steve
> 
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr

v2.23.0 | Report a Bug | By Email