Re: [sidr] RPKI: Three questions regarding RFC 6487

Tim Bruijnzeels <tim@nlnetlabs.nl> Tue, 29 January 2019 09:38 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9ECFE1274D0 for <sidr@ietfa.amsl.com>; Tue, 29 Jan 2019 01:38:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.001
X-Spam-Level:
X-Spam-Status: No, score=-7.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E-yo-F549Zk2 for <sidr@ietfa.amsl.com>; Tue, 29 Jan 2019 01:38:23 -0800 (PST)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [185.49.140.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3AE5130F3C for <sidr@ietf.org>; Tue, 29 Jan 2019 01:38:22 -0800 (PST)
Received: from [192.168.192.27] (dhcp-089-098-091-015.chello.nl [89.98.91.15]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id CAFCD1F209; Tue, 29 Jan 2019 10:38:19 +0100 (CET)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=fail (p=none dis=none) header.from=nlnetlabs.nl
Authentication-Results: dicht.nlnetlabs.nl; spf=fail smtp.mailfrom=tim@nlnetlabs.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1548754699; bh=7afa/ywSvyJSXRestlGxrpZWDH0WEXu99unUC+Ov5qQ=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=doYvfT7btKx7XbEgivuC6C2QJJwal/sXDoS9+x4kL/a0l+cDhyA7hJ5/s5ixGGcG1 zUbc3G3b9W+nt4xlcb/pMrcBPf37W636j547QSxUP0db3N0uO0aicFNBMeF/4TCG2K FArFXVx6rJJhHurStJqfDQ/2lTe0/j/lvKAz69ho=
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <CAA0dE=WecNKYx7Pyk+LpqcWEsL7qbVef7=-uCfUQhBjXFaQhYA@mail.gmail.com>
Date: Tue, 29 Jan 2019 10:38:19 +0100
Cc: IETF SIDR <sidr@ietf.org>, Matt Lepinski <mlepinski@bbn.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <A1925027-2A2E-45C0-8AD3-CCE411692F8A@nlnetlabs.nl>
References: <CAA0dE=WecNKYx7Pyk+LpqcWEsL7qbVef7=-uCfUQhBjXFaQhYA@mail.gmail.com>
To: Alberto Leiva <ydahhrk@gmail.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/4ycmff9jEU4VU9gGK5RyhZ7JYsQ>
Subject: Re: [sidr] RPKI: Three questions regarding RFC 6487
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jan 2019 09:38:26 -0000

Hi Alberto,

[removing the email addresses which I think are no longer valid]

I am not an author of this RFC, but I wanted to share my interpretation as an implementer of CA and RP software.

> On 28 Jan 2019, at 19:46, Alberto Leiva <ydahhrk@gmail.com>; wrote:
> 
> I have three questions:
> 
> ==== 1 ====
> 
> Section 4.8.8.1 has the following paragraph:
> 
>   This extension MUST have an instance of an accessMethod of id-ad-
>   caRepository, with an accessLocation form of a URI that MUST specify
>   an rsync URI [RFC5781]. (...)  Other accessDescription elements with
>   an accessMethod of id-ad-caRepository MAY be present.  In such cases,
>   the accessLocation values describe alternate supported URI access
>   mechanisms for the same directory.  The ordering of URIs in this
>   accessDescription sequence reflect the CA's relative preferences for
>   access methods to be used by RPs, with the first element of the
>   sequence being the most preferred by the CA.
> 
> Those MUSTs confuse me. What is the intent behind them?

I agree that this is somewhat confusing. My interpretation of this is that the text tries to leave the option for future transport protocols, other than rsync, open. However, there are no accepted other transport protocols defined at this time.

> 1. Exactly one of the caRepositories MUST be URI, and MUST be RSYNC:
> 
>    caRepository    URI    RSYNC
>    caRepository    other    whatever
>    caRepository    other    whatever
>    caRepository    other    whatever
> 
> 2. Exactly one of the URI caRepositories MUST be RSYNC:
> 
>    caRepository    URI    RSYNC
>    caRepository    URI    other
>    caRepository    URI    other
>    caRepository    other    whatever
> 
> 3. There MUST be at least one RSYNC URI caRepository:
> 
>    caRepository    URI    RSYNC
>    caRepository    URI    RSYNC
>    caRepository    URI    whatever
>    caRepository    other    whatever
> 
> 4. (Unlikely, I realize) All of the caRepositories which are URIs MUST
>   be RSYNC:
> 
>    caRepository    URI    RSYNC
>    caRepository    URI    RSYNC
>    caRepository    URI    RSYNC
>    caRepository    other    whatever

caRepository MUST be a URI, not other. There MUST be one and only one rsync. There MAY, in future, other URIs for 'alternate URI access mechanisms' - one for each. However, no other such mechanisms are defined.

So, for all intents and purposes you can expect 1 and only 1 SIA of the type caRepository and it MUST use rsync.



> ==== 2 ====
> 
> Is the above verdict supposed to be consistent with the other Access
> Descriptions in the RFC? They generally use somewhat different wording:
> 
> AIA:
> 
>   The preferred
>   URI access mechanisms is "rsync", and an rsync URI [RFC5781] MUST be
>   specified with an accessMethod value of id-ad-caIssuers. (...)
>   Other accessMethod URIs referencing the same object MAY also be
>   included in the value sequence of this extension.

One, rsync. And the value of the AIA is rather limited. It provides a hint to where the parent certificate may be found, but this may be incorrect without invalidating the object. Typically the certificate is found through top-down validation so the parent CA certificate is already known.


> CA SIA.rpkiManifest:
> 
>   This extension MUST have an instance of an AccessDescription with an
>   accessMethod of id-ad-rpkiManifest, (...)
>   with an rsync URI [RFC5781] form of accessLocation. (...)
>   Other accessDescription elements MAY exist for the id-ad-rpkiManifest
>   accessMethod, where the accessLocation value indicates alternate
>   access mechanisms for the same manifest object.

Again my interpretation is that there can be only one SIA of this type in practice, and it MUST be rsync.

> 
> EE SIA:
> 
>   This extension MUST have an instance of an accessMethod of id-ad-
>   signedObject, (...)
>   with an accessLocation form of a URI that MUST include an rsync URI
>   [RFC5781]. (...) Other accessDescription
>   elements may exist for the id-ad-signedObject accessMethod, where the
>   accessLocation value indicates alternate URI access mechanisms for
>   the same object, ordered in terms of the EE's relative preference for
>   supported access mechanisms.
> 
>   Other AccessMethods MUST NOT be used for an EE certificates's SIA.

Same..

Except that in this case I really feel that this is a formality. This SIA points to the object itself. I assume that you won't need this information once you have found the object.

> ==== 3 ====
> 
> Section 4.8.8.2:
> 
>   Other AccessMethods MUST NOT be used for an EE certificates's SIA.
> 
> It seems that this requirement has been superseded by RFC 8182:
> 
>   Certificate Authorities that use RRDP MUST include an instance of an
>   SIA AccessDescription extension in resource certificates they
>   produce, in addition to the ones defined in [RFC6487]:
>   (...)
>   This extension MUST use an accessMethod of id-ad-rpkiNotify (...)
> 
> Has it been superseded? Or does the second quote only apply to CA
> certificates? (which would make the word "produce" seemingly out of
> place.)
> 
> (Aside: 8182 does not appear in the 6487 Updated By list.)

Good point, and I see another omission upon re-reading RFC8182 (RRDP) - of which I am a co-author..

The SIA defined in section 3.2 of RFC8182 is intended as an addition to the existing SIAs defined in RFC6487. Furthermore it is only expected to be present in CA certificates, since these are the only currently defined RPKI objects for which signed products may be found. Including the id-ad-rpkiNotify in an SIA of en EE certificate of e.g. a manifest does not hurt, but it's also pointless. This intent is phrased in the last paragraph of 3.2:

   The accessLocation MUST be an HTTPS URI as defined in [RFC7230] that
   will point to the Update Notification File for the Repository Server that publishes
   the products of this Certificate Authority certificate.
                                 ^^^^^^^^^^^^^^^^^^^^

But this is not phrased as clearly as it could have been.



> 
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr