Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-00.txt
Geoff Huston <gih@apnic.net> Thu, 30 October 2014 16:01 UTC
To: John Curran <jcurran@istaff.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/8UCLSpyuXad_ESKdjC8vFMvZnlg
Cc: sidr wg list <sidr@ietf.org>
> On 29 Oct 2014, at 10:17 am, John Curran <jcurran@istaff.org> wrote:
>
> On Aug 11, 2014, at 11:58 AM, Tim Bruijnzeels <tim@ripe.net> wrote:
>> ...
>> The *one* thing I (and I believe we..) challenge is whether an overclaimed resource should invalidate a complete certificate, instead of invalidating just the resources at hand, but allowing the remainder.
>> ...
>> The following two we may be able to mitigate technically, because we are dealing with co-operating parties:
>> @1 There is a mis-timing in certificate shrinking in a transfer between co-operating parties.
>> @2 There is a mis-timing in the parent publishing a cert with extended resource, and issuing it to the child, and the child using those resources in turn.
>>
>> But this is the one that has me scared. It is not the issuing CA being sloppy, it’s a problem between them and *their* parent:
>> @1 The *grand*-parent shrinks the *parent* certificate without the parent knowing about this, and some of these resources appear on the, now overclaiming, child certificate. The grand-parent and parent are not involved in an active transfer process. They may not agree that the resource in question should be removed, or the grand-parent may have shrunk these resources in error.
>>
>> By rejecting the overclaiming child certificate completely I think we are being too harsh, or pedantic even. We know better, so we are just not going to trust this one. But.. there is a very real possibility that we actually *do* know better than the issuing CA at this point. So, what exactly is the problem with accepting the remaining resources? i.e. the intersection between the parent certificate’s resources and this certificate. We know the context, this evaluation is very easy and well-defined. If the CA really intended that the remaining resources should not be tied to the certificate, they would have revoked. If the grand-parent really intended that those resources should not be certified anymore, they would have removed them as well.
>
> I'm certain there is a simple answer for this question, but it eludes me
> at the present time...
>
> Given the risks of full resource list invalidation due to overclaiming, why
> aren't distinct certificates used for distinct resources? If this is not
> practical in general, wouldn't it at least be prudent to "groom" resources
> that are going to be transferred into their own certificate so that the rest
> of the resources held by the original child are not put at validation risk
> (if a coordination error were to occur in subsequent transfer processing)
>

If I understand your note here, you are suggesting that the CA issues a new cert for the to-be-transferred resource and revokes and reissues the original "omnibus" cert to have all the resources minus the to-be-transferred resource. Yes?

But does not this exacerbate the very problem about over-claiming subordinate certs? Any subordinate certs of the shrunken "omnibus" cert that still include the to-be-transferred resource are now completely invalid.

I may not be following your suggestion here, but I just can't see how this makes it "better".

regards,

Geoff
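
Added example (not part of the original message or of the draft): a Python model of the two outcomes argued over in this thread, rejecting a whole certificate on any overclaim versus accepting the intersection with the parent certificate's resources. The chain, the prefixes and the function names are constructed for illustration; only IP prefix lists are modelled, with no signatures, AS numbers or revocation.

```python
import ipaddress

def covered(prefix, holder):
    """True if prefix lies entirely inside one prefix of the holder's set."""
    return any(prefix.version == h.version and prefix.subnet_of(h) for h in holder)

def intersect(claimed, holder):
    """Intersection of two CIDR sets (two prefixes either nest or are disjoint)."""
    out = set()
    for c in claimed:
        for h in holder:
            if c.version != h.version:
                continue
            if c.subnet_of(h):
                out.add(c)
            elif h.subnet_of(c):
                out.add(h)
    return out

def validate_chain(chain, mode):
    """Walk (name, prefixes) pairs from the trust anchor down.

    mode "strict": one overclaimed prefix rejects the whole certificate.
    mode "reconsidered": keep the intersection with the parent's accepted set.
    Returns {name: accepted prefixes}; an empty list means rejected.
    """
    accepted, parent = {}, None
    for name, prefixes in chain:
        claimed = {ipaddress.ip_network(p) for p in prefixes}
        if parent is None:
            ok = claimed                      # trust anchor, taken as configured
        elif mode == "strict":
            ok = claimed if all(covered(c, parent) for c in claimed) else set()
        else:
            ok = intersect(claimed, parent)
        accepted[name] = [str(n) for n in sorted(ok, key=lambda n: (n.version, n))]
        parent = ok
    return accepted

# Constructed chain: the grandparent has shrunk the parent's certificate by
# removing 203.0.113.0/24, but the child certificate still lists it.
CHAIN = [
    ("grandparent", ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]),
    ("parent",      ["192.0.2.0/24", "198.51.100.0/24"]),
    ("child",       ["192.0.2.0/25", "203.0.113.0/24"]),
    ("grandchild",  ["192.0.2.0/26"]),
]

if __name__ == "__main__":
    for mode in ("strict", "reconsidered"):
        print(mode, validate_chain(CHAIN, mode))
```

In strict mode the single stale prefix on the child empties both the child and the grandchild; in the intersection mode the child remains valid for 192.0.2.0/25 and the grandchild for 192.0.2.0/26.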