Re: [sidr] Validation Reconsidered (again/again) question
Stephen Kent <kent@bbn.com> Thu, 17 December 2015 16:27 UTC
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 967081B2F13 for <sidr@ietfa.amsl.com>; Thu, 17 Dec 2015 08:27:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 33oB4uNZu_JX for <sidr@ietfa.amsl.com>; Thu, 17 Dec 2015 08:27:31 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48BE31B2F5B for <sidr@ietf.org>; Thu, 17 Dec 2015 08:27:31 -0800 (PST)
Received: from ssh.bbn.com ([192.1.122.15]:48154 helo=COMSEC.fios-router.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1a9bOr-0003PZ-K5; Thu, 17 Dec 2015 11:27:30 -0500
From: Stephen Kent <kent@bbn.com>
To: Tim Bruijnzeels <tim@ripe.net>
References: <565617E8.4070005@bbn.com> <8FB9C3A7-0799-4CF7-80A5-7669070B3C91@ripe.net>
Message-ID: <5672E271.6080201@bbn.com>
Date: Thu, 17 Dec 2015 11:27:29 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <8FB9C3A7-0799-4CF7-80A5-7669070B3C91@ripe.net>
Content-Type: multipart/alternative; boundary="------------070601000407020007070403"
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/D7_OO0kXAuWMR5HRgFZTnzmqFv0>
Cc: sidr <sidr@ietf.org>
Subject: Re: [sidr] Validation Reconsidered (again/again) question
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2015 16:27:38 -0000
Tim, > ... > I believe the draft is being precise, but in the process has become difficult to parse. Let me attempt once more to explain the proposal in a different way: > > "When doing top-down validation of resource certificates in the RPKI we propose that rather than rejecting a certificate that has resources not held by the parent (but is valid on all other respects), we would accept the certificate but keep note of the actual resources we believe it can be authoritative for. I.e. the intersection of resources on this certificate and the resources accepted for the parent. The RP SHOULD however issue a warning in case certain resources are excluded because of this, so that the responsible CA can fix the situation. That's a reasonable goal, but it does not match what the revised algorithm says. > Please note that for ROAs there is a requirement that all ROA prefixes are included on the EE certificate of the (ROA) signed object CMS. This proposal does not change this. A ROA that has prefixes that were removed for whatever reason higher in the path would still become invalid using this algorithm. We would therefore RECOMMEND that CAs issue 1 ROA for each prefix, and avoid fate sharing. That way only ROAs for prefixes that were removed will be affected." The recommendation you cite belongs in an updated ROA spec. > Essentially that really is all there is to it. I'm afraid it's not that simple. The statement of what you want to accomplish does not match the algorithm described in Section 5, and that is my point, i.e., the revised algorithm is not correct. > If this is easier to parse, and the co-chairs conclude that work should continue, then I am happy to use this line of explanation in a next version of the document. And no, I have no doubt that it will need more detail than above in an I-D - but it's the basic principle that I am trying to convey here. As I noted above, the algorithm description in Section 5 doesn't match what you say you want to accomplish. Below is my take on what a revised validation algorithm should say to implement what you and your co-authors seem to want to accomplish. You'll note that it is substantially different from the text that appears in the current I-D. Steve ------ 7.2.Resource Certification Path Validation The following algorithm is employed to validate CA and EE resources certificates. It is modeled on the path validation algorithm from [RFC5280], but modified to make use of the IP Address Delegation and AS Identifier Delegation Extensions from [RFC3779]. There are two inputs to the validation algorithm: 1.a trust anchor 2.a certificate to be validated The algorithm is initialized with the following new variables: 1.If an IP Address Delegation extension is present in the trust anchor the address set flag is initialized to TRUE and the address resource working set is initialized to the value of this extension. If the extension is absent, the flag is initialized to FALSE and the address resource working set is initialized to NULL. 2.If an AS Identifier Delegation extension is present in the trust anchor, the AS number flag is initialized to TRUE and the AS number resource working set is initialized to the value of this extension. If the extension is absent, the flag is initialized to FALSE and the AS number working set is initialized to NULL. This path validation algorithm verifies, among other things, that a prospective certification path (a sequence of n certificates) satisfies the following conditions: A.for all 'x' in {1, ..., n-1}, the subject of certificate 'x' is the issuer of certificate ('x' + 1); B.certificate '1' is issued by a trust anchor; C.certificate 'n' is the certificate to be validated; and D.for all 'x' in {1, ..., n}, certificate 'x' is valid. Certificate validation requires verifying that all of the following conditions hold, in addition to the certification path validation criteria specified in Section 6 of [RFC5280]. 1.The signature of certificate x is verified using the public key of the issuer’s certificate (x-1), using the signature algorithm specified for that public key (in certificate x-1). 2.The current time lies within the interval defined by the NotBefore and NotAfter values in the Validity field of certificate x. 3.The Version, Issuer, and Subject fields of certificate x satisfy the constraints established in Section 4.1-4.7 of this specification. 4.Certificate x contains all the extensions that MUST be present, as defined in Section 4.8 of this specification. The value(s) for each of these extensions MUST be satisfy the constraints established for each extension in the respective sections. 5.Any extension not identified in Section 4.8 MUST NOT appear in certificate x. 5.Certificate x MUST NOT have been revoked, i.e., it MUST NOT appear on a CRL issued by the CA represented by certificate x-1 6.Compute the address space and the AS number working sets and flags values for certificate x as follows: If the IP Address Delegation extension is present in certificate x, and the address flag is TRUE, then compute the intersection of the resources between this extension and the current value of the address space working set. If the IP Address Delegation extension is present in certificate x, and the address flag is FALSE, the certificate fails validation. If the IP Address Delegation extension is absent in certificate x, set the address set flag to FALSE. If the AS Identifier Delegation extension is present in certificate x, and the AS number flag is TRUE, then compute the intersection of the resources between this extension and the current value of the address space working set. If the AS Identifier Delegation extension is present in certificate x, and the AS number flag is FALSE, the certificate fails validation. If the AS Identifier Delegation extension is absent in certificate x, set the AS number flag to FALSE. If x = n (i.e., this is the certificate being validated) then the IP address space and AS number working sets are treated as the values for the IP Address and AS Identifier Delegation extensions for this certificate, respectively. If an RP is caching the results of validation, these values SHOULD be stored along with the certificate, to facilitate incremental validation based on cached results. Otherwise, return to step 1 and continue path validation. These rules allow a CA certificate to contain resources that are not present in (all of) the certificates along the path from the trust anchor to the CA certificate. (If none of the resources in the CA certificate are present in all certificates along the path, no subordinate certificates could be valid. However, the certificate is not immediately rejected as this may be a transient condition. Not immediately rejected the certificate does not result in a security problem because the associated working resource sets accurately reflect the resources associated with the certificate in question.) The address and/or AS number resources contained in a valid EE certificate being validated MUST always be encompassed by all certificates along the path to the trust anchor (used to verify that EE certificate). Also note that if any CA certificate along the path has no address space resources, then any subordinate certificate MUST NOT contain address space resources. The same constraint applies to AS number resources.
- [sidr] Validation Reconsidered (again/again) ques… Christopher Morrow
- Re: [sidr] Validation Reconsidered (again/again) … Carlos M. Martinez
- Re: [sidr] Validation Reconsidered (again/again) … Tim Bruijnzeels
- Re: [sidr] Validation Reconsidered (again/again) … Geoff Huston
- Re: [sidr] Validation Reconsidered (again/again) … Arturo Servin
- Re: [sidr] Validation Reconsidered (again/again) … Stephen Kent
- Re: [sidr] Validation Reconsidered (again/again) … mcr
- Re: [sidr] Validation Reconsidered (again/again) … Oleg Muravskiy
- Re: [sidr] Validation Reconsidered (again/again) … Samuel Weiler
- Re: [sidr] Validation Reconsidered (again/again) … Samuel Weiler
- Re: [sidr] Validation Reconsidered (again/again) … Stephen Kent
- Re: [sidr] Validation Reconsidered (again/again) … Christopher Morrow
- Re: [sidr] Validation Reconsidered (again/again) … Randy Bush
- Re: [sidr] Validation Reconsidered (again/again) … Christopher Morrow
- Re: [sidr] Validation Reconsidered (again/again) … Montgomery, Douglas
- Re: [sidr] Validation Reconsidered (again/again) … Christopher Morrow
- Re: [sidr] Validation Reconsidered (again/again) … Wes Hardaker
- Re: [sidr] Validation Reconsidered (again/again) … Randy Bush
- Re: [sidr] Validation Reconsidered (again/again) … Tim Bruijnzeels
- Re: [sidr] Validation Reconsidered (again/again) … Robert Kisteleki
- Re: [sidr] Validation Reconsidered (again/again) … Warren Kumari
- Re: [sidr] Validation Reconsidered (again/again) … Stephen Kent
- Re: [sidr] Validation Reconsidered (again/again) … Geoff Huston
- Re: [sidr] Validation Reconsidered (again/again) … Declan Ma
- Re: [sidr] Validation Reconsidered (again/again) … Geoff Huston
- Re: [sidr] Validation Reconsidered (again/again) … Randy Bush
- Re: [sidr] Validation Reconsidered (again/again) … Sriram, Kotikalapudi
- Re: [sidr] Validation Reconsidered (again/again) … Sriram, Kotikalapudi
- Re: [sidr] Validation Reconsidered (again/again) … Geoff Huston
- Re: [sidr] Validation Reconsidered (again/again) … Christopher Morrow
- Re: [sidr] Validation Reconsidered (again/again) … Sriram, Kotikalapudi
- Re: [sidr] Validation Reconsidered (again/again) … Geoff Huston
- Re: [sidr] Validation Reconsidered (again/again) … Andrei Robachevsky
- Re: [sidr] Validation Reconsidered (again/again) … Tim Bruijnzeels
- Re: [sidr] Validation Reconsidered (again/again) … Andrei Robachevsky
- Re: [sidr] Validation Reconsidered (again/again) … Sandra Murphy
- Re: [sidr] Validation Reconsidered (again/again) … Declan Ma
- Re: [sidr] Validation Reconsidered (again/again) … Geoff Huston
- Re: [sidr] Validation Reconsidered (again/again) … Sandra Murphy
- Re: [sidr] Validation Reconsidered (again/again) … Geoff Huston
- Re: [sidr] Validation Reconsidered (again/again) … Declan Ma
- Re: [sidr] Validation Reconsidered (again/again) … Geoff Huston
- Re: [sidr] Validation Reconsidered (again/again) … Declan Ma
- Re: [sidr] Validation Reconsidered (again/again) … Andrei Robachevsky
- Re: [sidr] Validation Reconsidered (again/again) … Karen Seo
- Re: [sidr] Validation Reconsidered (again/again) … Stephen Kent
- Re: [sidr] Validation Reconsidered (again/again) … Tim Bruijnzeels
- Re: [sidr] Validation Reconsidered (again/again) … Stephen Kent
- Re: [sidr] Validation Reconsidered (again/again) … Stephen Kent
- Re: [sidr] Validation Reconsidered (again/again) … Sriram, Kotikalapudi