Re: [sidr] RPKI validator testing summary

Geoff Huston <gih@apnic.net> Fri, 02 December 2011 21:46 UTC

On 01/12/2011, at 2:38 AM, Andrew Chi wrote:

> 
> 2. AIA correctness.  Does res-certs require validators to reject a certificate with a messed up AIA URI, even if top-down traversal is ok?  Having clean AIAs obviously helps bottom-up validators.  But validators capable of bottom-up traversal must already defend against AIA-wild-goose-chase DoS, e.g. by limiting chase depth.  Should we encourage validators to enforce AIA correctness?

res-certs says that there MUST be an AIA and the text says that it points to the "publication point of the immediate superior certificate". In the case where a local TA is being used (and in other conceivable cases) it is possible for multiple CAs to certify a subject. What the spec does NOT say is that the AIA must point to the publication point of all such CAs. So it appears to be within the bounds of the res-cert profile for a certificate hierarchy of the form

CA A      CA B
  |         |
  V         V
      CA C

Now if the AIA of certificates issued by CA C points to the publication point of CA A, then if you are performing a validation along the path A to C then this is NOT "messed up", and things look fine. If you are performing a validation along the path from B to C then it IS "messed up", and things look good.

So "messed up" in AIA appears to be a little bit in the eyes of the beholder rather than an objective condition.

On what grounds would a validator reject certificates issued by CA C in this example?

regards,

  Geoff
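A constructed Python model of the two-issuer case in the message above, added here as an illustration and not part of the thread (the certificate fields, names and URIs are assumptions, not RFC 6487 encodings): the top-down check compares a certificate's AIA with the superior actually used on the path being validated, and the bottom-up chase follows AIA links under a depth limit of the kind Andrew mentions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed toy hierarchy: CA A and CA B each issue a CA certificate to
# C, and C issues a certificate X. All names and URIs are made up.

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: Optional[str]       # None marks a trust anchor
    uri: str                    # where this certificate is published
    aia: Optional[str] = None   # URI of the immediate superior certificate

TA_A = Cert("A", None, "rsync://a.example/ta/A.cer")
TA_B = Cert("B", None, "rsync://b.example/ta/B.cer")
C_FROM_A = Cert("C", "A", "rsync://a.example/repo/C.cer", aia=TA_A.uri)
C_FROM_B = Cert("C", "B", "rsync://b.example/repo/C.cer", aia=TA_B.uri)
# X is issued by C; its single AIA names the copy of C's certificate
# that sits in A's publication point.
X = Cert("X", "C", "rsync://c.example/repo/X.cer", aia=C_FROM_A.uri)

# Constructed repository index keyed by URI (what a fetch would return).
REPO = {c.uri: c for c in (TA_A, TA_B, C_FROM_A, C_FROM_B, X)}


def aia_mismatches(path):
    """Top-down check: for each parent->child step, the child's AIA must
    equal the URI of the immediate superior used on THIS path.
    Returns the subjects whose AIA disagrees with the path."""
    bad = []
    for parent, child in zip(path, path[1:]):
        assert child.issuer == parent.subject, "not an issuance chain"
        if child.aia != parent.uri:
            bad.append(child.subject)
    return bad


def chase_up(cert, max_depth=8):
    """Bottom-up traversal: follow AIA links until a trust anchor.
    Depth-limited so a looping or endless AIA chain cannot be used to
    keep the validator chasing forever. Returns the path with the trust
    anchor first, or None if no anchor is reached within the limit."""
    path = [cert]
    while path[-1].issuer is not None:
        if len(path) > max_depth:
            return None
        parent = REPO.get(path[-1].aia)
        if parent is None or parent.subject != path[-1].issuer:
            return None
        path.append(parent)
    return list(reversed(path))
```

The same certificate X validates cleanly along A to C to X and is flagged along B to C to X, which is the "eyes of the beholder" point.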