IETF Logo Mail Archive

Re: [sidr] Stephen Farrell's Discuss on draft-ietf-sidr-rpsl-sig-11: (with DISCUSS and COMMENT)

Sandra Murphy <sandy@tislabs.com> Wed, 18 May 2016 21:12 UTC

Return-Path: <sandy@tislabs.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D61C12D6FA; Wed, 18 May 2016 14:12:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.327
X-Spam-Level:
X-Spam-Status: No, score=-3.327 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KyHYqbti8uUp; Wed, 18 May 2016 14:12:40 -0700 (PDT)
Received: from walnut.tislabs.com (walnut.tislabs.com [192.94.214.200]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8546712D746; Wed, 18 May 2016 14:12:40 -0700 (PDT)
Received: from nova.tislabs.com (unknown [10.66.1.77]) by walnut.tislabs.com (Postfix) with ESMTP id B502A28B003D; Wed, 18 May 2016 17:12:39 -0400 (EDT)
Received: from [IPv6:::1] (localhost.localdomain [127.0.0.1]) by nova.tislabs.com (Postfix) with ESMTP id A7A831F8056; Wed, 18 May 2016 17:12:39 -0400 (EDT)
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
Content-Type: multipart/signed; boundary="Apple-Mail=_33DADD0E-DA1E-40E0-B624-44E2448304B7"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.5.2
From: Sandra Murphy <sandy@tislabs.com>
In-Reply-To: <2e4e9c39-06a9-43ea-eee7-1c0a0a67ad22@innovationslab.net>
Date: Wed, 18 May 2016 17:12:28 -0400
Message-Id: <18A984F0-BEAE-4B5D-99EB-90BA79249C49@tislabs.com>
References: <20160518155109.14693.29705.idtracker@ietfa.amsl.com> <7398a12b-5f01-275f-7dc6-178c6b611891@innovationslab.net> <573C93CD.4040901@cs.tcd.ie> <2e4e9c39-06a9-43ea-eee7-1c0a0a67ad22@innovationslab.net>
To: Brian Haberman <brian@innovationslab.net>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/L5IDJ9tJ6WBQs_LuAyDDlLLLkzE>
Cc: draft-ietf-sidr-rpsl-sig@ietf.org, Sandra Murphy <sandy@tislabs.com>, sidr-chairs@ietf.org, The IESG <iesg@ietf.org>, sidr@ietf.org, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [sidr] Stephen Farrell's Discuss on draft-ietf-sidr-rpsl-sig-11: (with DISCUSS and COMMENT)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 May 2016 21:12:42 -0000

comments inline.  speaking as a regular ol’ wg member

On May 18, 2016, at 12:20 PM, Brian Haberman <brian@innovationslab.net> wrote:

> Hiya Stephen,
> 
> On 5/18/16 12:09 PM, Stephen Farrell wrote:
>> 
>> Hiya,
>> 
>> On 18/05/16 17:06, Brian Haberman wrote:
>>> Hiya Stephen,
>>> 
>>> On 5/18/16 11:51 AM, Stephen Farrell wrote:
>>>> Stephen Farrell has entered the following ballot position for
>>>> draft-ietf-sidr-rpsl-sig-11: Discuss
>>>> 
>>>> When responding, please keep the subject line intact and reply to all
>>>> email addresses included in the To and CC lines. (Feel free to cut this
>>>> introductory paragraph, however.)
>>>> 
>>>> 
>>>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>>>> for more information about IESG DISCUSS and COMMENT positions.
>>>> 
>>>> 
>>>> The document, along with other ballot positions, can be found here:
>>>> https://datatracker.ietf.org/doc/draft-ietf-sidr-rpsl-sig/
>>>> 
>>>> 
>>>> 
>>>> ----------------------------------------------------------------------
>>>> DISCUSS:
>>>> ----------------------------------------------------------------------
>>>> 
>>>> 
>>>> I'd like to check one thing - this may be needed for strict
>>>> compliance with RPKI thing but it seems kinda weird to also
>>>> impose that here, but anyway...
>>>> 
>>>> Is 3.2 step 1 needed?  That seems like useless complexity
>>>> here.  If it is needed, how does the verifier check that
>>>> it's really a single-use? I don't see the point TBH.
>>>> 
>>> 
>>> This text was driven by the statement in RFC 6487 (Section 3) that says:
>>> 
>>>   The private key associated with an EE certificate is used to sign a
>>>   single RPKI signed object, i.e., the EE certificate is used to
>>>   validate only one object.
>>> 
>>> Step 1 in 3.2 is there so that this approach follows the above directive
>>> on the use of the RPKI infrastructure/certificates.
>> 
>> Well... sure. But what is the benefit here? IIRC that was
> 
> I *think* the benefit is supposed to be compliance with the RPKI approach...
> 
>> something related to making more fine-grained revocation
>> possible or something which doesn't seem that useful here
>> since a verifier will likely already have processed stuff
>> already or am I mixed up?
> 
> I don't think you are mixed up, but I will let others in SIDR chime in…

There was at one point in the history of resource certificates the idea that EE certs could be used multiple times.  (EE certs even had their own manifests!)

The signed object definition encapsulated the EE cert used to verify the signature.  That revocation of the signed object could be accomplished by revoking the EE cert.  Which meant that the EE cert should be used just to sign that one object, as Stephen says. (otherwise chaos ensues)

As the only defined use of EE certs at the time of the publication of 6487 was the use to verify signed objects, the text about EE certs was reduced to just that necessary to support the single-use.

This is different.  The validity of the rpsl object is not tied to the validity of the EE cert.  The comments from the wg were that this draft should talk about the syntax of the new attribute, not the authorization/semantics.  So revocation of the EE cert in this case would/might not have the effect of revoking the rpsl object.  I personally don’t think it likely that it ever will, but that’s IMHO only.

So it is a moot question as to whether the single-use is a part of “the RPKI approach” for this rpsl-sig use.

> 
>> 
>> If there's no benefit, it seems like that adds a bunch of
>> CA code just for fun (or "compliance" maybe;-)

curious: how would this single-use requirement add anything to the CA code?  If the requirement is in 6487, the CA code would already have the checks.  I ask only because I might be missing something.

> 
> I could very easily see dropping step 1 from 3.2 and simply augmenting
> the intro sentence with something about certs/keys generated per 3487.

I think you mean 6487?

You have already suggested removing the SIA requirement from 6487 for the EE certs rpsl-sig uses, so these EE certs are already a different sort of EE cert. Other special  requirements as necessary.

—Sandy, speaking as a regular ol’ wg member

v2.23.0 | Report a Bug | By Email