Re: [sidr] [Technical Errata Reported] RFC8182 (7239)

Tom Harrison <tomh@apnic.net> Wed, 07 December 2022 05:22 UTC

Date: Wed, 07 Dec 2022 15:22:35 +1000
From: Tom Harrison <tomh@apnic.net>
To: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: tim@ripe.net, oleg@ripe.net, bryan@cobenian.com, sra@hactrn.net, aretana.ietf@gmail.com, jgs@juniper.net, andrew-ietf@liquid.tech, morrowc@ops-netman.net, sandy@tislabs.com, job@fastly.com, sidr@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/Mbb2GhCVfOp2Q0Hd-iMGU3qdYm4>

On Fri, Nov 04, 2022 at 04:38:12AM -0700, RFC Errata System wrote:
> The following errata report has been submitted for RFC8182,
> "The RPKI Repository Delta Protocol (RRDP)".
> 
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid7239
> 
> --------------------------------------
> Type: Technical
> Reported by: Job Snijders <job@fastly.com>
> 
> Section: 3.2
> 
> Original Text
> -------------
> Certificate Authorities that use RRDP MUST include an instance of an
> SIA AccessDescription extension in resource certificates they
> produce, in addition to the ones defined in [RFC6487]:
> 
> Corrected Text
> --------------
> Certificate Authorities that use RRDP MUST include an instance of an
> SIA AccessDescription extension in CA resource certificates they
> produce, in addition to the ones defined in [RFC6487]:
> 
> Notes
> -----
> Between draft-ietf-sidr-delta-protocol-04 and
> draft-ietf-sidr-delta-protocol-05 a bit of text was removed (perhaps
> because it was considered redundant). But, unfortunately that
> snippet helped establish important context as to what types of
> certificates are expected to contain the id-ad-rpkiNotify
> accessMethod inside the Subject Information Access extension. The
> text that was removed:
> 
> """
> Relying Parties that do not support this delta protocol MUST MUST NOT
> reject a CA certificate merely because it has an SIA extension
> containing this new kind of AccessDescription.
> """
> 
> From the removed text it is clear that id-ad-rpkiNotify was only
> expected to show up on CA certificates. However, without the above
> text, Section 3.2 of RFC 8182 is somewhat ambiguous whether
> 'resource certificates' is inclusive of EE certificates or not.
> 
> RFC 6487 Section 4.8.8.2 sets expectations that only
> id-ad-signedObject is expected to show up in the SIA of EE
> certificates "Other AccessMethods MUST NOT be used for an EE
> certificates's SIA."
> 
> The ambiguity in RFC8182 led to one RIR including id-ad-rpkiNotify
> in the SIA of the EE certificate of all signed objects they produce
> (such as ROAs). The RIR indicated they'll work to remove
> id-ad-rpkiNotify from all EE certificates their CA implementation
> produces.

I agree with this report.  (APNIC is the RIR referred to in this
paragraph, and we also found the text to be unclear when we were
implementing this specification.)

-Tom
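The constraint the erratum pins down (id-ad-rpkiNotify belongs in the SIA of CA certificates only, while an EE certificate's SIA carries nothing but id-ad-signedObject), as an added example that is not part of this thread or of any RIR's code: a minimal DER walker over the SIA extension value and the check a relying party could apply, run on constructed sample SIA values. The id-ad OID arcs are those of RFC 6487 and RFC 8182; the repository hostnames and URIs are invented.

```python
# id-ad (1.3.6.1.5.5.7.48) DER content octets; arcs per RFC 6487 (5, 10, 11) and RFC 8182 (13).
ID_AD = b"\x2b\x06\x01\x05\x05\x07\x30"
OIDS = {ID_AD + b"\x05": "id-ad-caRepository", ID_AD + b"\x0a": "id-ad-rpkiManifest",
        ID_AD + b"\x0b": "id-ad-signedObject", ID_AD + b"\x0d": "id-ad-rpkiNotify"}

def tlv(tag, body):
    """Minimal DER TLV encoder (short and long-form lengths), used to build the samples."""
    n = len(body)
    lb = b"" if n < 128 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 128 else 0x80 | len(lb)]) + lb + body

def access_description(oid_content, uri):
    """AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation [6] IA5String }."""
    return tlv(0x30, tlv(0x06, oid_content) + tlv(0x86, uri.encode("ascii")))

def parse_tlvs(der):
    """Yield (tag, body) for each top-level DER element, handling long-form lengths."""
    i = 0
    while i < len(der):
        tag, n, i = der[i], der[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits give the number of length octets
            k, i = n & 0x7F, i + (n & 0x7F)
            n = int.from_bytes(der[i - k:i], "big")
        yield tag, der[i:i + n]
        i += n

def sia_methods(sia_der):
    """(accessMethod name, URI) pairs from a DER SubjectInfoAccessSyntax."""
    pairs = []
    [(_, seq)] = parse_tlvs(sia_der)  # unwrap the outer SEQUENCE OF AccessDescription
    for _, ad in parse_tlvs(seq):
        (_, oid), (_, loc) = list(parse_tlvs(ad))[:2]
        pairs.append((OIDS.get(oid, "unknown"), loc.decode("ascii")))
    return pairs

def check_sia(is_ca, sia_der):
    """Return (findings, rrdp_uri); an EE cert may carry only id-ad-signedObject (RFC 6487 4.8.8.2)."""
    findings, notify = [], None
    for name, uri in sia_methods(sia_der):
        if is_ca:
            if name == "id-ad-rpkiNotify":
                notify = uri  # RFC 8182: the RRDP endpoint, never a reason to reject a CA cert
        elif name != "id-ad-signedObject":
            findings.append(f"EE certificate SIA must not carry {name}")
    return findings, notify

# Constructed sample SIA values (not taken from any real certificate).
CA_SIA = tlv(0x30, access_description(ID_AD + b"\x05", "rsync://rpki.example.net/repo/")
             + access_description(ID_AD + b"\x0a", "rsync://rpki.example.net/repo/ca.mft")
             + access_description(ID_AD + b"\x0d", "https://rrdp.example.net/notification.xml"))
# The misconfiguration the erratum describes: id-ad-rpkiNotify copied into an EE certificate.
EE_SIA_BAD = tlv(0x30, access_description(ID_AD + b"\x0b", "rsync://rpki.example.net/repo/r1.roa")
                 + access_description(ID_AD + b"\x0d", "https://rrdp.example.net/notification.xml"))
```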