Re: [sidr] [IANA #1266244] [Errata Verified] RFC8182 (7239)
Job Snijders <job@fastly.com> Thu, 09 February 2023 08:18 UTC
Return-Path: <job@fastly.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40358C15270B for <sidr@ietfa.amsl.com>; Thu, 9 Feb 2023 00:18:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id trfL7DJKmMAc for <sidr@ietfa.amsl.com>; Thu, 9 Feb 2023 00:18:44 -0800 (PST)
Received: from mail-ej1-x632.google.com (mail-ej1-x632.google.com [IPv6:2a00:1450:4864:20::632]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43A92C14F738 for <sidr@ietf.org>; Thu, 9 Feb 2023 00:18:44 -0800 (PST)
Received: by mail-ej1-x632.google.com with SMTP id ud5so4013658ejc.4 for <sidr@ietf.org>; Thu, 09 Feb 2023 00:18:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=xTo0KxrBNZFxJYfAKcTE1vtXM9SjafT7J/NL+r7o0cI=; b=M39wi2KgZ2/HD4pH/uqB6/IdrwK5TfQYVKnqeAHpY717ey/nUQKxPakSTH8C5uwlfv qkOPu2BmjhASoo40FzVNrJDg762i7yDq/6RgjnH4Q7Bm45bGJkmL8n/kSLAnmxgjVHTB jeOdvKIa8u38Y3zcTcHWUTHEkkJD1cb7wPTwI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=xTo0KxrBNZFxJYfAKcTE1vtXM9SjafT7J/NL+r7o0cI=; b=Q+S2RwzC+z1rlqDCeWcqc94f82eixtqoMSALKqDfHF8zKCaB5HuGYnc6b38G4nRzRW ozaMi4oHsxSQodKkIq9nhtBPQm3p68b2eIOCI8kjOimaFPMyZiTiIlDrb538M2mYVYcD Z4ns/NMghUtBawA+jd5chkkNIyorDRP+S3GOqB6rNsnqgeJ6/au/sC33ExaUXrdFCbu3 81r/QdXgZxUkiULHUvpHCpaLDFVh8nusq0zRoIgawNpDSjpfZitHhqoyPkl8bwpkmBWF hn8jsI9y4KvJ0T0k0a90a81tSM01LTKDEkIWQx7uSFcQpOP2mRnHjrw/Fnf67v82HT6K ux0g==
X-Gm-Message-State: AO0yUKU4co8g67wI+R3r9txG/pfSmeBWdIZpJvVopqWSjCxRNHfvKYfk eP8DfwvkM6Gl4Xh7C2SAIfqdUg==
X-Google-Smtp-Source: AK7set/GG8zoPpTSfGK91766KRCXrWCLyjAVoDgWvtg2r1E6bnIQDAuizeE3gTvHBlfp+SIoa9UYqQ==
X-Received: by 2002:a17:906:17d2:b0:87f:a197:5666 with SMTP id u18-20020a17090617d200b0087fa1975666mr10322515eje.5.1675930722308; Thu, 09 Feb 2023 00:18:42 -0800 (PST)
Received: from snel ([2a10:3781:276:1:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id d11-20020a50f68b000000b004ab1f16d111sm238262edn.91.2023.02.09.00.18.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Feb 2023 00:18:41 -0800 (PST)
Date: Thu, 09 Feb 2023 09:18:40 +0100
From: Job Snijders <job@fastly.com>
To: Amanda Baber via RT <iana-matrix@iana.org>
Cc: rfc-editor@rfc-editor.org, tim@ripe.net, sra@hactrn.net, sidr@ietf.org, oleg@ripe.net, jgs@juniper.net, bryan@cobenian.com
Message-ID: <Y+SsYAEOCTyU2ejO@snel>
References: <RT-Ticket-1266244@icann.org> <20230208173143.D7FE74C099@rfcpa.amsl.com> <rt-5.0.3-3135562-1675914973-537.1266244-37-0@icann.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <rt-5.0.3-3135562-1675914973-537.1266244-37-0@icann.org>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/Sd7-HCD31mcGCLQiw-sdsJBounM>
Subject: Re: [sidr] [IANA #1266244] [Errata Verified] RFC8182 (7239)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2023 08:18:48 -0000
Dear Amanda, I don't think that is necessary. Kind regards, Job On Thu, Feb 09, 2023 at 03:56:13AM +0000, Amanda Baber via RT wrote: > Hi, > > Does this errata report need to be listed as an additional reference for the id-ad-rpkiNotify registration? See > > https://www.iana.org/assignments/smi-numbers > > thanks, > > Amanda Baber > IANA Operations Manager > > On Wed Feb 08 17:32:05 2023, rfc-editor@rfc-editor.org wrote: > > The following errata report has been verified for RFC8182, > > "The RPKI Repository Delta Protocol (RRDP)". > > > > -------------------------------------- > > You may review the report below and at: > > https://www.rfc-editor.org/errata/eid7239 > > > > -------------------------------------- > > Status: Verified > > Type: Technical > > > > Reported by: Job Snijders <job@fastly.com> > > Date Reported: 2022-11-04 > > Verified by: John Scudder (IESG) > > > > Section: 3.2 > > > > Original Text > > ------------- > > Certificate Authorities that use RRDP MUST include an instance of an > > SIA AccessDescription extension in resource certificates they > > produce, in addition to the ones defined in [RFC6487]: > > > > Corrected Text > > -------------- > > Certificate Authorities that use RRDP MUST include an instance of an > > SIA AccessDescription extension in CA resource certificates they > > produce, in addition to the ones defined in [RFC6487]: > > > > Notes > > ----- > > Between draft-ietf-sidr-delta-protocol-04 and draft-ietf-sidr-delta- > > protocol-05 a bit of text was removed (perhaps because it was > > considered redundant). But, unfortunately that snippet helped > > establish important context as to what types of certificates are > > expected to contain the id-ad-rpkiNotify accessMethod inside the > > Subject Information Access extension. The text that was removed: > > > > """ > > Relying Parties that do not support this delta protocol MUST MUST NOT > > reject a CA certificate merely because it has an SIA extension > > containing this new kind of AccessDescription. > > """ > > > > From the removed text is is clear that id-ad-rpkiNotify was only > > expected to show up on CA certificates. However, without the above > > text, Section 3.2 of RFC 8182 is somewhat ambiguous whether 'resource > > certificates' is inclusive of EE certificates or not. > > > > RFC 6487 Section 4.8.8.2 sets expectations that only id-ad- > > signedObject is expected to show up in the SIA of EE certificates > > "Other AccessMethods MUST NOT be used for an EE certificates's SIA." > > > > The ambiguity in RFC8182 led to one RIR including id-ad-rpkiNotify in > > the SIA of the EE certificate of all signed objects they produce (such > > as ROAs). The RIR indicated they'll work to remove id-ad-rpkiNotify > > from all EE certificates their CA implementation produces. > > > > It should be noted that the presence of id-ad-rpkiNotify in EE > > certificates is superfluous; Relying Parties can't use the rpkiNotify > > accessMethod in EE certificates for any purpose in the validation > > decision tree. > > > > (Verifying this Errata does not block a future transition from rsync > > to https; as RFC6487 Section 4.8.8.2 leaves room for additional > > instances of id-ad-signedObject with non-rsync URIs) > > > > -------------------------------------- > > RFC8182 (draft-ietf-sidr-delta-protocol-08) > > -------------------------------------- > > Title : The RPKI Repository Delta Protocol (RRDP) > > Publication Date : July 2017 > > Author(s) : T. Bruijnzeels, O. Muravskiy, B. Weber, R. > > Austein > > Category : PROPOSED STANDARD > > Source : Secure Inter-Domain Routing > > Area : Routing > > Stream : IETF > > Verifying Party : IESG >
- [sidr] [Errata Verified] RFC8182 (7239) RFC Errata System
- [sidr] [IANA #1266244] [Errata Verified] RFC8182 … Amanda Baber via RT
- Re: [sidr] [IANA #1266244] [Errata Verified] RFC8… Job Snijders