IETF Logo Mail Archive

Re: [sidr] Erratum for RFC6486? (manifests)

Stephen Kent <kent@bbn.com> Wed, 17 July 2013 17:36 UTC

Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61B5521F9E5C for <sidr@ietfa.amsl.com>; Wed, 17 Jul 2013 10:36:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fvz2oIQotF6k for <sidr@ietfa.amsl.com>; Wed, 17 Jul 2013 10:36:03 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id 8A77521F9D01 for <sidr@ietf.org>; Wed, 17 Jul 2013 10:36:03 -0700 (PDT)
Received: from dhcp89-089-218.bbn.com ([128.89.89.218]:56907) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1UzVdv-000OFY-JL; Wed, 17 Jul 2013 13:35:59 -0400
Message-ID: <51E6D5FF.6030802@bbn.com>
Date: Wed, 17 Jul 2013 13:35:59 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Tim Bruijnzeels <tim@ripe.net>
References: <A4234F86-EC27-4EB5-B988-D61019E80A7B@ripe.net>
In-Reply-To: <A4234F86-EC27-4EB5-B988-D61019E80A7B@ripe.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "sidr@ietf.org list" <sidr@ietf.org>
Subject: Re: [sidr] Erratum for RFC6486? (manifests)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2013 17:36:09 -0000

Tim,

Section 5.1 of RFC 6486 is titled "Manifest Generation Procedure." This 
it is a set of directions to the CA creating the manifest, not 
directions to an RP verifying a
manifest. Section 6 is the discussion of what a relying party is 
supposed to do with a manifest. My quick re-read of Section 6 does not 
call for an RP to check that the validity time is consistent with the 
single-use vs. sequential-use EE cert criteria in 5.1. So, the primary 
concern you cited, i.e., that an RP cannot know which test to apply, is 
not a valid
reason to change this text.

I agree that the invalid vs. stale disparity that arises because of the 
directions to
CAs on manifest EE cert generation is an awkward one. Your example of a 
manifest with
a planned daily update, but a cert that is valid for a week, is an 
reasonable operational
model. If RPs continue to fetch data based on what has changed, then a 
manifest that is
slated to change, but doesn't, doesn't impose an addition sync load. If 
an RP were to
fetch data based on when it says it will expire, then this might be less 
desirable. So
we might take that into consideration when suggesting this model.

If we had guidelines for best practices for pub point management, with 
suggested
rates of change, we might better understand the possible impact of this 
operational
model. For example, if the recommended frequency of CRL issuance is 
daily, then the
manifest ought to change daily as well, the there's a decent chance that 
the CRL and
the manifest are either both stale or current.

So, while I believe that there is no need to change the 5.1 text based 
on the
RP concern you cited, I support a change to that text to allow CAs more
flexibility in managing the EE cert validity in manifests, and to remove the
single-use vs. sequential-use EE cert distinction.

Would you like to propose and share text for the suggested change? We 
may have to
issue a new RFC, updating 6486, since this does represent a technical 
change to
how we say a CA should behave.

Steve

v2.23.0 | Report a Bug | By Email