Re: [sidr] Erratum for RFC6486? (manifests)
Stephen Kent <kent@bbn.com> Wed, 17 July 2013 17:36 UTC
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61B5521F9E5C for <sidr@ietfa.amsl.com>; Wed, 17 Jul 2013 10:36:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fvz2oIQotF6k for <sidr@ietfa.amsl.com>; Wed, 17 Jul 2013 10:36:03 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id 8A77521F9D01 for <sidr@ietf.org>; Wed, 17 Jul 2013 10:36:03 -0700 (PDT)
Received: from dhcp89-089-218.bbn.com ([128.89.89.218]:56907) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1UzVdv-000OFY-JL; Wed, 17 Jul 2013 13:35:59 -0400
Message-ID: <51E6D5FF.6030802@bbn.com>
Date: Wed, 17 Jul 2013 13:35:59 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Tim Bruijnzeels <tim@ripe.net>
References: <A4234F86-EC27-4EB5-B988-D61019E80A7B@ripe.net>
In-Reply-To: <A4234F86-EC27-4EB5-B988-D61019E80A7B@ripe.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "sidr@ietf.org list" <sidr@ietf.org>
Subject: Re: [sidr] Erratum for RFC6486? (manifests)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2013 17:36:09 -0000
Tim, Section 5.1 of RFC 6486 is titled "Manifest Generation Procedure." This it is a set of directions to the CA creating the manifest, not directions to an RP verifying a manifest. Section 6 is the discussion of what a relying party is supposed to do with a manifest. My quick re-read of Section 6 does not call for an RP to check that the validity time is consistent with the single-use vs. sequential-use EE cert criteria in 5.1. So, the primary concern you cited, i.e., that an RP cannot know which test to apply, is not a valid reason to change this text. I agree that the invalid vs. stale disparity that arises because of the directions to CAs on manifest EE cert generation is an awkward one. Your example of a manifest with a planned daily update, but a cert that is valid for a week, is an reasonable operational model. If RPs continue to fetch data based on what has changed, then a manifest that is slated to change, but doesn't, doesn't impose an addition sync load. If an RP were to fetch data based on when it says it will expire, then this might be less desirable. So we might take that into consideration when suggesting this model. If we had guidelines for best practices for pub point management, with suggested rates of change, we might better understand the possible impact of this operational model. For example, if the recommended frequency of CRL issuance is daily, then the manifest ought to change daily as well, the there's a decent chance that the CRL and the manifest are either both stale or current. So, while I believe that there is no need to change the 5.1 text based on the RP concern you cited, I support a change to that text to allow CAs more flexibility in managing the EE cert validity in manifests, and to remove the single-use vs. sequential-use EE cert distinction. Would you like to propose and share text for the suggested change? We may have to issue a new RFC, updating 6486, since this does represent a technical change to how we say a CA should behave. Steve
- [sidr] Erratum for RFC6486? (manifests) Tim Bruijnzeels
- Re: [sidr] Erratum for RFC6486? (manifests) Rob Austein
- Re: [sidr] Erratum for RFC6486? (manifests) Stephen Kent
- Re: [sidr] Erratum for RFC6486? (manifests) Tim Bruijnzeels
- Re: [sidr] Erratum for RFC6486? (manifests) Murphy, Sandra
- Re: [sidr] Erratum for RFC6486? (manifests) Stephen Kent