Re: [sidr] The question about https certificates and frequency of mft/crl re-issuance

Stephen Kent <> Mon, 13 June 2016 20:10 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A771D12D614 for <>; Mon, 13 Jun 2016 13:10:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.627
X-Spam-Status: No, score=-4.627 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FSL_HELO_HOME=1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id N4ShQ5lTzutI for <>; Mon, 13 Jun 2016 13:10:45 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B009A12D62D for <>; Mon, 13 Jun 2016 13:10:40 -0700 (PDT)
Received: from ([]:51682 helo=COMSEC.fios-router.home) by with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <>) id 1bCYBz-000PQW-Fx for; Mon, 13 Jun 2016 16:10:39 -0400
References: <>
From: Stephen Kent <>
Message-ID: <>
Date: Mon, 13 Jun 2016 16:10:39 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [sidr] The question about https certificates and frequency of mft/crl re-issuance
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 13 Jun 2016 20:10:47 -0000


Sorry to have not replied sooner.

> Hi all,
> I promised to take this to list.
> So, as presented today, the volume of updates of MFTs and CRLs in the RIPE NCC repository vs updates of ROAs is about 1000:1. This is a bad signal -to-noise ratio that causes waste of cycles and bandwidth.
> = Why this noisy? MITM..
> We get this, because we use a 'next update time' of 24 hours, but we actually republish every 8 hours to make sure that we can fix issues before things go stale. In my understanding we need this because of man-in-the-middle attacks involving replay or withhold. And rsync is vulnerable to this (clear text, and no authentication of server). If an RP is being fed old data, they would notice that something is wrong within 24 hours. A longer period seems scary.. If this understanding is wrong I would love to be educated.
I think an 8-hour cycle is very much overkill, despite the good 
intentions that motivated it.

An RP should detect when a manifest is stale, since the manifest carries 
a next publication date. It's a local matter as to how stale a Manifest 
can be before an RP sounds an alarm. The actions an RP MAY take in the 
face of a stale Manifest are also largely a local matter, as per RFC 
6486. So, I don't think an 8-hour re-pub rate is warranted given these 
local policy aspects of Manifest processing.

Similarly, daily CRL publication strikes me as overkill as well. Yes, 
it's nice to be able to say that IF there were a need to revoke a cert, 
everyone could know about that in 24 hours. BUT, revocations in many 
PKIs are fairly rare, and in the RPKI they seem very infrequent as well, 

I'd suggest a default next update frequency for both CRLs and Manifests 
of 1 week.
This should be shortened if a resource is about to be transferred, or 
there is a planned key rollover, etc. If we adopt 1 week as the default, 
then pushing out
new versions every 3-4 days would be reasonable, IMHO.

These changes would reduce churn by a factor of 10 or so.
> = Solved by https?
> But assuming this does make sense, I wondered whether RRDP with httpS offers a way out of this. With RRDP a CA signs a certificate with an https URL like: https// We can trust this because it's on a signed certificate. Now, if we can also exclude mitm, because we can trust the httpS certificate, this would allow for a much longer period 'next update time'. And in the meantime the RP would still learn about updates before this, because the notification.xml is checked regularly and would include any changes ahead of this.
I'm not sure I understand the analysis above. In the current scheme, the 
next update times for CRLs and Manifests are signed objects too. yes, an 
RP could learn about an earlier update IF there is no attack that 
prevents timely dissemination of the notification file. But, what 
prevents an attacker from delaying such notifications?

I'll have to think about your TA questions some more before replying.