Re: [sidr] RPKI validator testing summary

Tim Bruijnzeels <> Fri, 02 December 2011 10:23 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9E75A21F9309 for <>; Fri, 2 Dec 2011 02:23:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id CvwiWKMFUlzg for <>; Fri, 2 Dec 2011 02:23:27 -0800 (PST)
Received: from ( [IPv6:2001:67c:2e8:11::c100:1342]) by (Postfix) with ESMTP id 8C5B821F930E for <>; Fri, 2 Dec 2011 02:23:27 -0800 (PST)
Received: from ([]) by with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <>) id 1RWQH4-0003tb-AU; Fri, 02 Dec 2011 11:23:23 +0100
Received: from ([]) by with esmtps (TLSv1:AES128-SHA:128) (Exim 4.72) (envelope-from <>) id 1RWQH3-0005dv-UC; Fri, 02 Dec 2011 11:23:21 +0100
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Tim Bruijnzeels <>
In-Reply-To: <>
Date: Fri, 02 Dec 2011 11:23:21 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <>
To: Danny McPherson <>
X-Mailer: Apple Mail (2.1084)
X-RIPE-Spam-Level: ----
X-RIPE-Spam-Report: Spam Total Points: -4.1 points pts rule name description ---- ---------------------- ------------------------------------ -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -1.2 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a071994dc1eb4342b3d2eaccccb23e79f6b5d
Cc: sidr wg <>
Subject: Re: [sidr] RPKI validator testing summary
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 02 Dec 2011 10:23:28 -0000

On Dec 2, 2011, at 2:51 AM, Danny McPherson wrote:

> On Nov 30, 2011, at 10:38 AM, Andrew Chi wrote:
>> The specs leave room for the relying party to decide what to do with imperfect but not completely invalid objects. 
> Thanks for sharing Andrew.  One question and one comment...
> Is an expired object "completely invalid" or just "imperfect"?  Can you 
> explain the difference?

I think that here, the term 'stale' is preferred over 'expired'. This is not about any object type, but manifests and crls in particular..

A manifest is stale "if the current time is after the nextUpdate time":

When a one-time-use EE cert is used in the manifest CMS the validity time MUST match the 'thisUpdate' and 'nextUpdate' of the manifest contents:

So note that in this case the 'expired' EE cert should be considered 'stale' instead as well..

CRLs also have a 'nextUpdate' field, that's typically the same as the manifest's. Again, these are considered 'stale' not 'expired' after this time.

The reasoning is that an RP may only have old data for some reason: eg. no updates occurred due to some technical issue, or there is some problem retrieving new info. In this case it would be a bit rash to *reject* the manifests and CRLs and all objects that depend on them. This is the text in

  "All signed objects at the publication point issued by the entity that
   has published the stale manifest, and all descendant signed objects
   that are validated using a certificate issued by the entity that has
   published the stale manifest at this publication point SHOULD be
   viewed as somewhat suspect, but MAY be used by the RP as per local

Current validator implementations differ in how they treat this case:

rsynic			accepts for indefinite(?) time (warns?)*
BBN validator	accepts for indefinite(?) time (warns?)*
RIPE NCC val.	rejects

*: Andrew, Rob please comment..

We are now changing our validator to do the same as the other implementations and accept stale manifests and crls for an indefinite time, but warn about it. 

There still is something to say for not accepting 'stale' for too long. It makes an RP vulnerable to replays and defeats the idea of why the manifests and crls are there in the first place, in my opinion. So, we are thinking of adding a configuration setting at some point that allows the user to indicate something like: "accept stale for a maximum of X times the intended validity period" -- with a default of 3(?).. so: if a manifest/crl was issued with an intended 24 hour life time, accept it for another 72 hours. As a compromise between security and resilience.. I am open to better suggestions..

Note that if other objects such as CA certificates, or ROAs (by their EEs) are expired they must be rejected. The validator implementations agree on this.

> In general, I agree with you that this needs to be codified before we proceed
> and I agree with Randy that "I see no reason to tolerate useless incorrectness" 
> in a brand new security system expressly aimed at bringing integrity to the mix, 
> integrity that is especially important in times of instability and uncertainty.

I think corner cases exist where a publisher doesn't follow the standards strictly, but the offense is not so serious that a publication point and its descendants should be rejected altogether. For example the AIA pointer is not really needed to validate the child certificate. Incorrect key usage bits in an EE cert is another (our old code had this bug). Other current example: illegal characters in subject names. It's all incorrect, but none of these case actually make it impossible to validate a child cert. The AIA pointer is not needed when you're walking top-down, the key usage bits are an indication of allowed use, but not used to determine validity (esp. in EEs an entity issued themselves, it's not their parent allowing/disallowing some use), the subject still parses in the BBN, openssl (rsynic) and bouncy castle (our validator uses this) libraries.

So.. I would actually prefer to warn instead in cases like this.

As an implementer of publishing software I want to fix my code to not raise any of these warnings. But resource competition means that this may take time.. Therefore I think that at the very least validators should *warn* for new corner cases for some time before they start to reject. There are a number of different implementations out there and not all corner cases are covered. If validators start checking for more and more corner cases now, and reject, that would result in very flaky availability (in terms of acceptance) of the current repositories.

Having a list of all these corner cases and their agreed severity can help prevent nasty surprises.