IETF Logo Mail Archive

Re: [sidr] working group adoption poll for draft-huston-sidr-rfc6490-bis

Stephen Kent <kent@bbn.com> Wed, 12 February 2014 15:17 UTC

Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 727B21A0398 for <sidr@ietfa.amsl.com>; Wed, 12 Feb 2014 07:17:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.749
X-Spam-Level:
X-Spam-Status: No, score=-4.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZqL6qCCWJXSE for <sidr@ietfa.amsl.com>; Wed, 12 Feb 2014 07:17:50 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id 2CFEB1A0320 for <sidr@ietf.org>; Wed, 12 Feb 2014 07:17:50 -0800 (PST)
Received: from dhcp89-089-218.bbn.com ([128.89.89.218]:52944) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1WDbZM-0007U6-Mc; Wed, 12 Feb 2014 10:17:48 -0500
Message-ID: <52FB9098.9000509@bbn.com>
Date: Wed, 12 Feb 2014 10:17:44 -0500
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Tim Bruijnzeels <tim@ripe.net>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6940A90C5@HSV-MB001.huntsville.ads.sparta.com> <m2ha8a8cb1.wl%randy@psg.com> <1B60AC34-6528-4505-B1C7-D92CA7E128D7@ripe.net> <52FA67FB.9040601@bbn.com> <354F03D4-48DB-4946-BFDF-D20C6737EA1C@ripe.net>
In-Reply-To: <354F03D4-48DB-4946-BFDF-D20C6737EA1C@ripe.net>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: sidr@ietf.org
Subject: Re: [sidr] working group adoption poll for draft-huston-sidr-rfc6490-bis
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Feb 2014 15:17:52 -0000

Tim,

>>> ...
>>>
>> I'm puzzled by the references to a "third party" above. Why would an entity acting as
>> a TA not want to control all of the locations where it's TAL identifies as places from
>> which to acquire the vert?
> Actually I think this could be a feature. Call me paranoid, but publishing the cert in places where even your own disgruntled operators can't reach it, and remove it or replace it with an old one, seems to me like an idea to entertain. Such access generally does not require any HSM, card quorum etc. But doing this of course introduces the risk of these third party points going rogue. Hence the "no control" remark. But see below..
I don't see the tradeoff as being a positive one, but at least I now 
understand the motivation for your statement.
>> ...
>> As I noted above, this seems like a good, new work item.
> Fair enough. I did not want to bring this up as a show stopper for going forward with the bis, but it seemed relevant to talk about this now.
sure.
> The rogue third party risk could be mitigated by signed TALs. A signed (presumably controlled by an HSM and N out of M cards) statement could remove such a publication point from the list. On top of this RPs could regularly re-check certificates in multiple locations to find the most recent. They could also cache the most recent one they have found and refuse older ones. This re-checking should not be needed every few minutes, but once every 24 hours or something seems quite reasonable to me.
a once per day retrieval seems quite reasonable to me too.
> But since I don't think it's feasible to get the signed TAL idea worked out for the bis, it's probably best for now to say that the entity acting as a TA should only publish the CA certificate in locations it has full control over. This would also make zealous re-checking by RPs less relevant at this stage.
agreed.

I'm happy to work with you on a new doc that explores added security 
functions for TALs.

Steve

v2.23.0 | Report a Bug | By Email