[sidr] Validation reconsidered and X.509v3 extension OIDs

Rob Austein <sra@hactrn.net> Tue, 19 July 2016 11:18 UTC

Return-Path: <sra@hactrn.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A7CB12B02B for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2016 04:18:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.187
X-Spam-Level:
X-Spam-Status: No, score=-3.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fupu3W6WzUiY for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2016 04:18:29 -0700 (PDT)
Received: from khatovar.hactrn.net (khatovar.hactrn.net [198.180.150.30]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4CEA12B057 for <sidr@ietf.org>; Tue, 19 Jul 2016 04:18:29 -0700 (PDT)
Received: from minas-ithil.hactrn.net (dhcp-b3d9.meeting.ietf.org [31.133.179.217]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "nargothrond.hactrn.net", Issuer "Grunchweather Associates" (not verified)) by khatovar.hactrn.net (Postfix) with ESMTPS id 95BF31398E for <sidr@ietf.org>; Tue, 19 Jul 2016 11:18:28 +0000 (UTC)
Received: from minas-ithil.hactrn.net (localhost [IPv6:::1]) by minas-ithil.hactrn.net (Postfix) with ESMTP id 12A97412B25E for <sidr@ietf.org>; Tue, 19 Jul 2016 13:18:30 +0200 (CEST)
Date: Tue, 19 Jul 2016 13:18:29 +0200
From: Rob Austein <sra@hactrn.net>
To: sidr@ietf.org
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Message-Id: <20160719111830.12A97412B25E@minas-ithil.hactrn.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/gHl6g_u1Wm1SVmgEq5ZczIJA5XA>
Subject: [sidr] Validation reconsidered and X.509v3 extension OIDs
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2016 11:18:35 -0000

Reminding the WG of an old issue I raised years ago for validation
reconsidered which, as far as I know, has not yet been addressed.

If we change the validation algorithm, we really should also change
the object identifiers used in the X.509v3 extensions used to convey
the resources.

The reason for this is simple: the RFC 3779 validation algorithm has
shipped, long since.  My implementation has been part of OpenSSL for
the last decade, and while it's not enabled by default on all
platforms, it is on some, and is available as a configuration option
on others.  It is far too late to change this, that ship has sailed.

So if we're talking about changing the validation algorithm now, we
need to label the algorithm we're using, so that validation code knows
which algorithm it's supposed to follow.  Otherwise, we'll get
different validation results at different sites depending on which
algorithm they're using this week, different routing decisions as a
consequence, dogs and cats living together, mass hysteria.

The solution to this is simple: change the extension OIDs.  X.509's
"critical extension" mechanism will take care of the rest.

This will require some kind of phase-in/phase-out process during which
the new OIDs appear and the old OIDs vanish, and will require RP code
to implement the new OIDs, but these are trivial issues given that the
RP behavior has to change in any case, that being the point of the
entire validation reconsidered exercise.

Yes, this will be a bit painful, but I view it as in essence exposing
a problem that already exists, rather than sweeping it under the rug.

Sorry for reminding the WG of this yet again at what some may consider
a late date, but I have raised this issue before, I just haven't
(re)raised it in the last few months.