IETF Logo Mail Archive

Re: [sidr] [Technical Errata Reported] RFC8182 (7239)

Russ Housley <housley@vigilsec.com> Thu, 08 December 2022 15:21 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FEA7C14CE2E for <sidr@ietfa.amsl.com>; Thu, 8 Dec 2022 07:21:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LWk7q0EEE9vm for <sidr@ietfa.amsl.com>; Thu, 8 Dec 2022 07:20:56 -0800 (PST)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D8A2C14CE22 for <sidr@ietf.org>; Thu, 8 Dec 2022 07:20:56 -0800 (PST)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 66AAC140876; Thu, 8 Dec 2022 10:20:55 -0500 (EST)
Received: from [10.0.1.2] (pfs.iad.rg.net [198.180.150.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 35EC714064B; Thu, 8 Dec 2022 10:20:55 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <Y5AjG3AJjHaFIRdv@TomH-802418>
Date: Thu, 08 Dec 2022 10:20:54 -0500
Cc: Job Snijders <job@fastly.com>, Rob Austein <sra@hactrn.net>, IETF SIDR <sidr@ietf.org>, bryan@cobenian.com, Chris Morrow <morrowc@ops-netman.net>, andrew-ietf@liquid.tech, John Scudder <jgs@juniper.net>, tim@ripe.net
Content-Transfer-Encoding: quoted-printable
Message-Id: <44A83A72-1873-4AC6-B27D-F9F50DAF7CEE@vigilsec.com>
References: <20221104113812.3303455F68@rfcpa.amsl.com> <Y5AjG3AJjHaFIRdv@TomH-802418>
To: Tom Harrison <tomh@apnic.net>
X-Mailer: Apple Mail (2.3445.104.21)
X-Scanned-By: mailmunge 3.10 on 66.39.134.11
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/iDT-6oeWsCSKVypQt1HV1dlGZuM>
Subject: Re: [sidr] [Technical Errata Reported] RFC8182 (7239)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Dec 2022 15:21:00 -0000

RFC 5280 defines the SAI extension, and it says:

   This profile defines one access method to be used when the subject is
   a CA and one access method to be used when the subject is an end
   entity.  Additional access methods may be defined in the future in
   the protocol specifications for other services.

I think it is pretty clear that new access methods are expected to com along over time.

Russ


> On Dec 7, 2022, at 12:22 AM, Tom Harrison <tomh@apnic.net> wrote:
> 
> On Fri, Nov 04, 2022 at 04:38:12AM -0700, RFC Errata System wrote:
>> The following errata report has been submitted for RFC8182,
>> "The RPKI Repository Delta Protocol (RRDP)".
>> 
>> --------------------------------------
>> You may review the report below and at:
>> https://www.rfc-editor.org/errata/eid7239
>> 
>> --------------------------------------
>> Type: Technical
>> Reported by: Job Snijders <job@fastly.com>
>> 
>> Section: 3.2
>> 
>> Original Text
>> -------------
>> Certificate Authorities that use RRDP MUST include an instance of an
>> SIA AccessDescription extension in resource certificates they
>> produce, in addition to the ones defined in [RFC6487]:
>> 
>> Corrected Text
>> --------------
>> Certificate Authorities that use RRDP MUST include an instance of an
>> SIA AccessDescription extension in CA resource certificates they
>> produce, in addition to the ones defined in [RFC6487]:
>> 
>> Notes
>> -----
>> Between draft-ietf-sidr-delta-protocol-04 and
>> draft-ietf-sidr-delta-protocol-05 a bit of text was removed (perhaps
>> because it was considered redundant). But, unfortunately that
>> snippet helped establish important context as to what types of
>> certificates are expected to contain the id-ad-rpkiNotify
>> accessMethod inside the Subject Information Access extension. The
>> text that was removed:
>> 
>> """
>> Relying Parties that do not support this delta protocol MUST MUST NOT
>> reject a CA certificate merely because it has an SIA extension
>> containing this new kind of AccessDescription.
>> """
>> 
>>> From the removed text is is clear that id-ad-rpkiNotify was only
>>> expected to show up on CA certificates. However, without the above
>>> text, Section 3.2 of RFC 8182 is somewhat ambiguous whether
>>> 'resource certificates' is inclusive of EE certificates or not.
>> 
>> RFC 6487 Section 4.8.8.2 sets expectations that only
>> id-ad-signedObject is expected to show up in the SIA of EE
>> certificates "Other AccessMethods MUST NOT be used for an EE
>> certificates's SIA."
>> 
>> The ambiguity in RFC8182 led to one RIR including id-ad-rpkiNotify
>> in the SIA of the EE certificate of all signed objects they produce
>> (such as ROAs). The RIR indicated they'll work to remove
>> id-ad-rpkiNotify from all EE certificates their CA implementation
>> produces.
> 
> I agree with this report.  (APNIC is the RIR referred to in this
> paragraph, and we also found the text to be unclear when we were
> implementing this specification.)
> 
> -Tom
> 
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr

v2.23.0 | Report a Bug | By Email