Re: [sidr] [Technical Errata Reported] RFC8182 (7239)
Russ Housley <housley@vigilsec.com> Thu, 08 December 2022 15:21 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FEA7C14CE2E for <sidr@ietfa.amsl.com>; Thu, 8 Dec 2022 07:21:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LWk7q0EEE9vm for <sidr@ietfa.amsl.com>; Thu, 8 Dec 2022 07:20:56 -0800 (PST)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D8A2C14CE22 for <sidr@ietf.org>; Thu, 8 Dec 2022 07:20:56 -0800 (PST)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 66AAC140876; Thu, 8 Dec 2022 10:20:55 -0500 (EST)
Received: from [10.0.1.2] (pfs.iad.rg.net [198.180.150.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 35EC714064B; Thu, 8 Dec 2022 10:20:55 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <Y5AjG3AJjHaFIRdv@TomH-802418>
Date: Thu, 08 Dec 2022 10:20:54 -0500
Cc: Job Snijders <job@fastly.com>, Rob Austein <sra@hactrn.net>, IETF SIDR <sidr@ietf.org>, bryan@cobenian.com, Chris Morrow <morrowc@ops-netman.net>, andrew-ietf@liquid.tech, John Scudder <jgs@juniper.net>, tim@ripe.net
Content-Transfer-Encoding: quoted-printable
Message-Id: <44A83A72-1873-4AC6-B27D-F9F50DAF7CEE@vigilsec.com>
References: <20221104113812.3303455F68@rfcpa.amsl.com> <Y5AjG3AJjHaFIRdv@TomH-802418>
To: Tom Harrison <tomh@apnic.net>
X-Mailer: Apple Mail (2.3445.104.21)
X-Scanned-By: mailmunge 3.10 on 66.39.134.11
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/iDT-6oeWsCSKVypQt1HV1dlGZuM>
Subject: Re: [sidr] [Technical Errata Reported] RFC8182 (7239)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Dec 2022 15:21:00 -0000
RFC 5280 defines the SAI extension, and it says: This profile defines one access method to be used when the subject is a CA and one access method to be used when the subject is an end entity. Additional access methods may be defined in the future in the protocol specifications for other services. I think it is pretty clear that new access methods are expected to com along over time. Russ > On Dec 7, 2022, at 12:22 AM, Tom Harrison <tomh@apnic.net> wrote: > > On Fri, Nov 04, 2022 at 04:38:12AM -0700, RFC Errata System wrote: >> The following errata report has been submitted for RFC8182, >> "The RPKI Repository Delta Protocol (RRDP)". >> >> -------------------------------------- >> You may review the report below and at: >> https://www.rfc-editor.org/errata/eid7239 >> >> -------------------------------------- >> Type: Technical >> Reported by: Job Snijders <job@fastly.com> >> >> Section: 3.2 >> >> Original Text >> ------------- >> Certificate Authorities that use RRDP MUST include an instance of an >> SIA AccessDescription extension in resource certificates they >> produce, in addition to the ones defined in [RFC6487]: >> >> Corrected Text >> -------------- >> Certificate Authorities that use RRDP MUST include an instance of an >> SIA AccessDescription extension in CA resource certificates they >> produce, in addition to the ones defined in [RFC6487]: >> >> Notes >> ----- >> Between draft-ietf-sidr-delta-protocol-04 and >> draft-ietf-sidr-delta-protocol-05 a bit of text was removed (perhaps >> because it was considered redundant). But, unfortunately that >> snippet helped establish important context as to what types of >> certificates are expected to contain the id-ad-rpkiNotify >> accessMethod inside the Subject Information Access extension. The >> text that was removed: >> >> """ >> Relying Parties that do not support this delta protocol MUST MUST NOT >> reject a CA certificate merely because it has an SIA extension >> containing this new kind of AccessDescription. >> """ >> >>> From the removed text is is clear that id-ad-rpkiNotify was only >>> expected to show up on CA certificates. However, without the above >>> text, Section 3.2 of RFC 8182 is somewhat ambiguous whether >>> 'resource certificates' is inclusive of EE certificates or not. >> >> RFC 6487 Section 4.8.8.2 sets expectations that only >> id-ad-signedObject is expected to show up in the SIA of EE >> certificates "Other AccessMethods MUST NOT be used for an EE >> certificates's SIA." >> >> The ambiguity in RFC8182 led to one RIR including id-ad-rpkiNotify >> in the SIA of the EE certificate of all signed objects they produce >> (such as ROAs). The RIR indicated they'll work to remove >> id-ad-rpkiNotify from all EE certificates their CA implementation >> produces. > > I agree with this report. (APNIC is the RIR referred to in this > paragraph, and we also found the text to be unclear when we were > implementing this specification.) > > -Tom > > _______________________________________________ > sidr mailing list > sidr@ietf.org > https://www.ietf.org/mailman/listinfo/sidr
- [sidr] [Technical Errata Reported] RFC8182 (7239) RFC Errata System
- Re: [sidr] [Technical Errata Reported] RFC8182 (7… Tom Harrison
- Re: [sidr] [Technical Errata Reported] RFC8182 (7… Cobenian
- Re: [sidr] [Technical Errata Reported] RFC8182 (7… Tim Bruijnzeels
- Re: [sidr] [Technical Errata Reported] RFC8182 (7… Oleg Muravskiy
- Re: [sidr] [Technical Errata Reported] RFC8182 (7… Russ Housley
- Re: [sidr] [Technical Errata Reported] RFC8182 (7… Job Snijders
- Re: [sidr] [Technical Errata Reported] RFC8182 (7… John Scudder