Re: [sidr] [Technical Errata Reported] RFC8182 (7239)

Job Snijders <job@fastly.com> Thu, 08 December 2022 22:40 UTC

Date: Thu, 08 Dec 2022 23:40:32 +0100
From: Job Snijders <job@fastly.com>
To: Russ Housley <housley@vigilsec.com>
Cc: Tom Harrison <tomh@apnic.net>, Rob Austein <sra@hactrn.net>, IETF SIDR <sidr@ietf.org>, bryan@cobenian.com, Chris Morrow <morrowc@ops-netman.net>, andrew-ietf@liquid.tech, John Scudder <jgs@juniper.net>, tim@ripe.net
Message-ID: <Y5Jn4FREUw04NljO@snel>
References: <20221104113812.3303455F68@rfcpa.amsl.com> <Y5AjG3AJjHaFIRdv@TomH-802418> <44A83A72-1873-4AC6-B27D-F9F50DAF7CEE@vigilsec.com>
In-Reply-To: <44A83A72-1873-4AC6-B27D-F9F50DAF7CEE@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/kK2nEvNmwL8Kxq0UdbiEJIbeVSc>

In response to Russ:

On Thu, Dec 08, 2022 at 10:20:54AM -0500, Russ Housley wrote:
> RFC 5280 defines the SAI extension, and it says:
> 
>    This profile defines one access method to be used when the subject is
>    a CA and one access method to be used when the subject is an end
>    entity.  Additional access methods may be defined in the future in
>    the protocol specifications for other services.
> 
> I think it is pretty clear that new access methods are expected to come
> along over time.

Sure, but that's not what RFC 8182 intended to accomplish in the context
of RPKI EE certificates. RFC 8182 did not update RFC 6487 section 4.8.8.2.
RPKI EE certificates only contain one or more instances of
id-ad-signedObject in their SIA extension.

The point of this erratum is to clarify that only CA certificates are
expected to (optionally) contain an instance of the rpkiNotify
AccessDescription; EE certificates are not expected to contain an
instance of rpkiNotify.

Preparing for future extensibility is easier in a tidy house.

Kind regards,

Job