Re: [sidr] RPKI: Are relying parties really supposed to validate DER encoding?

Russ Housley <housley@vigilsec.com> Thu, 10 January 2019 22:39 UTC

From: Russ Housley <housley@vigilsec.com>
Date: Thu, 10 Jan 2019 17:39:00 -0500
Cc: IETF SIDR <sidr@ietf.org>
To: Alberto Leiva <ydahhrk@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/n8cq2UFxfEuID4MQogpKDdKUQz4>
Subject: Re: [sidr] RPKI: Are relying parties really supposed to validate DER encoding?

See the section on DER encoding at https://en.wikipedia.org/wiki/X.690.

> On Jan 10, 2019, at 5:26 PM, Alberto Leiva <ydahhrk@gmail.com> wrote:
> 
> Hello.
> 
> I have a question:
> 
> RFC 6488 section 3.1.l (https://tools.ietf.org/html/rfc6488#section-3)
> wants relying parties (RPs) to validate that all RPKI signed objects
> are DER-encoded, which (I think) means that they must be BER-encoded
> with minimal and unique representations.
> 
> But I have found at least one other requirement that seems to
> contradict this: RFC 6482 section 3.3, fourth paragraph, second half,
> claims that a ROA (which is a signed object) is allowed to contain
> redundant ROAIPAddress elements.
> 
> Furthermore, RFC 3779 (which is meaningfully referenced by the ROA and
> RPKI certificate (6487) RFCs) states the following:
> 
>   relying parties do
>   not need to sort the information, or to implement extra code in the
>   subset checking algorithms to handle several boundary cases
>   (adjacent, overlapping, or subsumed ranges).
> 
> Which seems to be paraphraseable as "RPs can parse signed objects as
> if they were BER-encoded, without worrying about DER."
> 
> In fact, my reading of it is that the entirety of RFC 3779 seems to be
> of the mind that IP and AS extension writers are intended to strictly
> adhere to DER specifically for the sake of simplifying the task of
> RPs. RFC 6488, on the other hand, wants both to be strict.
> 
> So what's the consensus?
> 
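As an added illustration (not code from this thread or from any RPKI validator), here is a small Python DER-strictness check of the kind RFC 6488 section 3.1 asks a relying party to apply before it parses a signed object: it rejects the BER-only forms that X.690's DER rules exclude (indefinite lengths, non-minimal length and INTEGER encodings, unsorted SET OF, non-zero BIT STRING padding). The constructed ROAIPAddressFamily sample at the end repeats one ROAIPAddress inside a SEQUENCE OF, as RFC 6482 permits, and still passes, because DER fixes how each value is encoded, not which values a SEQUENCE OF may contain.

```python
def _read_length(buf, i, end):
    first = buf[i]                           # first length octet
    if first == 0x80:
        raise ValueError(f"indefinite length at offset {i}")
    if first < 0x80:
        return first, i + 1                  # short form
    n = first & 0x7F
    if i + 1 + n > end:
        raise ValueError(f"truncated length at offset {i}")
    length = int.from_bytes(buf[i + 1:i + 1 + n], "big")
    if length < 0x80 or buf[i + 1] == 0:     # long form must be minimal
        raise ValueError(f"non-minimal length at offset {i}")
    return length, i + 1 + n
def check_der(buf, start=0, end=None):
    """Walk TLVs in buf[start:end]; raise on BER-only forms, return elements."""
    end = len(buf) if end is None else end
    elems, i = [], start
    while i < end:
        tag = buf[i]
        if tag & 0x1F == 0x1F or i + 1 >= end:
            raise ValueError(f"multi-octet tag or truncation at offset {i}")
        length, j = _read_length(buf, i + 1, end)
        if j + length > end:
            raise ValueError(f"element at offset {i} overruns its parent")
        body = buf[j:j + length]
        if tag & 0x20:                                   # constructed: recurse
            inner = check_der(buf, j, j + length)
            if tag == 0x31 and inner != sorted(inner):   # SET OF must be sorted
                raise ValueError(f"SET at offset {i} not in DER order")
        elif tag == 0x02 and (not body or len(body) > 1
                              and body[0] == (0xFF if body[1] & 0x80 else 0)):
            raise ValueError(f"INTEGER at offset {i} has a redundant sign octet")
        elif tag == 0x03 and (not body or body[0] > 7
                              or body[-1] & ((1 << body[0]) - 1)):
            raise ValueError(f"BIT STRING at offset {i}: unused bits not zero")
        elems.append(bytes(buf[i:j + length]))
        i = j + length
    return elems
def is_der(buf):
    """The RFC 6488 section 3.1 check: True only for strict DER."""
    try:
        check_der(buf)
        return True
    except ValueError:
        return False
# Constructed sample: ROAIPAddressFamily (RFC 6482) for IPv4 listing 10.0.0.0/8
# twice; still valid DER, since DER fixes encodings, not SEQUENCE OF contents.
ROA_FAMILY_DER = bytes.fromhex("3012" "04020001" "300c" "30040302000a" "30040302000a")
ROA_FAMILY_BER = b"\x30\x80" + ROA_FAMILY_DER[2:] + b"\x00\x00"  # indefinite length: BER only
```

Multi-octet tags are rejected rather than parsed; RPKI objects use only single-octet tags, so that simplification does not affect the check.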