Re: [sidr] Requesting comments on multiple publication points
Tim Bruijnzeels <tim@ripe.net> Fri, 02 August 2013 07:24 UTC
Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1229111E8253 for <sidr@ietfa.amsl.com>; Fri, 2 Aug 2013 00:24:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dK72beMDA7qR for <sidr@ietfa.amsl.com>; Fri, 2 Aug 2013 00:24:24 -0700 (PDT)
Received: from postgirl.ripe.net (postgirl.ipv6.ripe.net [IPv6:2001:67c:2e8:11::c100:1342]) by ietfa.amsl.com (Postfix) with ESMTP id 1C57D11E828F for <sidr@ietf.org>; Fri, 2 Aug 2013 00:24:22 -0700 (PDT)
Received: from dodo.ripe.net ([193.0.23.4]) by postgirl.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1V59iY-0003Cm-W8; Fri, 02 Aug 2013 09:24:10 +0200
Received: from puppy.ripe.net ([193.0.1.230] helo=[IPv6:::1]) by dodo.ripe.net with esmtps (TLSv1:AES128-SHA:128) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1V59iY-0004vz-Po; Fri, 02 Aug 2013 09:24:06 +0200
Content-Type: multipart/alternative; boundary="Apple-Mail=_A1B14E69-7540-4B7D-AB06-A27F93D51D1C"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <CA+z-_EWRjFEsv0t_2Lo5NHFUd41oq-KP_XEp0VRf1x9DEkustg@mail.gmail.com>
Date: Fri, 02 Aug 2013 09:24:08 +0200
Message-Id: <57B9068E-B105-490F-9390-7EF3A3C2F1CC@ripe.net>
References: <CA+z-_EWRjFEsv0t_2Lo5NHFUd41oq-KP_XEp0VRf1x9DEkustg@mail.gmail.com>
To: carlos@lacnic.net
X-Mailer: Apple Mail (2.1508)
X-Anti-Virus: Kaspersky Anti-Virus for Linux Mail Server 5.6.48/RELEASE, bases: 20120425 #7816575, check: 20130802 clean
X-RIPE-Spam-Level: ----
X-RIPE-Spam-Report: Spam Total Points: -4.4 points pts rule name description ---- ---------------------- ------------------------------------ -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -1.5 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] 0.0 HTML_MESSAGE BODY: HTML included in message
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a07192800aeeebc28a15165a47e55648d29e7
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] Requesting comments on multiple publication points
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Aug 2013 07:24:29 -0000
On Aug 1, 2013, at 5:50 PM, Carlos Martinez-Cagnazzo <carlosm3011@gmail.com> wrote: > thanks for all your input on this draft. I encourage all to send their comments and discuss the draft on the list. I have some ideas I would like to share with the authors and working group after the presentation on multiple publication points. = I support the idea of having multiple publication points in general I think it addresses a need for increased redundancy, even if it adds complexity. = I agree that two documents instead of one would be useful The problem of finding different out-of-sync information is different when retrieving TAs, and published objects of certificates. = Instructions to TAs listing multiple publication point I believe the TA SHOULD make sure that TA certificates published in different locations are kept up to date. I think a maximum of 24 hour delay between updating the first location and the last location is the right order of magnitude. If TAs can no longer maintain a publication point I believe they MUST remove the TA certificate from that publication point. = Instructions to RPs looking at TAs I believe it should be local policy whether an RP fetches just one, or several TA certificates. I think it should be recommended to download all TA certificates, validate them (including self signed signature) and compare them. The certificate with the highest serial number should be used. = Allowing changes to TALs Obviously a more detailed document would be needed to describe this, but one way to achieve this could be to let the current TA to publish a signed object containing the new TAL, and some other information like: date when new TAL becomes operational and date when the current TAL will be withdrawn. I believe this is useful here because it would allow TAs to change the list of URIs they include on the TAL. This can also give us a useful way to do planned rolls of TA keys, and with some other meta-info this might be useful for algorithm roll as well. = Instructions to CAs using multiple publication points I believe SIA fields can be used to list more than one publication point, irrespective of protocol. I believe that CAs MUST maintain all their publication points. As a rule I think that a "MUST send updates to all publication points with one hour is appropriate". Furthermore I believe that a CA that is planning to remove a publication point MUST request a new certificate minus the corresponding SIA pointers before withdrawing. And conversely, if CAs want to add publication point I believe they MUST start publishing there first, and only then request a new certificate with the additional SIA pointers. = Instructions to RPs when using multiple publication points I think local policy applies. I would recommend that multiple sources are checked, but if an RP will only use e.g. the first publication point I think that should be allowed. The CA has a responsibility to keep all those publication points up to date, or withdraw them if they can't, or just won't.. I believe that separating the object discovery and retrieval from validation can help to deal with inconsistencies between repositories. Described here: http://tools.ietf.org/id/draft-tbruijnzeels-sidr-validation-local-cache-01.txt In a nutshell the idea is to do validation using manifests as authoritative sources to find the current objects published by for a CA certificate. The latest *valid* manifest is used for this. The objects are retrieved by hash rather than their name. So it does not matter where the RP got this from, or how often. That said this needs pilot work. I hope to do proof-of-concept code. I don't believe this is the only way for RPs to deal with this, but I think it would help to show a possible way to achieve this. Cheers Tim
- [sidr] Requesting comments on multiple publicatio… Carlos Martinez-Cagnazzo
- Re: [sidr] Requesting comments on multiple public… Tim Bruijnzeels
- Re: [sidr] Requesting comments on multiple public… Stephen Kent
- Re: [sidr] Requesting comments on multiple public… Murphy, Sandra