Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track

Terry Manderson <terry.manderson@icann.org> Tue, 19 July 2011 12:51 UTC

Return-Path: <terry.manderson@icann.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB3E721F854C for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 05:51:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.535
X-Spam-Level:
X-Spam-Status: No, score=-106.535 tagged_above=-999 required=5 tests=[AWL=0.063, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H6xRhZ+IcC+O for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 05:51:53 -0700 (PDT)
Received: from EXPFE100-2.exc.icann.org (expfe100-2.exc.icann.org [64.78.22.237]) by ietfa.amsl.com (Postfix) with ESMTP id 5583821F851F for <sidr@ietf.org>; Tue, 19 Jul 2011 05:51:53 -0700 (PDT)
Received: from EXVPMBX100-1.exc.icann.org ([64.78.22.232]) by EXPFE100-2.exc.icann.org ([64.78.22.237]) with mapi; Tue, 19 Jul 2011 05:51:52 -0700
From: Terry Manderson <terry.manderson@icann.org>
To: Randy Bush <randy@psg.com>
Date: Tue, 19 Jul 2011 05:51:50 -0700
Thread-Topic: [sidr] draft-ietf-sidr-repos-struct to Standards Track
Thread-Index: AcxGBU0CyMKBu47zQmiYld9ZLl+qowADVNRv
Message-ID: <CA4BBB06.17F28%terry.manderson@icann.org>
In-Reply-To: <m239i2pllp.wl%randy@psg.com>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "draft-ietf-sidr-repos-struct@tools.ietf.org" <draft-ietf-sidr-repos-struct@tools.ietf.org>, sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2011 12:51:53 -0000

On 19/07/11 9:15 PM, "Randy Bush" <randy@psg.com> wrote:

>> I think there is an easier way, as already suggested. Add the object
>> type to the manifest in FileandHash.
>> 
>> 1) the rescert points to the publication point and manifest
>> 2) the manifest is mandatory
>> 3) the manifest is signed
>> 4) the manifest is nicely(?) readable ASN.1
> 
> so move the deck chairs from coding the type in a directory maintained
> by the operating system to one the spec and the programmers write and
> maintain?  big win there, eh?

The win is to eliminate a threat that has already been identified on the
list.

Is that not worthwhile?

Perhaps consider it from a view of security requirement, than coding ease.

> 
>> Really its a much nicer and more robust solution than either throwing the
>> entire structure out or using filename extensions to 'mandate' file/object
>> content.
> 
> we've a long tradition of using the file name extensions, formalities
> for registering them, ...  do we really need to reinvent the wheel?
> where is the win?
>

In the case of a repository system that may over time represent some worth,
and looking at this from a point of eventually operating such a repository
high up in the tree I have a concern of injecting 2 more paragraphs of text
into a organisational risk analysis that could raise eyebrows given a simple
solution to an identified threat has been proposed.

I can tell now I'll be answering "What the!?!" type questions from people
with significantly more influence than I for weeks, if not months. :(

>>> i suspect no one else wants to go there, at least no one with code in
>>> the game.
>> Really... that is a shame. I always thought that coders wanted to make
>> their code less susceptible to adverse external influence.
> 
> luckily for me, i do not have to think.  they already supported the move
> from bcp to ps on this very list.

And I can only hope they rethink their position.

> 
> for this to be changed now is not impossible.  it just needs some really
> solid reasoning and really solid documentation of how and why it should
> be changed.
> 

So both Steve and Rob identified that mapping is required to remove a mini
DoS threat (and I'm fine with that). Geoff and I have the belief that a
mapping based on the extension exposes a CA/Repository related threat given
the objects are supposed to be secure in nature. The suggestion of adding
the mapping/type into the Manifest (while awkward in ietf processing) gives
both the mapping result, and removes the CA/Repository threat identified.

What other documentation are you looking for?

If it helps, I can also propose the ASN.1 substitution for the manifest and
the necessary paragraph for the IANA considerations section.

Cheers
Terry