Re: [sidr] Terry Manderson's Discuss on draft-ietf-sidr-rpsl-sig-11: (with DISCUSS and COMMENT)
Tim Bruijnzeels <tim@ripe.net> Thu, 19 May 2016 07:43 UTC
Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B28B812B074; Thu, 19 May 2016 00:43:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.326
X-Spam-Level:
X-Spam-Status: No, score=-3.326 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.426] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RCUTryx5u93p; Thu, 19 May 2016 00:43:36 -0700 (PDT)
Received: from molamola.ripe.net (molamola.ripe.net [IPv6:2001:67c:2e8:11::c100:1371]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF9DB12B03E; Thu, 19 May 2016 00:43:35 -0700 (PDT)
Received: from titi.ripe.net ([193.0.23.11]) by molamola.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <tim@ripe.net>) id 1b3IcD-0007VF-1c; Thu, 19 May 2016 09:43:31 +0200
Received: from sslvpn.ripe.net ([193.0.20.230] helo=vpn-195.ripe.net) by titi.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1b3IcC-0008NN-NQ; Thu, 19 May 2016 09:43:28 +0200
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: text/plain; charset="us-ascii"
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <CAKr6gn2dekUfo6EAORAnOck=U-FoFsXreZ43KDT3X8SBRWG3HA@mail.gmail.com>
Date: Thu, 19 May 2016 09:43:27 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <A50029AB-E12B-4945-8DB9-A4A0C937FE8C@ripe.net>
References: <20160518033754.24796.52937.idtracker@ietfa.amsl.com> <f1770d7b-7a16-6bab-91f7-dd6e41bb60ff@innovationslab.net> <35AEF9F7-FFAD-470B-9D0D-1D7BE7C7FE90@ripe.net> <d4872829-f267-2297-0abc-4820bbde07ed@innovationslab.net> <CAKr6gn2dekUfo6EAORAnOck=U-FoFsXreZ43KDT3X8SBRWG3HA@mail.gmail.com>
To: George Michaelson <ggm@algebras.org>
X-Mailer: Apple Mail (2.3124)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: ----------
X-RIPE-Spam-Report: Spam Total Points: -10.8 points pts rule name description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED Passed through trusted hosts only via SMTP -1.4 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a07197aaf9822b651c7f2bffab93391130d73
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/uBINbahy6kUBlIxMrbNltO2VFUE>
Cc: "sidr@ietf.org" <sidr@ietf.org>, sidr chairs <sidr-chairs@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-sidr-rpsl-sig@ietf.org, "Sandra L. Murphy" <sandy@tislabs.com>
Subject: Re: [sidr] Terry Manderson's Discuss on draft-ietf-sidr-rpsl-sig-11: (with DISCUSS and COMMENT)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 May 2016 07:43:38 -0000
Hi all, Actually, yes, I agree with George on in-line. In-line would have my preference. Include the entire EE certificate in the signature field. This way it does not need to be fetched separately, and it does not need to appear in a repository or a manifest. Mandate that the EE certificate is signed by CA certificate in the RPKI (i.e. no longer chain possible). The EE certificate should have an AIA and AKI that can then be easily referenced against known CA certificates that a validator found. So in short: a validator can do its normal top-down validation for a TA. And to perform bottom-up validation of a signed RPSL object the process of validating the EE cert would be fairly simple -> find a CA cert with SKI matching the AKI of the EE, verify the signature of the EE (proof of possession), verify the CRL. Omitting the other checks here - would be good to specify this explicitly in the document, but for the discussion here seems excessive. I think there was some discussion around this earlier and back then the thought was that we wouldn't want to make the RPSL objects bigger. However, I don't know if that should be a concern. The way I see it looking at our own whois implementation I imagine that this field could actually only be shown to RPs when they supply an additional flag, if size is a concern. And in our web UI (ad-hoc queries by humans) we would not show the signature field as is, but process it and highlight signed fields somehow. Tim > On 19 May 2016, at 00:39, George Michaelson <ggm@algebras.org> wrote: > > I would rather the sigs were signed by ee certs which were in the > blob, than have to make an external reference and I would rather we > varied the compliance needs to remove a pointless external ref. > > If there has to be a ref, I think making it mandated to a specific > scheme is over specifying, especially in a context where we might > begin to understand *where you get cryptographic materials from is > less important than proving who said them*. > > Rsync is a bad fit. for the actual signing cert, Inline is better. It > can refer to whatever chain it likes. > > -G > > On Thu, May 19, 2016 at 1:02 AM, Brian Haberman > <brian@innovationslab.net> wrote: >> Hi Tim, >> >> On 5/18/16 10:32 AM, Tim Bruijnzeels wrote: >>> Hi, >>> >>>> On 18 May 2016, at 15:08, Brian Haberman <brian@innovationslab.net> >>>> wrote: >>>> >>>> Hi Terry, >>>> >>>> On 5/17/16 11:37 PM, Terry Manderson wrote: >>>>> Terry Manderson has entered the following ballot position for >>>>> draft-ietf-sidr-rpsl-sig-11: Discuss >>>>> >>>>> When responding, please keep the subject line intact and reply to >>>>> all email addresses included in the To and CC lines. (Feel free >>>>> to cut this introductory paragraph, however.) >>>>> >>>>> >>>>> Please refer to >>>>> https://www.ietf.org/iesg/statement/discuss-criteria.html for >>>>> more information about IESG DISCUSS and COMMENT positions. >>>>> >>>>> >>>>> The document, along with other ballot positions, can be found >>>>> here: https://datatracker.ietf.org/doc/draft-ietf-sidr-rpsl-sig/ >>>>> >>>>> >>>>> >>>>> ---------------------------------------------------------------------- >>>>> >>>>> >> DISCUSS: >>>>> ---------------------------------------------------------------------- >>>>> >>>>> >>>>> >> Thank you for putting substantial effort into this document. >>>>> >>>>> I have a few discusses. I hope they can be resolved quickly. >>>>> >>>>> In Section 2.1. The reference to the aligned certificate which >>>>> has the same private key that signed the RPSL object is >>>>> mandatory, and defined by a RSYNC URL or a HTTP(S) URL. My >>>>> question surrounds the "or". The architecture of RPKI (IIRC) is >>>>> centered around RSYNC, and thus SIA/AIA values MUST have a RSYNC >>>>> URL, and MAY have other types. By this are you leaving it to the >>>>> issuing party to control the RPKI Distribution mechanisms of the >>>>> Replying Party? I am quite comfortable with "or" personally, >>>>> however this facet of fetching the RPSL Certificate to validate >>>>> the private key usage is seemingly orthogonal to the RPKI >>>>> architecture of RSYNC preferred and should be called out if 'or' >>>>> is the clear intention. Or, has the consensus of the WG moved on >>>>> from being wedded to RSYNC? >>>> >>>> I am not aware of the WG moving away from their rsync leanings... >>> >>> My take on this: for the moment I would stick to rsync as it's >>> required and EE certificates appearing in the rsync repository, and >>> leave out http(s). >>> >> >> If the consensus is to remove mention of an http(s) URI, I can live with >> that. The current state of affairs within the SIDR documentation is such >> that only an rsync URI will be feasible in the near future. I don't >> believe that the mention of an http(s) URI in this context affects that >> one way or the other. >> >> Regards, >> Brian >> >> >> >> _______________________________________________ >> sidr mailing list >> sidr@ietf.org >> https://www.ietf.org/mailman/listinfo/sidr >> > > _______________________________________________ > sidr mailing list > sidr@ietf.org > https://www.ietf.org/mailman/listinfo/sidr
- [sidr] Terry Manderson's Discuss on draft-ietf-si… Terry Manderson
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Brian Haberman
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Tim Bruijnzeels
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Brian Haberman
- Re: [sidr] Terry Manderson's Discuss on draft-iet… George Michaelson
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Terry Manderson
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Tim Bruijnzeels
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Robert Kisteleki
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Stephen Kent
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Tim Bruijnzeels