Re: [sidr] [Technical Errata Reported] RFC8182 (7239)

John Scudder <jgs@juniper.net> Mon, 23 January 2023 14:38 UTC

Hi All,

I see this erratum went to sidr@ but not sidrops@. I suspect there is considerable overlap between the two lists, but just in case, I thought I’d add sidrops before any disposition is decided for the erratum. The discussion so far is at https://mailarchive.ietf.org/arch/msg/sidr/7ZwQsV9gsqEgZurkf1nAtCvlZes/ 

If you do have an opinion and haven’t chimed in yet, now would be a good time. 

Thanks,

—John


> On Nov 4, 2022, at 7:38 AM, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
> 
> The following errata report has been submitted for RFC8182,
> "The RPKI Repository Delta Protocol (RRDP)".
> 
> --------------------------------------
> You may review the report below and at:
> https://urldefense.com/v3/__https://www.rfc-editor.org/errata/eid7239__;!!NEt6yMaO-gk!Hmh7ECsx8QBjyj3iaVOY12TDeyhe2F4SPyvBI49N5TT_-a7Coy9Z9a_jFJ4nat5SkUTodPX9IcgXbnT_H_fC5A$
> 
> --------------------------------------
> Type: Technical
> Reported by: Job Snijders <job@fastly.com>
> 
> Section: 3.2
> 
> Original Text
> -------------
> Certificate Authorities that use RRDP MUST include an instance of an
> SIA AccessDescription extension in resource certificates they
> produce, in addition to the ones defined in [RFC6487]:
> 
> Corrected Text
> --------------
> Certificate Authorities that use RRDP MUST include an instance of an
> SIA AccessDescription extension in CA resource certificates they
> produce, in addition to the ones defined in [RFC6487]:
> 
> Notes
> -----
> Between draft-ietf-sidr-delta-protocol-04 and draft-ietf-sidr-delta-protocol-05 a bit of text was removed (perhaps because it was considered redundant). But, unfortunately that snippet helped establish important context as to what types of certificates are expected to contain the id-ad-rpkiNotify accessMethod inside the Subject Information Access extension. The text that was removed:
> 
> """
> Relying Parties that do not support this delta protocol MUST MUST NOT
> reject a CA certificate merely because it has an SIA extension
> containing this new kind of AccessDescription.
> """
> 
> From the removed text it is clear that id-ad-rpkiNotify was only expected to show up on CA certificates. However, without the above text, Section 3.2 of RFC 8182 is somewhat ambiguous whether 'resource certificates' is inclusive of EE certificates or not.
> 
> RFC 6487 Section 4.8.8.2 sets expectations that only id-ad-signedObject is expected to show up in the SIA of EE certificates "Other AccessMethods MUST NOT be used for an EE certificates's SIA."
> 
> The ambiguity in RFC8182 led to one RIR including id-ad-rpkiNotify in the SIA of the EE certificate of all signed objects they produce (such as ROAs). The RIR indicated they'll work to remove id-ad-rpkiNotify from all EE certificates their CA implementation produces.
> 
> It should be noted that the presence of id-ad-rpkiNotify in EE certificates is superfluous; Relying Parties can't use the rpkiNotify accessMethod in EE certificates for any purpose in the validation decision tree.
> 
> (Verifying this Errata does not block a future transition from rsync to https; as RFC6487 Section 4.8.8.2 leaves room for additional instances of id-ad-signedObject with non-rsync URIs)
> 
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> can log in to change the status and edit the report, if necessary.
> 
> --------------------------------------
> RFC8182 (draft-ietf-sidr-delta-protocol-08)
> --------------------------------------
> Title               : The RPKI Repository Delta Protocol (RRDP)
> Publication Date    : July 2017
> Author(s)           : T. Bruijnzeels, O. Muravskiy, B. Weber, R. Austein
> Category            : PROPOSED STANDARD
> Source              : Secure Inter-Domain Routing
> Area                : Routing
> Stream              : IETF
> Verifying Party     : IESG
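As an added example (not code from this thread or from any RP implementation), here is a small Python check that decodes the DER value of an RPKI Subject Information Access extension and reports, by certificate role, the situation the erratum describes: id-ad-rpkiNotify is expected on CA certificates (RFC 8182 Section 3.2) and out of place on EE certificates (RFC 6487 Section 4.8.8.2). The OIDs are the registered id-ad values; the sample SIA values and their URIs are constructed for the example.

```python
ID_AD_CA_REPOSITORY, ID_AD_RPKI_MANIFEST = "1.3.6.1.5.5.7.48.5", "1.3.6.1.5.5.7.48.10"  # RFC 6487
ID_AD_SIGNED_OBJECT, ID_AD_RPKI_NOTIFY = "1.3.6.1.5.5.7.48.11", "1.3.6.1.5.5.7.48.13"  # RFC 6487, RFC 8182

def _tlv(buf, pos):
    """One DER TLV at pos -> (tag, contents, next pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low bits give octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                        # base-128 arcs, high bit = continue
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def parse_sia(der):
    """[(accessMethod OID, accessLocation URI), ...] from a DER SIA extnValue."""
    tag, seq, _ = _tlv(der, 0)
    if tag != 0x30: raise ValueError("SIA must be a SEQUENCE OF AccessDescription")
    out, pos = [], 0
    while pos < len(seq):
        _, ad, pos = _tlv(seq, pos)
        t_oid, oid, p = _tlv(ad, 0)
        t_uri, uri, _ = _tlv(ad, p)
        if t_oid != 0x06 or t_uri != 0x86:     # OBJECT IDENTIFIER, GeneralName [6] URI
            raise ValueError("malformed AccessDescription")
        out.append((_decode_oid(oid), uri.decode("ascii")))
    return out

def check_sia(is_ca, access_descriptions):
    """Findings for an SIA by certificate role; an empty list means acceptable."""
    methods = {m for m, _ in access_descriptions}
    if is_ca:   # RFC 6487 4.8.8.1 requirements; rpkiNotify is allowed here (RFC 8182 3.2)
        return ["CA SIA lacks " + m
                for m in (ID_AD_CA_REPOSITORY, ID_AD_RPKI_MANIFEST) if m not in methods]
    # RFC 6487 4.8.8.2: only id-ad-signedObject belongs in an EE SIA (erratum 7239 case)
    return ["EE SIA carries unexpected accessMethod " + m
            for m in sorted(methods - {ID_AD_SIGNED_OBJECT})]

def _der(tag, payload):   # minimal DER encoder for the constructed samples below
    return bytes([tag, len(payload)]) + payload            # assumes len(payload) < 128
def _ad(last_arc, uri):                                     # one AccessDescription
    oid = bytes([0x2B, 6, 1, 5, 5, 7, 48, last_arc])        # 1.3.6.1.5.5.7.48.<last_arc>
    return _der(0x30, _der(0x06, oid) + _der(0x86, uri.encode("ascii")))
# Constructed sample SIA values with hypothetical URIs (not real repositories).
SAMPLE_CA_SIA = _der(0x30, _ad(5, "rsync://x.example/r/") + _ad(10, "rsync://x.example/r/m.mft") + _ad(13, "https://x.example/n.xml"))
SAMPLE_EE_SIA = _der(0x30, _ad(11, "rsync://x.example/r/a.roa") + _ad(13, "https://x.example/n.xml"))
```

Running `check_sia(False, parse_sia(SAMPLE_EE_SIA))` reports the stray rpkiNotify on the EE certificate, while the same accessMethod on the CA sample produces no finding.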