Re: [Sidrops] Manifest entry filename validation

Stephen Kent <stkent@verizon.net> Tue, 24 November 2020 14:42 UTC

To: sidrops@ietf.org
References: <18CC986C-97FA-41F6-A530-F782D3104A31@ripe.net> <73eae8a5-a400-cb45-7fbc-9cc7f79be804@verizon.net> <X7aywnRgq3ubVUBu@bench.sobornost.net> <X7bVOm2uzffEWbMY@bench.sobornost.net> <DB542A6C-A0CB-4F0A-9D15-B06AA3B98875@ripe.net> <X7vQ+ff7yAHYuF3e@bench.sobornost.net> <47A14E7B-89DA-4C9D-AFEF-41F1C1CDC607@ripe.net>
From: Stephen Kent <stkent@verizon.net>
Message-ID: <1a26db25-a898-2a19-77c1-70e620def269@verizon.net>
Date: Tue, 24 Nov 2020 09:42:46 -0500
In-Reply-To: <47A14E7B-89DA-4C9D-AFEF-41F1C1CDC607@ripe.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/-05M8Z_mK92EUuyo_fKpTWvX0Bk>
Subject: Re: [Sidrops] Manifest entry filename validation

Ties,

I think we're getting closer to a rigorous description. I like your 
concise text, but it doesn't cite the relevant list of allowed 
extensions, as suggested by Tim. Also, the requirement that extensions 
be lowercase is redundant - RFC 6481 already dictates this for 
manifests, ROAs, CRLs, GB records, and (all types of) certs.

Thus I suggest the following:

Section 4.2.2 "Names in FileAndHash objects"

Names that appear in the fileList MUST consist of one or more characters chosen
from the set a-z, A-Z, 0-9, - (HYPHEN), or _ (UNDERSCORE), followed by a single .
(DOT), followed by a three-letter extension. The extension MUST be one of those
enumerated in the "RPKI Repository Naming Scheme" registry maintained by IANA [IANA].

As an example, 'vixxBTS_TVXQ-2pmGOT7.cer' is a valid filename.


Add the following Normative Reference entry:

[IANA] https://www.iana.org/assignments/rpki/rpki.xhtml#name-schemes
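The proposed Section 4.2.2 rule, turned into a relying-party check as an added example (this code is not part of the email or of any RPKI validator). It assumes a constructed subset of the IANA name-scheme registry (cer, crl, mft, roa, gbr); a deployed validator would load the current registry instead. Because the registry entries are lowercase, matching the extension against the registry also enforces the RFC 6481 lowercase requirement the message says need not be restated, and the grammar rejects path separators, multiple dots and empty names, which is what makes the manifest's fileList safe to turn into local file paths.

```python
import re

# Constructed subset of the IANA "RPKI Repository Name Scheme" registry.
# Assumption for this example only; a real validator should load the registry.
IANA_NAME_SCHEMES = frozenset({"cer", "crl", "mft", "roa", "gbr"})

# Grammar from the proposed text: one or more of a-z, A-Z, 0-9, HYPHEN or
# UNDERSCORE, then exactly one DOT, then a three-letter extension. Used with
# fullmatch(), so the pattern must cover the whole string (no '$' trailing-
# newline loophole).
_FILELIST_NAME = re.compile(r"[A-Za-z0-9_-]+\.([A-Za-z]{3})")


def validate_filelist_name(name, allowed_extensions=IANA_NAME_SCHEMES):
    """Check one fileList name. Returns (ok, reason).

    fileList entries are IA5String in the manifest, so raw bytes are accepted
    and must decode as ASCII; anything else is rejected before the grammar runs.
    """
    if isinstance(name, (bytes, bytearray)):
        try:
            name = bytes(name).decode("ascii")
        except UnicodeDecodeError:
            return False, "non-ASCII byte in name"
    if not isinstance(name, str):
        return False, "name is not a string"
    match = _FILELIST_NAME.fullmatch(name)
    if match is None:
        return False, "name does not match <name>.<ext> grammar"
    ext = match.group(1)
    if ext not in allowed_extensions:
        # Catches both unknown extensions and uppercase variants such as .CER,
        # since registry entries are lowercase (RFC 6481).
        return False, "extension '.%s' not in IANA name scheme registry" % ext
    return True, "ok"


def check_filelist(entries, allowed_extensions=IANA_NAME_SCHEMES):
    """Apply the rule to a whole fileList; return the rejected (name, reason) pairs.

    A relying party that treats the manifest as a whole would reject the
    manifest if this list is non-empty.
    """
    rejected = []
    for name in entries:
        ok, reason = validate_filelist_name(name, allowed_extensions)
        if not ok:
            rejected.append((name, reason))
    return rejected


# Constructed sample fileList: the message's own example plus edge cases.
SAMPLE_FILELIST = [
    "vixxBTS_TVXQ-2pmGOT7.cer",   # the example from the message: valid
    "abc123.roa",                 # valid
    "../../other-ca.cer",         # path traversal characters: rejected by grammar
    "a.b.crl",                    # two dots: rejected by grammar
    "",                           # empty: rejected by grammar
    "UPPER.CER",                  # uppercase extension: not in registry
    "notes.txt",                  # extension not in registry
    "trailing.cer\n",             # stray newline: rejected by fullmatch
    b"\xff\xfebad.mft",           # non-ASCII bytes: rejected before grammar
]

if __name__ == "__main__":
    for name, reason in check_filelist(SAMPLE_FILELIST):
        print("REJECT %r: %s" % (name, reason))
```

Usage: `check_filelist(entries)` is applied to the decoded fileList of a manifest before any of the names is used to locate an object in the local repository copy; with the constructed sample above it rejects seven of the nine entries and accepts only the two well-formed ones.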