IETF Logo Mail Archive

Re: [Sidrops] mft/ee validity time window alignment issue - Re: I-D Action: draft-ietf-sidrops-6486bis-05.txt

Job Snijders <job@fastly.com> Fri, 09 July 2021 10:59 UTC

Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D83F63A1CD5 for <sidrops@ietfa.amsl.com>; Fri, 9 Jul 2021 03:59:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.498
X-Spam-Level:
X-Spam-Status: No, score=-1.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_SBL=0.5, URIBL_SBL_A=0.1] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FlsMKRnnz7R2 for <sidrops@ietfa.amsl.com>; Fri, 9 Jul 2021 03:59:42 -0700 (PDT)
Received: from mail-ej1-x635.google.com (mail-ej1-x635.google.com [IPv6:2a00:1450:4864:20::635]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FD0C3A1CCF for <sidrops@ietf.org>; Fri, 9 Jul 2021 03:59:42 -0700 (PDT)
Received: by mail-ej1-x635.google.com with SMTP id hc16so15425536ejc.12 for <sidrops@ietf.org>; Fri, 09 Jul 2021 03:59:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=ZRA85bioLvZShgzccVoNuvSbv8t2VuCnBBtWFNlirmU=; b=SsroScqjlbm9zjGmYiwimw0UFVuBHBFAGv7olL5V83odh2axEydD2sHmYFJP5YPNCd AcjHgf9ebTleib7/b3EQ3KpY4tEjWTzHgW3K9X4HG+dvt5EdKKjAwt3mmEmjb+W74hY8 GSEugMSyHytthUEsinPF0S2ERCGWxO5cknWvU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=ZRA85bioLvZShgzccVoNuvSbv8t2VuCnBBtWFNlirmU=; b=olz2NtOwxiBovzae7XH/vbs41cMU3mGYJsyhaTmkEt/iNqOWpOYOfAFEQqAX3T7eeA L26q2gMov8PDAEXrkLGeAKAMdWby/z10GHPsFq0C2qKSqoSWtMCG+8ZoBbAgn5GqRcj+ GYe5RUy9Em7rPk6Uxste0Jn6tigh8OxOF0mhhFqK2LqewREEX4802sJm7hymncdkfYac ty2ToGR6PLwYO+Q51RhTRBPMRkeIdiR5xIMHVhADR2v1AQy7VZgiytXtBQlYGB15S+tt 3yx2rMPbAMIySqXGVWsu8JyC9cznQ1CU50MvIOiTQ8o39vbZGa8udsxTe0NtmMIcKXab Um/Q==
X-Gm-Message-State: AOAM533LwNtnUnGqmcpHpyKm19T60NToBzZIvJa6GWPiojEh6zUVpkv6 zav9F/ZVBz6RG+KiIsC5ir4Ni4iu/DhOnQ==
X-Google-Smtp-Source: ABdhPJygTEwcwBYpeQbewus7YRWf19wyDSgl0uuxIWRaSNXw3cHhjJgyg4epEBuYjCsWqUWjP1wKhw==
X-Received: by 2002:a17:906:6d09:: with SMTP id m9mr36626764ejr.3.1625828380142; Fri, 09 Jul 2021 03:59:40 -0700 (PDT)
Received: from snel ([2a10:3781:276:0:21e:c2ff:fefb:f388]) by smtp.gmail.com with ESMTPSA id d22sm2279874ejj.47.2021.07.09.03.59.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Jul 2021 03:59:39 -0700 (PDT)
Date: Fri, 09 Jul 2021 12:59:37 +0200
From: Job Snijders <job@fastly.com>
To: Tim Bruijnzeels <tim@nlnetlabs.nl>
Cc: sidrops@ietf.org
Message-ID: <YOgsGYWF/E/s2Dwq@snel>
References: <162574988984.26098.17271669200254285008@ietfa.amsl.com> <YOc/X/fqp5RepPQD@snel> <3077EE58-C035-4A0D-91C7-AB44B33025D1@nlnetlabs.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <3077EE58-C035-4A0D-91C7-AB44B33025D1@nlnetlabs.nl>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/02fpVM-PIrsthg1zJIQbpidb41c>
Subject: Re: [Sidrops] mft/ee validity time window alignment issue - Re: I-D Action: draft-ietf-sidrops-6486bis-05.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jul 2021 10:59:47 -0000

Hi,

On Fri, Jul 09, 2021 at 12:39:48PM +0200, Tim Bruijnzeels wrote:
> > On 8 Jul 2021, at 20:09, Job Snijders <job=40fastly.com@dmarc.ietf.org> wrote:
> > I think the latest changes looked great on paper (and indeed simplify
> > the text significantly), but are not operationally feasible.
> > 
> > Quoting from draft-ietf-sidrops-6486bis-05 section 4.2.1 "Manifest":
> >> Because a "one-time-use" EE certificate is employed to verify a
> >> manifest, the EE certificate MUST have a validity period that
> >> coincides with the interval from thisUpdate to nextUpdate in the
> >> manifest, to prevent needless growth of the CA's CRL.
> > 
> > It appears there are quite some CAs out there where 'nextUpdate' and
> > 'notAfter' are not equivalent, I estimate it would reduce the global VRP
> > count from ~ 263,175 down to ~ 209,931.
> 
> Indeed, I mentioned that Krill is doing it wrong (or well following
> earlier discussions but let's not dwell).
> 
> The fix is in the 0.9.1-dev branch but will take time to be deployed.
> There may also be other CA implementations which are affected by this.
> Though generally speaking hosted CA services could re-issue all their
> objects without the need for users of the service to upgrade.

Other CA implementations also appear impacted. What I meant with 'not
operationally feasible' is that we'd have to wait for all CAs to be
upgraded, then to upgrade all RPs to add the '-05 check', and all this
work would take place merely to decrease CRL traffic.

If we are looking to decrease traffic, I'd first remove XML from RRDP as
that appears a 50% bloat compared to using DER as container :-)

Given the sheer amount of upgrade work, and the particular order 'first
CA' -> 'then RP', I just don't see the current text as feasible.

> > I suspect the best we can do is demand that the EE certificate validity
> > window fully encompasses the Manifest validity window described in the
> > eContent, and merely recommend to align the two...
> 
> It may be appropriate to differentiate between what a CA MUST or
> SHOULD do and what an RP MUST reject.
> 
> What I am after is that I think:
> - a CA SHOULD (not MUST) have a validity period that coincides with the interval from thisUpdate to nextUpdate
> - an RP MUST reject a manifest if:
>     - thisUpdate is after now
>     - nextUpdate is before now
>     - EE not-before is after now
>     - EE not-after is before now

You'll also want to check if nextUpdate is not before thisUpdate!

The below link shows how rpki-client validates thisUpdate and
nextUpdate:

https://github.com/openbsd/src/blob/01ae73c5eb2d059ceb1d1734f72282cefb78d440/usr.sbin/rpki-client/mft.c#L82-L120

> One other note. NTP not being as perfect as we would like, I would
> advise backdating the 'thisUpdate' and not before a tiny bit, say 5
> minutes. 

Can you elaborate on your concern related to NTP and the need for
backdating?

I suspect that in this context it might not be needed to document such a
recommendation given that the WG appears to have agreed that polling
more frequently than once every ten minutes shouldn't happen, and the
publication server usually has some delays here and there in the
pipeline anyway (such as copying newly issued objects into a spool
directory).

Promoting the concept of backdating will probably bite us when we get a
proper Certificate Transparency project on the road. I expect that the
log operators and the certificate issuers will have their clocks synced
well within 5 minutes of slack.

Kind regards,

Job

v2.23.0 | Report a Bug | By Email