IETF Logo Mail Archive

Re: [Sidrops] draft-ietf-sidrops-6486bis-04.txt

Stephen Kent <stkent@verizon.net> Mon, 14 June 2021 23:58 UTC

Return-Path: <stkent@verizon.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A464E3A1439 for <sidrops@ietfa.amsl.com>; Mon, 14 Jun 2021 16:58:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verizon.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hpEOuCR9HBB3 for <sidrops@ietfa.amsl.com>; Mon, 14 Jun 2021 16:57:56 -0700 (PDT)
Received: from sonic304-10.consmr.mail.bf2.yahoo.com (sonic304-10.consmr.mail.bf2.yahoo.com [74.6.128.33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 952DC3A143D for <sidrops@ietf.org>; Mon, 14 Jun 2021 16:57:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verizon.net; s=a2048; t=1623715075; bh=oWgBE404GdVt+mFcYLQMQmEjnZDA03fqYK9snf2iUFM=; h=From:Subject:To:Cc:References:Date:In-Reply-To:From:Subject:Reply-To; b=mwODe5iBBewwfVrKKUKBG1VOxSVaU7F7ouOqlzWiVPduM/GQT0yTZskzmc6YJcvrfyvhnLdcj6QCOqjxNe+l0qCaTp2dRk8XpPWVi+wH3wTo9cxCgXYhHjWMU9q5aHmPm028xVNf3BkLIaH5zxW6L3GfuVQZfQHONSQrC4qjdTHDj754eGWXoKXv2y+7eMuO+Hq21mlDbqyPIUBOMLNPSorFWblCFThihRg6UU0/6namfDQlAD3wHGI7lTtRMd0SvV7f4DOHq0Az2hE43bKjMoVu/ulJ0Hk9aXguuxLHVCpO5B27Bxp28ROTx+JzQqxje/8ElBns6ufcHV7DaCpD+g==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1623715075; bh=+x0iezh+p59nyG37bjH/BdrLA7uUB4Pq4Ae6HU8MLvF=; h=X-Sonic-MF:From:Subject:To:Date:From:Subject; b=YkYRVcrdZmJxrtRx6o0ppSZRg6nmXM29OONBvajLQPvND8R0mC7qRRykT7Gu2tMc8Jq3jXo7CNxtGv87SDNg+Fr/vlLjSXLQW5SDXo7QVaKMDYGCbEltYCv2vl/Hve0GzauPH8fGmAenqAnoGIEJpTaV6FbN7+4GqfH/ooN+vle2t36hcCJdjll9AMDJn1SQKNSUBoDYzuJvSFcLG50NGde9KYespfrVoO1pblrmsZNbxVVpAwLpVV0+N3Sj0wlWG4s1fCFBVvi0Uu8QdJjjLKPWPKSG0fSnBtzCqsucS/E6y0L8wVIypzjwRui+ZmvwVFHEdUqVLQ5rTcm5zKMf4Q==
X-YMail-OSG: 5MxN9JQVM1nm.rKtqtqZuXP7ZtsCPivsGuVpdkQ_tWQIwPFaSvuet4kunK2YPaU XrfkNwCT1Xlh4noh6ES5q5jGiH3MPnSYs4nWkrrTRODKqnU84j0p3lE13DGhCoGpivDh7oYdTNqO VrXd4qXOzhBjXI76GwUVhDI0QDzaex_x0EKBxTBjaWtO2thf8XfjPL9tzRNgxqU8290Q5z2dV8Rm h.l8Zgu2ZvUHNVMhqzQA6qwOLkUBjYLW8GPJJcmQtZ0W9NHNLTqhuXyoO_0UQQgiHHDogMx5Lfxu IyOoClQxWMcYyUObXTJT8mUzLA4lShsytZeYWYkYz6q3KYPDIU6c04aYux5k78nWkGeRetFp_uGh P42I2qvmWb.KytjiXMqpUAlAol0Y0PthMhaM_mVQq0qN5Nnc78Nqs2HFBqfeJeGezuEAfj49yF9y WDQ4DgAG7jVDyO1UKaXYkSYYTr4qGLKnC40wpKjOZi9ag_sQctUgtARnywV9hhaGWza6P4.pcCuI 1duPJFgPTLqvQHTVsuDpeQ8.wtNtXSWLEn5koj8PlNAEBbD.SWK292qDDY7FiD0kE1ivdjQDL1KR Ti9LjCfud9t6vI7vyaiX7G7F0xNIjMdeEQoASkPez7lPHB1O.bV7egg_pDCc3dsocHWewLG0q7MQ Nq6BXkKl3m5okJy.Z79AlxXHBAxgkJeG2S_ejKKbPFQi31EgbuQyUCDUR4dpTt8M2MQvQG_u.Mim qvpqFbSKd5u26Xeb7rU73Rq5UNQhoQM9UjF5zRlvF6R8jXgaAJxNq7ksMBqINl6X_RORiT._UrXO qNQpsjsoaZZau7b_iQ6M9pmVFiV91KDTqfH1rV9xx.7ysFy.YqRRsRUZDuPoVTpj7nwcndGrM9NJ vkvD.RKavqDjUwa8hqpNHKF71W2uwCfuyzXuM7voXm0NHMeGTiZu.fArK4lxnZzrxJZM3eIujQOy i2wCeivwPvbP9hRvH_UsfSa7PLcRwWyKeJXOoffj5fnHxP0xc0mdiHo9bDXfsO0IXvBaW6pyFPKt DPU16YXvDiazdvAdHft_FYaRjBNJZH9t4Q54BQbhE7hHlhfGv3YtR1zfjkOS5Rgp7akKGp_2RbFt lWvncY.hK_XVpGFKnHnKZojKzOB1aIMYIJk0ghGJ5.Mv6crFJX6_830aoCq2XfYxoPk0c4Qe0LmF g_HzXlddgFHUoj5puVLgduzw2kRpA5yN0opJoKFnKG7cFo6LIFRNbQbqzBbobywhMKi59fUZ2Ejp YYUigKS0b6s7hlbWVYw05FZ62t.insjEUVQUH2ueo2i3YWHKCJUm1FwFUGtCbBa7fELOcVyFA6Lq X24pWWtZd.c_2NU6rvAAIgCmRePyZRLdgknJunlTYnlrisH6Evzzd0WsPmN9CX1tUcXmNVgXuoVM R9FwH5uzyDO_3rlXI2F.dj.G2XR3gBmy2PHZolODeif9isXt9XD.UmrjnqkEwTSkWTEInyZck2Yx rDgSFJfKk1HZ1tJFP3mY2gOAVZzro2hYgIjSt3WtD7c_0IPFOIDG4_KxCwF9TFfhHFTrsjZGxNUO EOgh2ERYI43T90Yw.ZfHtOIhfUeeRjLav36vkLHS_BeEQgYYs7uGgVr8XRhV84_Z5M0hgNsSi2uO in7671eQj4u74etXFo3T8bpGKfrQrAPO9lWA.7eemC9ma1mOcNt0pxzTbtLC5ERrL2M9G6kLSWHA djGTUPyehpq1Wq5Cg92Cn7.itOEQkZGg5kNTNt4kLB.3L9NYxeu0yr_ZdOginLUGaFKAXJNfhIWr jvA4lKQYKikq0mEluJHl8A30rsZpEUWF1vskiIzSfI_OIT6Ao5pEt6pOC.OzPeW2inCeCgbtRHJF Pan4CTNjhMubpHp_VlDfjzKIZsxX1gggAm0TceGQhS9etswSsL1wb_6hIXANjFmei1GufKSfwEid vzLRJuEoUydVOz9rz7yA0L311vMH.4QHNRPCAPyxFi5Kj.KflhY_g7x0AkqM1AQ8N0GYs_kZFWtk vosKYVLd0XHhwN8Q6xAY7UYdQ_vEUHZanb_44kVmRdAgHvAbhnlYVbZEhDu0w60VOioMbVz4iRUZ 39F.dUYta2K9X2bD8cvtnOttrNtSWIXSKqsrXp82ANaDGDyndo_Fd53yG3YJUT4QuU0PKSe125w2 PIVstkm.j4s38SA3TPaleXtHzdmqjZ6WSIqIrC1g7713dFWTxUP77Hey9dqOJaMtwHwCF.tgY9ku oj.Hn_r.2WTVJVgTkiw9vkh2TlN0ZnV6J1DjQFrdNHy51vgaTYYkPqCXdtm5IcaLG43U1O6ne4Q1 WpXnwQUs_DQYcGHesfwsugYcG1CRkQ7uBszeOhwb3Da3hjUAh7yzEq6Yd6aBkdOeG_cII8HM6osh Xa2PHD_Hdjk34HLAOJedF9eHe9aKKSlkscGdpllggubAMXhnA6b1JEcKlnNGfr6zNmO8ExNA-
X-Sonic-MF: <stkent@verizon.net>
Received: from sonic.gate.mail.ne1.yahoo.com by sonic304.consmr.mail.bf2.yahoo.com with HTTP; Mon, 14 Jun 2021 23:57:55 +0000
Received: by kubenode516.mail-prod1.omega.bf1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID 1cc354b82348c3e43e79a0f48de35c6a; Mon, 14 Jun 2021 23:57:52 +0000 (UTC)
From: Stephen Kent <stkent@verizon.net>
To: Tim Bruijnzeels <tim@nlnetlabs.nl>
Cc: sidrops@ietf.org
References: <4576a83c-4118-9e4e-aec1-e8e9b0a1a069.ref@verizon.net> <4576a83c-4118-9e4e-aec1-e8e9b0a1a069@verizon.net> <1EF06618-5BF8-46CE-A25C-37D98867EADF@nlnetlabs.nl> <9dcd34e6-3b07-c8fc-99b3-df9365cb19f1@verizon.net> <44CDF8B7-B099-499F-94A5-914238FAFA51@nlnetlabs.nl>
Message-ID: <914036da-a5d0-060b-b5f3-2693d204c1e2@verizon.net>
Date: Mon, 14 Jun 2021 19:57:51 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <44CDF8B7-B099-499F-94A5-914238FAFA51@nlnetlabs.nl>
Content-Type: multipart/alternative; boundary="------------A1C4BD3FE532CE59079C28BB"
Content-Language: en-US
X-Mailer: WebService/1.1.18469 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.aol
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/2LdLgUl1HSimzI-qEETumsXYNEI>
Subject: Re: [Sidrops] draft-ietf-sidrops-6486bis-04.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Jun 2021 23:58:01 -0000

Tim,
> Krill defaults to 24 hours for the next update time on CRLs and 
> Manifests. The not-after time on the manifest EE currently still 
> defaults to 7 days following discussions we had about this in sidr 
> many years ago. I am quite happy to change this match the next update 
> time instead as this document now instructs. 

So, to be clear, a new CRL and manifest are issued every 24 hours, but 
the manifest EE cert has a 7-day lifespan, right? Since you say that the 
manifest EE cert is a one-time use, this clearly contradicts the text in 
the manifest spec. Please do change the validity interval.

> But in any case a new Manifest and CRL are issued by default 8 hours before they would go stale. I don't dare to leave this much longer, I think a CA operator needs this window to be able to deal with unforeseen outages.
>
> When a manifest is replaced the previous EE cert is revoked - and its not-after (expire) time is remembered. When that time has passed the entry is removed.
>
> All these values are configurable. I don't know for sure how other CA implementations do this. It would be good to hear from them. Based on memory at least the RIPE NCC managed CA uses a similar strategy.

It would seem that each old manifest cert lives on a CRL for about 6 
days, so there might be 5 or 6 of them on the CRL at any time, 
needlessly. That's not awful, but it's not pretty either.


>>> ...
>>>
>>> One could therefore argue that rather than revoking previous manifest, the 'thisUpdate' or possibly 'manifestNumber' should be leading in selecting an eligible manifest - should an RP have multiple validly signed and current manifests for the same CA somehow. Not revoking previous manifests would help to avoid the "chicken and egg" issue raised in section 6. It is not clear to me that this would really be less safe.
>>>
>>> But look, really, rather than trying to pick an argument over this, I raise this because I would like to see explicit text in the document that says what's expected here :)
>>>
>> as I said, unless a CA issues a new manifest before the next scheduled issue time, this ought not be an issue.
> As above, I don't dare to leave this to the last moment.
>
> Furthermore, there could be other changes like a change in ROAs that require a new manifest to be issued.

I am curious- do you track how often a new manifest needs to be issued 
because a ROA has changed? It would be useful to know if manifests are 
being reissued frequently only because a timer dictates it, not because 
any object covered by the manifest has actually changed.

> Which reminds me.. I am not sure now if or where this is required, but in order to keep things simple to reason about I always issue a new manifest and CRL together.

I don't think any text requires that a new CRL MUST be issued with every 
new manifest, although the opposite is obviously true if the old 
manifest EE cert is revoked. If a new manifest is issued 8 hours before 
the old one expires, and if there are no changes in the objects covered 
by the manifest, other than a new CRL, and if that CRL is also unchanged 
in terms of the revoked certs being listed, then there seems to be a lot 
of churn for no obvious reason.

> It's not that the CRLs get huge, because revocations for expired EE certificates get removed as well. But, then again, I still think these manifest EE revocations are most likely not needed at all because with this -bis because RPs would only accept a new CRL with a changed hash, when they have already seen the replacement manifest.
>
>> ... 
> I am not vested in the text I proposed.
>
> I believe that for normal top-down validation RPs need not consider any objects not found on manifests. This seems to align with what you are saying.
cert path validation is always top-down, as per 5280 and its predecessors.
> But what I am after is the following. RTA as proposed supports the idea of out-of-band exchanges of RTA objects, where those objects may NOT appear in RPKI. I believe RSC supports this option as well (but I need to re-read). So, in short, they may or may not appear on manifests. So, I would prefer that RPs can still do ad-hoc validation of RTA objects which they received out-of-band. Typically the RTA EE certificate would refer to a CRL and parent CA certificate which can be found in the RPKI (and manifests).

Well, we've been reminded by Job that RSC doesn't assume distribution 
via the RPKI, so ...

I propose the following text to begin Section 6:

Each RP MUST use the current manifest of a CA to control addition of listed

files to the set of signed objects the RP employs for validating basic RPKI

objects: certificates, ROAs, and CRLs. Any files not

listed on the manifest MUST NOT be used for validation of these objects.

However, files not listed on a manifest MAY be employed to validate other

signed objects, if the profile of the object type explicitly states that

such behavior is allowed. Note that relying on files not listed in a

manifest may allow an attacker to effect substitution attacks against such

objects.

Steve

v2.23.0 | Report a Bug | By Email