Re: [Sidrops] mft/ee validity time window alignment issue - Re: I-D Action: draft-ietf-sidrops-6486bis-05.txt
Ties de Kock <tdekock@ripe.net> Fri, 09 July 2021 11:14 UTC
Return-Path: <tdekock@ripe.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 379CF3A1D96 for <sidrops@ietfa.amsl.com>; Fri, 9 Jul 2021 04:14:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.099
X-Spam-Level:
X-Spam-Status: No, score=-7.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ripe.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8it5TBF1tJ6r for <sidrops@ietfa.amsl.com>; Fri, 9 Jul 2021 04:14:21 -0700 (PDT)
Received: from mahimahi.ripe.net (mahimahi.ripe.net [IPv6:2001:67c:2e8:11::c100:1372]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBEAB3A1D6C for <sidrops@ietf.org>; Fri, 9 Jul 2021 04:14:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ripe.net; s=s1-ripe-net; h=To:Message-Id:Cc:Date:From:Subject:Mime-Version:Content-Type ; bh=MqBsd2flXYpbf+Z7vDSD6hHgtSd1Na8emM0ghJux7xE=; b=sOxP26guYtVrDGICUNKgJXIF NcwDzhKk8RxPS8YslWIVxScc5BG/cuo4XrnZxxPaZEop/O1kaPWjlke5Teg/orfXoh/dz27r/Vkn6 c1cR3zwbiUThS0fuOPkyisHpdnp3jP93t7i4vkPnmvh9rBjgGcHSSGRH+sGOgO6ansh93XkAFYN/h NVj5p8nZ2O5dcnESRBLQGAhfjO5xpiQC1fO2E6mSZWuOzYhIcW139Y+dncSGOdwglsSKDJMg6GVsG E5PosYp93YeEfXGMrmdcWbZ6yUCy0RiqhyeyJRbfIiS7WKMCSvycgqczjFAFG7EIqnGS9pCNOW+qe RKkDOXo+rA==;
Received: from bufobufo.ripe.net ([2001:67c:2e8:23::c100:170d]:42422) by mahimahi.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <tdekock@ripe.net>) id 1m1oSW-0000FP-G2; Fri, 09 Jul 2021 13:14:16 +0200
Received: from sslvpn.ipv6.ripe.net ([2001:67c:2e8:9::c100:14e6] helo=smtpclient.apple) by bufobufo.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <tdekock@ripe.net>) id 1m1oSW-0008KS-D6; Fri, 09 Jul 2021 13:14:16 +0200
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.100.0.2.22\))
From: Ties de Kock <tdekock@ripe.net>
In-Reply-To: <YOgsGYWF/E/s2Dwq@snel>
Date: Fri, 09 Jul 2021 13:14:15 +0200
Cc: SIDR Operations WG <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <D89D1B55-66CD-4D85-9C31-B94AADB6C43E@ripe.net>
References: <162574988984.26098.17271669200254285008@ietfa.amsl.com> <YOc/X/fqp5RepPQD@snel> <3077EE58-C035-4A0D-91C7-AB44B33025D1@nlnetlabs.nl> <YOgsGYWF/E/s2Dwq@snel>
To: Job Snijders <job=40fastly.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3654.100.0.2.22)
X-RIPE-Signature: 059faafd1cc22ebb05e1592c815fe1e16abb3015d72b7f38b2038a2e48aad008
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/2VFzp1-cdoQn9pIUwXvuSdZUumM>
Subject: Re: [Sidrops] mft/ee validity time window alignment issue - Re: I-D Action: draft-ietf-sidrops-6486bis-05.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jul 2021 11:14:33 -0000
Hi Job, > On 9 Jul 2021, at 12:59, Job Snijders <job=40fastly.com@dmarc.ietf.org> wrote: > > Hi, > > On Fri, Jul 09, 2021 at 12:39:48PM +0200, Tim Bruijnzeels wrote: >>> On 8 Jul 2021, at 20:09, Job Snijders <job=40fastly.com@dmarc.ietf.org> wrote: >>> I think the latest changes looked great on paper (and indeed simplify >>> the text significantly), but are not operationally feasible. >>> >>> Quoting from draft-ietf-sidrops-6486bis-05 section 4.2.1 "Manifest": >>>> Because a "one-time-use" EE certificate is employed to verify a >>>> manifest, the EE certificate MUST have a validity period that >>>> coincides with the interval from thisUpdate to nextUpdate in the >>>> manifest, to prevent needless growth of the CA's CRL. >>> >>> It appears there are quite some CAs out there where 'nextUpdate' and >>> 'notAfter' are not equivalent, I estimate it would reduce the global VRP >>> count from ~ 263,175 down to ~ 209,931. >> >> Indeed, I mentioned that Krill is doing it wrong (or well following >> earlier discussions but let's not dwell). >> >> The fix is in the 0.9.1-dev branch but will take time to be deployed. >> There may also be other CA implementations which are affected by this. >> Though generally speaking hosted CA services could re-issue all their >> objects without the need for users of the service to upgrade. > > Other CA implementations also appear impacted. What I meant with 'not > operationally feasible' is that we'd have to wait for all CAs to be > upgraded, then to upgrade all RPs to add the '-05 check', and all this > work would take place merely to decrease CRL traffic. > > If we are looking to decrease traffic, I'd first remove XML from RRDP as > that appears a 50% bloat compared to using DER as container :-) > > Given the sheer amount of upgrade work, and the particular order 'first > CA' -> 'then RP', I just don't see the current text as feasible. > >>> I suspect the best we can do is demand that the EE certificate validity >>> window fully encompasses the Manifest validity window described in the >>> eContent, and merely recommend to align the two... >> >> It may be appropriate to differentiate between what a CA MUST or >> SHOULD do and what an RP MUST reject. >> >> What I am after is that I think: >> - a CA SHOULD (not MUST) have a validity period that coincides with the interval from thisUpdate to nextUpdate >> - an RP MUST reject a manifest if: >> - thisUpdate is after now >> - nextUpdate is before now >> - EE not-before is after now >> - EE not-after is before now > > You'll also want to check if nextUpdate is not before thisUpdate! > > The below link shows how rpki-client validates thisUpdate and > nextUpdate: > > https://github.com/openbsd/src/blob/01ae73c5eb2d059ceb1d1734f72282cefb78d440/usr.sbin/rpki-client/mft.c#L82-L120 > >> One other note. NTP not being as perfect as we would like, I would >> advise backdating the 'thisUpdate' and not before a tiny bit, say 5 >> minutes. > > Can you elaborate on your concern related to NTP and the need for > backdating? I would suspect that Tim’s concern is that a certificate is effectively published and read by an RP before its validity period starts according to the local clock of the RP. I have encountered this when using a VM where the clock had drifted. I would expect that there is a fair amount of clock drift between RPs and issuing at the ‘current’ time gives a risk of objects being rejected by (a few) RPs. > > I suspect that in this context it might not be needed to document such a > recommendation given that the WG appears to have agreed that polling > more frequently than once every ten minutes shouldn't happen, and the > publication server usually has some delays here and there in the > pipeline anyway (such as copying newly issued objects into a spool > directory). > > Promoting the concept of backdating will probably bite us when we get a > proper Certificate Transparency project on the road. I expect that the > log operators and the certificate issuers will have their clocks synced > well within 5 minutes of slack. As far as I know backdating a tiny bit is common for web CAs (where CT is common). I could not quickly find a statement on “notBefore < now” in the CAB forum guidelines, but backdating is on the list of problematic practices of Mozilla [0] except for technical compatibility reasons - which this five minute window is in my opinion. When CT is used. I would encourage CT logs to only issue a SCT for a pre-certificate that has a “reasonable” validity period - I could see, and would encourage, both limitations on notBefore and validity period being enforced there. Kind regards, Ties [0]: https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Backdating_the_notBefore_Date > > Kind regards, > > Job > > _______________________________________________ > Sidrops mailing list > Sidrops@ietf.org > https://www.ietf.org/mailman/listinfo/sidrops
- [Sidrops] I-D Action: draft-ietf-sidrops-6486bis-… internet-drafts
- [Sidrops] mft/ee validity time window alignment i… Job Snijders
- Re: [Sidrops] mft/ee validity time window alignme… Tim Bruijnzeels
- Re: [Sidrops] mft/ee validity time window alignme… Job Snijders
- Re: [Sidrops] mft/ee validity time window alignme… Ties de Kock
- Re: [Sidrops] mft/ee validity time window alignme… Job Snijders
- Re: [Sidrops] mft/ee validity time window alignme… Julian Reschke
- Re: [Sidrops] mft/ee validity time window alignme… Stephen Kent
- Re: [Sidrops] mft/ee validity time window alignme… Stephen Kent
- Re: [Sidrops] mft/ee validity time window alignme… Job Snijders
- Re: [Sidrops] mft/ee validity time window alignme… Russ Housley
- Re: [Sidrops] mft/ee validity time window alignme… Job Snijders
- Re: [Sidrops] mft/ee validity time window alignme… Stephen Kent
- Re: [Sidrops] mft/ee validity time window alignme… Tim Bruijnzeels
- Re: [Sidrops] mft/ee validity time window alignme… Stephen Kent
- Re: [Sidrops] mft/ee validity time window alignme… Tim Bruijnzeels