IETF Logo Mail Archive

Re: [Sidrops] I-D Action: draft-ietf-sidrops-signed-tal-07.txt

Tim Bruijnzeels <tim@nlnetlabs.nl> Thu, 29 July 2021 08:59 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D206F3A19F3 for <sidrops@ietfa.amsl.com>; Thu, 29 Jul 2021 01:59:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.8
X-Spam-Level:
X-Spam-Status: No, score=-2.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bNZki9I1_mN5 for <sidrops@ietfa.amsl.com>; Thu, 29 Jul 2021 01:59:01 -0700 (PDT)
Received: from outbound.soverin.net (outbound.soverin.net [IPv6:2a01:4f8:fff0:65::8:228]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D80B3A19ED for <sidrops@ietf.org>; Thu, 29 Jul 2021 01:59:01 -0700 (PDT)
Received: from smtp.soverin.net (unknown [10.10.3.24]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id BB8A4A1; Thu, 29 Jul 2021 08:58:57 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [159.69.232.138]) by soverin.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1627549137; bh=5EMw2NgvYkbwMa22NCTcOREkCGL+rHFRcEm74TNGpLQ=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=gV84zm5g+tdCBQ1ccdS5hThnDIF80vrT2LVRC3sKWVWtyjNdY3LNt0aomRh6/Vqey 7AAD9xqbswlR34WaI8v/h4cvaYWv791l1me+bAGIQy0o9HZiPG9bObwaXlrnmJmRdc c874sQ6dJ2iTUC+vD1JKiIIP4XmxwzJ8bAUp14mOigxHC9m7gkBt1Si5J3ab9gufAI 1xTTce/SZa2Q4DGAxsWm9B9ilcleEi1xh2gEl3jhIc2EzH3Dj/FNmuLAUStLVw6FEl HuGc8Z0Tu2S04Hk68ifKBhGSoEIsVAdzjwwB/WCqlfFvO/6p7wzHIHULJyQ36dyXvB j9S7QPnOzwKtA==
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.100.0.2.22\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <2CFB0083-BCD3-4B7B-A55F-B0C7439C281C@vigilsec.com>
Date: Thu, 29 Jul 2021 10:58:54 +0200
Cc: SIDR Operations WG <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <B868D5D0-C8B4-466F-9923-579365E45DD9@nlnetlabs.nl>
References: <162397132033.32149.10121553443259737639@ietfa.amsl.com> <20210728214216.vuyds2blfjoqyjcw@benm-laptop> <2CFB0083-BCD3-4B7B-A55F-B0C7439C281C@vigilsec.com>
To: Russ Housley <housley@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/4gWjzT8IDQx9PrKVwyLAsQPdKcs>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-signed-tal-07.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jul 2021 08:59:07 -0000

Hi all,

> On 29 Jul 2021, at 00:44, Russ Housley <housley@vigilsec.com> wrote:
> 
> 
> 
>> On 29 Jul 2021, at 7:42 am, Ben Maddison <benm=40workonline.africa@dmarc.ietf.org> wrote:
>> 
>> Hi all,
>> 
>> Re-iterating the comment that I made during the meeting, as requested...
>> 
>> Including the "revoked" flag *only* in the TAK object published by the
>> "revoked" TA effectively gives anyone with access to that TA's private
>> the key the ability to resurrect it and/or point RPs to a malicious
>> successor TA.
>> 
>> Given that a prime motivation for a performing a key roll is a suspected
>> key compromise, it is troubling that the key roll can be reversed by the
>> compromised key!
>> 
>> Perhaps I am overlooking something?
> 
> I think we need to consider graceful transition from one trust anchor key to another separately from recovery from key compromise.

Indeed recovering from a key compromise (theft) is a different ball game altogether.

The primary motivation for starting this (when I was still at RIPE NCC and operating a TA) was to deal with the migration from one HSM vendor to another. So the intent is not to be able to deal with a *compromised* TA key (which hopefully would have been kept in an HSM) - but to allow that key A in HSM A can sign the transition to key B in HSM B and then be destroyed.

I believe this is addressed in the security considerations section. Pasting for convenience:

9.  Security Considerations

   Because a TA key can mark itself as revoked and require clients to
   start using a new key, an adversary that gains access to a TA's
   current key and its associated publication servers can essentially
   take over the TA.

   This risk can be mitigated by the use of Hardware Security Modules
   (HSMs) by TAs, which will guard against theft of a private key, as
   well as operational processes to guard against (accidental) misuse of
   the keys in an HSM by operators.

   An example where planned rolls are useful is when a TA is using an
   HSM from vendor X, and they want to migrate to an HSM from vendor Y.

   Alternate models of TAL update exist and can be complementary to this
   mechanism.  For example, TAs can liaise directly with validation
   software developers to include updated and reissued TAL files in new
   code releases, and use existing code update mechanisms in the RP
   community to distribute the changes.



> RFC 4210 has a discussion on graceful transition that uses old-in-new and new-in-old so that not all relying parties need to transition at the same time.  The validity period in the old-with-new and new-with-old provide bounds on the transition time period.

I should probably put RFC 4210 on my reading list. Still, this document (signed-tal) as written is trying to define graceful transitions from A to B where relying parties do not need to migrate at the same time. Did you find any specific issues with the proposal in this regard?

Sections 6 and 7 talk about maintaining multiple TA keys in parallel and performing key rolls. The TAK object is introduced to automate this transition for RPs which support this. The document also talks about distributing TAL files for RPs which do not support TAK files. See section 7.3:

   The TA must also release a new TAL file for key 'B', as the intended
   key to be used by RP software.  As described above, it SHOULD use a
   different set of URIs in the TAL compared to the TAK file, so that
   the TA can learn the proportion of RPs that can successfully validate
   and use the updated TAK objects.

   To support RPs that do not take account of TAK objects, the TA should
   continue operating key 'A' for a period of time after it has been
   marked as revoked.  The length of that period of time is a local
   policy matter for that TA: it might operate the key until no clients
   are attempting to validate using it, for example.


(Rereading this I believe that it would be best to s/must/MUST/ in the first sentence above.)

I guess that what I am trying to say here is that I believe this document already includes a mechanism for doing a graceful transition for RPs which do NOT support this. I.e. even if the working group were to conclude that automated transitions using TAK files are not desired, then sections 6 and 7 are imo still relevant.

Tim





> 
> Russ
> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops

v2.23.0 | Report a Bug | By Email