Re: [Sidrops] Roman Danyliw's No Objection on draft-ietf-sidrops-6486bis-09: (with COMMENT)
Job Snijders <job@fastly.com> Thu, 03 February 2022 16:37 UTC
Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E74763A0D61 for <sidrops@ietfa.amsl.com>; Thu, 3 Feb 2022 08:37:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xqKOmcneGfnG for <sidrops@ietfa.amsl.com>; Thu, 3 Feb 2022 08:37:28 -0800 (PST)
Received: from mail-ej1-x635.google.com (mail-ej1-x635.google.com [IPv6:2a00:1450:4864:20::635]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EAA773A0B80 for <sidrops@ietf.org>; Thu, 3 Feb 2022 08:37:27 -0800 (PST)
Received: by mail-ej1-x635.google.com with SMTP id s13so10587825ejy.3 for <sidrops@ietf.org>; Thu, 03 Feb 2022 08:37:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to; bh=5Yzu6yJbRUMmdunDnygqAMWnhUF88tHtBiKUFLp5blw=; b=I28ban2DEQtJ+hkRmAmTKKOP1nl/AP9QQEsI/6PU/jOZ5McpmzVvhuqiJUOm+QP9Yl HLDD2tyZWl4SMxT1ewMkAduUHckIVwMEPzKA7+ReI47U9Lww4g5YhMqxMcbdOB353WMs nJlvg1AybFnn6HizQceT8JGH0LhQ8AXBbF35Q=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to; bh=5Yzu6yJbRUMmdunDnygqAMWnhUF88tHtBiKUFLp5blw=; b=DyXvD0dIHKt+J9l01p76BIi09aeDBEhg5nN298we2sDVO/N/SKgOHxRlUcEMmWkha/ AknNDlwFRCRvZ2ya/DJ0wRiJVSbkrpdcmndjUsJINyzDJZ/U/zjRiPJSQRmlkMLJuZtV JJvy+CeBuFVr+gC1e3YOjra+Z2h2DDAYvdI9hBzjbFhkrLzuDktfe5qUB6wrFa/d7BtY /rfFOWABlGrMrKsfA7LfNhSA+L7I4T8aFTbnNBFXhlViDJ4VDlNv2B0xn9GWcDWyUtD+ CyJk54TbUndkgAclQNIvwvmIgEsWX4ayGehAuJ7WlLMM8B73UqY2myBf81kO3AYILcgC La2w==
X-Gm-Message-State: AOAM5320Vl0G9RTYAfJtEFd/6s3xDOlcuJintYce9nbcOgFKQbYiIgyV CVhfV/DlO2xPVe/Y/KHLauNkEkoPDOKouw==
X-Google-Smtp-Source: ABdhPJxb10MNXm8KvE+9/ySqVFAdCUp9umJMs3X+P0jUdyQ1dJOByGA3K0ShWhtz3eQif2Nwtr11jQ==
X-Received: by 2002:a17:906:d551:: with SMTP id cr17mr28880046ejc.247.1643906244323; Thu, 03 Feb 2022 08:37:24 -0800 (PST)
Received: from snel ([2a10:3781:276:2:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id s26sm22845215eds.39.2022.02.03.08.37.23 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 03 Feb 2022 08:37:23 -0800 (PST)
Date: Thu, 03 Feb 2022 17:37:22 +0100
From: Job Snijders <job@fastly.com>
To: Roman Danyliw <rdd@cert.org>
Cc: The IESG <iesg@ietf.org>, sidrops-chairs@ietf.org, morrowc@ops-netman.net, sidrops@ietf.org, draft-ietf-sidrops-6486bis@ietf.org
Message-ID: <YfwEwtTfbm3QcXF8@snel>
References: <164385267401.26801.16932009193407138969@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <164385267401.26801.16932009193407138969@ietfa.amsl.com>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/4rlNabm2w9r6vD3r-2oY5ezr6Fs>
Subject: Re: [Sidrops] Roman Danyliw's No Objection on draft-ietf-sidrops-6486bis-09: (with COMMENT)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Feb 2022 16:37:41 -0000
Dear Roman, Thank you for this review! On Wed, Feb 02, 2022 at 05:44:34PM -0800, Roman Danyliw via Datatracker wrote: > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > I support Ben Kaduk's DISCUSS position. > > ** Section 8. The Section 4.2.1 guidance that “Each RP MUST verify that a > purported "new" Manifest contains a higher manifestNumber than > previously-validated Manifests” is crucial to prevent a replay-like attack. > What is the recovery procedure if an RP loses that state (i.e., “forgets” what > the last manifestNumber was for a given publication point)? Should it be TOFU > (trust whatever is the first value it downloads next)? Through this update I made an attempt to clarify https://mailarchive.ietf.org/arch/msg/sidrops/NzCcNzcN46FD7RgV3D5ULMnEhxs/ If the RP has "forgotten" what the last manifestNumber was (for example, a brand new RP instance which only has a Trust Anchor Locator in its trust store, and an empty cache), there obviously is notthing for the RP to compare the purported "new" Manifest against. It is not entirely TOFU, in the sene that the cryptographic validity through signatures is checked, and the Manifest's eContent, EE certificate, and CRL all contain pointers to determine whether the object at hand is is valid within the set of constraints outlined in both the original RFC and this -bis document. > ** Editorial > -- Section 1. In the spirit of inclusive language consider replacing > “man-in-the-middle”. For example, s/man-in-the-middle attack on the > retrieval/an on-path attack during the retrieval/ Updated: https://github.com/job/draft-ietf-sidrops-6486bis/commit/83ade7f35d6e7b8379cb798e258c3cbb86278fee > -- Section 4.2.1. Editorial. In the thisUpdate field, s/is recent any/is more > recent than any/ Thanks, this was already addressed through https://mailarchive.ietf.org/arch/msg/sidrops/EYxcUtZLF7go2UBnOoOXqwn6bRY/ Kind regards, Job commit 83ade7f35d6e7b8379cb798e258c3cbb86278fee Author: Job Snijders <job@sobornost.net> Date: Thu Feb 3 16:36:14 2022 +0000 Add more inclusive language Feedback from Roman Danyliw https://mailarchive.ietf.org/arch/msg/sidrops/VFKYHp2WdsJ7yVt8fHY3hBSJnzY/ diff --git draft-ietf-sidrops-6486bis.xml draft-ietf-sidrops-6486bis.xml index d103cf4..97db9fd 100644 --- draft-ietf-sidrops-6486bis.xml +++ draft-ietf-sidrops-6486bis.xml @@ -85,7 +85,7 @@ A manifest is a signed object that enumerates all the signed objects (files) in the repository publication point (directory) that are associated with an authority responsible for publishing at that publication point. Each manifest contains both the name of the file containing the object and a hash of the file content, for every signed object issued by an authority that is published at the authority's repository publication point. A manifest is intended to allow an RP to detect unauthorized object removal or the substitution of stale versions of objects at a publication point. - A manifest also is intended to allow an RP to detect similar outcomes that may result from a man-in-the-middle attack on the retrieval of objects from the repository. + A manifest also is intended to allow an RP to detect similar outcomes that may result from an on-path attack during the retrieval of objects from the repository. Manifests are intended to be used in Certification Authority (CA) publication points in repositories (directories containing files that are subordinate certificates and Certificate Revocation Lists (CRLs) issued by this CA and other signed objects that are verified by End-Entity (EE) certificates issued by this CA). </t> @@ -609,7 +609,7 @@ <section title="Acknowledgements" anchor="sect-10"><t> The authors would like to acknowledge the contributions from George Michelson and Randy Bush in the preparation of the manifest specification. Additionally, the authors would like to thank Mark Reynolds and Christopher Small for assistance in clarifying manifest validation and RP behavior. - The authors also wish to thank Tim Bruijnzeels, Job Snijders, Oleg Muravskiy, Sean Turner, Adianto Wibisono, Murray Kucherawy, and Francesca Palombini for their helpful review of this document.</t> + The authors also wish to thank Tim Bruijnzeels, Job Snijders, Oleg Muravskiy, Sean Turner, Adianto Wibisono, Murray Kucherawy, Francesca Palombini, and Roman Danyliw for their helpful review of this document.</t> </section> </middle>
- [Sidrops] Roman Danyliw's No Objection on draft-i… Roman Danyliw via Datatracker
- Re: [Sidrops] Roman Danyliw's No Objection on dra… Job Snijders