Re: [Sidrops] HTTPS in TALs
Job Snijders <job@ntt.net> Wed, 19 July 2017 18:30 UTC
Return-Path: <job@ntt.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EFD1131AAF for <sidrops@ietfa.amsl.com>; Wed, 19 Jul 2017 11:30:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7-ET3_XTn63c for <sidrops@ietfa.amsl.com>; Wed, 19 Jul 2017 11:30:19 -0700 (PDT)
Received: from mail3.dllstx09.us.to.gin.ntt.net (mail3.dllstx09.us.to.gin.ntt.net [IPv6:2001:418:3ff:5::26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 312EA131B48 for <sidrops@ietf.org>; Wed, 19 Jul 2017 11:30:19 -0700 (PDT)
Received: by mail3.dllstx09.us.to.gin.ntt.net with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.89) (envelope-from <job@ntt.net>) id 1dXtjl-0003LD-Fk (job@us.ntt.net) for sidrops@ietf.org; Wed, 19 Jul 2017 18:30:18 +0000
Received: by mail-wr0-f172.google.com with SMTP id 12so62038746wrb.1 for <sidrops@ietf.org>; Wed, 19 Jul 2017 11:30:17 -0700 (PDT)
X-Gm-Message-State: AIVw11277PTYowJb4z/VlpwwiA8J+9h86786E/a/1SvhNyuJdNn5Umhl nvXEWU96ApIhRT1eb+3FcqUgvYBUdFW8
X-Received: by 10.223.130.102 with SMTP id 93mr1042962wrb.253.1500489016364; Wed, 19 Jul 2017 11:30:16 -0700 (PDT)
MIME-Version: 1.0
References: <F3B9CD28-7643-43B9-B210-805687297D9E@ripe.net> <0428C22A-4D93-4961-92FA-968B4E177BC5@apnic.net>
In-Reply-To: <0428C22A-4D93-4961-92FA-968B4E177BC5@apnic.net>
From: Job Snijders <job@ntt.net>
Date: Wed, 19 Jul 2017 18:30:05 +0000
X-Gmail-Original-Message-ID: <CACWOCC98j45ZZt4H40KpUr9pNPhQ7JS5J_Yb+w3Ee_VoEe5NyA@mail.gmail.com>
Message-ID: <CACWOCC98j45ZZt4H40KpUr9pNPhQ7JS5J_Yb+w3Ee_VoEe5NyA@mail.gmail.com>
To: Geoff Huston <gih@apnic.net>, Tim Bruijnzeels <tim@ripe.net>
Cc: sidrops@ietf.org
Content-Type: multipart/alternative; boundary="001a114b3c44cf9e5e0554afd2c1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/7PZV1AuC_oK3gIdPts7qysnK0ms>
Subject: Re: [Sidrops] HTTPS in TALs
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jul 2017 18:30:22 -0000
Hi all, I'd like to encourage the working group to consider modernizing the file format a bit. I'd like to see JSON or XML on anything that is structured, and a version field somewhere. Kind regards, Job On Wed, 19 Jul 2017 at 20:14, Geoff Huston <gih@apnic.net> wrote: > This particular author of RFC7730 is more than happy to apply > s/rsync/https/g on RFC7730, but will only do so if the chairs can gather > the consensus of the WG to proceed in this direction, of course > > regards, > > Geoff > > > > On 19 Jul 2017, at 10:59 am, Tim Bruijnzeels <tim@ripe.net> wrote: > > > > Dear WG, > > > > As presented I want to propose a change to RFC7730 to move to HTTPS > URIs, rather than RSYNC. > > > > The reasons why I want this change are: > > - As a TA operator I feel more confident assuring the availability of a > TA certificate over HTTPS compared to RSYNC > > - As an RP implementer I want to reduce the dependency on rsync in the > validator. Especially if RRDP is also used, this would mean we don’t need > to call rsync at all anymore. > > > > Conventional wisdom would be to first allow HTTPS in addition to RSYNC > (and make it preferred if available), then mandate it, and then deprecate > RSYNC. > > > > However, I feel that in this case it would be perfectly safe, and much > simpler to go for the end-stage immediately for the following reasons: > > - step 1 of allowing HTTPS already forces RP software to support HTTPS > > - nothing stops us from having a mix of RFC7730 style TALs and ‘HTTPS’ > TALs for a while: > > — TAs can create new TALs when they are ready to publish their > certificate using an HTTPS URI > > — TAs can continue to have their certificate available under RSYNC for > those RPs unaware of the updated TAL > > — We can pursue parallel efforts (other thread) to have a way for TAs to > pro-actively communicate an updated TAL to RPs > > - and, of course, updating/replacing 7730 in one step rather than 3 is a > lot less work > > > > So, updating 7730 to use HTTPS this way is almost as simple as > 's/rsync/https/g’, and updating the references. > > > > In addition I would advocate an HTTPS consideration section, similar to: > > > https://tools.ietf.org/html/draft-ietf-sidr-delta-protocol-08#section-4.3 > > > > Essentially, TLS certificate or host name validation issues found are > worth logging about, but since the RP can verify that the retrieved TA > certificate matches the “subjectPublicKeyInfo” in the TAL, and is newer > than previously obtained certificate, it should be safe to process. We > should probably also advocate that in cases where multiple HTTPS URIs are > present, and TLS certificate or host name validation issues are found, > other URIs are also followed to see if there is no newer TA certificate. > This may be left to local policy, but I believe this will help against > replay attacks where RPs are presented an outdated TA certificate. > > > > So, questions to the WG: > > = Can we adopt this work? > > = What is the best path? Are the 7730 authors willing to update? Should > I start work on a -bis? > > > > > > Thanks > > > > Tim > > _______________________________________________ > > Sidrops mailing list > > Sidrops@ietf.org > > https://www.ietf.org/mailman/listinfo/sidrops > > _______________________________________________ > Sidrops mailing list > Sidrops@ietf.org > https://www.ietf.org/mailman/listinfo/sidrops >
- [Sidrops] HTTPS in TALs Tim Bruijnzeels
- Re: [Sidrops] HTTPS in TALs Geoff Huston
- Re: [Sidrops] HTTPS in TALs Job Snijders
- Re: [Sidrops] HTTPS in TALs Nick Hilliard
- Re: [Sidrops] HTTPS in TALs George Michaelson
- Re: [Sidrops] HTTPS in TALs Roque Gagliano (rogaglia)
- Re: [Sidrops] HTTPS in TALs Di Ma
- Re: [Sidrops] HTTPS in TALs Tim Bruijnzeels
- Re: [Sidrops] HTTPS in TALs Rob Austein
- Re: [Sidrops] HTTPS in TALs Tim Bruijnzeels
- Re: [Sidrops] HTTPS in TALs Daniel Shaw