IETF Logo Mail Archive

Re: [Sidrops] I-D Action: draft-ietf-sidrops-signed-tal-05.txt

George Michaelson <ggm@algebras.org> Mon, 27 April 2020 22:26 UTC

Return-Path: <ggm@algebras.org>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16AE73A0CBB for <sidrops@ietfa.amsl.com>; Mon, 27 Apr 2020 15:26:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=algebras-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gdd7twtgH2dV for <sidrops@ietfa.amsl.com>; Mon, 27 Apr 2020 15:25:59 -0700 (PDT)
Received: from mail-il1-x12f.google.com (mail-il1-x12f.google.com [IPv6:2607:f8b0:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05DC93A0D6A for <sidrops@ietf.org>; Mon, 27 Apr 2020 15:25:49 -0700 (PDT)
Received: by mail-il1-x12f.google.com with SMTP id c18so3112136ile.5 for <sidrops@ietf.org>; Mon, 27 Apr 2020 15:25:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=algebras-org.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=mHQKRaMRczhem77dhj5zS4JsWwszcQj3y5oP3MzNKPQ=; b=Nf/T6/I2v3agWRYyJJaqwsrI8apBEPIVVPGwFvnXLVRpk9rEfJRjz2/oslzMsEKlBi 0p86z2e0EH70qNR9bGb+Nq4bWA5UBHbMzRzsfVYKEO+FJDDHsfooNDHO1rLcmDUzaGMK qL/RCe95AHZWHXVf+gFj4RrIkca+N1+xaDLJplspyig1yBgaX+7uNuLLYALQQWpfWcgr yEtuzlXW5IPhvEB52wJKoSrseBZcN//ABj28gYMUdlMbsedvInyn1WDrWm0pUQ8ssOr+ k4ZozEUrLwiOsp3ylgoQ09J0F7a/eo2Dogx36F2qv/cd31MRvx3hleKt3Kcv9lu95guA gXWg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=mHQKRaMRczhem77dhj5zS4JsWwszcQj3y5oP3MzNKPQ=; b=M1yUE3CB5Y+juWvc9Z7U2erh0c97IEEm8M5DSfXr2ilpj30QCzCf7+yxSg1/33Cf5O pgxtY/Q+AcYB896ovdSvpJgQxIp2fNHrZaVu/E7EA/nrHDOCKwUu1t2/9OBxorM3QhZD Tc6cOJ+pTsbmtWKHuSTfLqGfILRpfO88B7SPq5BHrZO2jFOkmdAscvuzy1RjenzcV5wC AqR3I9tkoDrZk1MVrpIqW9L/rcSMmw4JgHVB5E0NsPlgQYw7/H1y6+MT3O/dAu83ixXq uRllJCRhhmisJZctg/5zB451sANmCuIi6gYf5RdJJE4sfI4Uj6aObgmPyjp5p0zmUw2R CGTA==
X-Gm-Message-State: AGi0Pubm1Wnp6o3hL8Tqw6UmUgDyxQloAIQhtU6LvUJ26iJ/D7JN8GqU khu0rSAtmMekpEkribe4NfWQK0iHE3bg//P3CjfIGBZy
X-Google-Smtp-Source: APiQypIuvGw6p37Ozc0fdcFyCnqAulRVOup9fGUVmDM9JPt3QtChf3SgjdBPpq8NJOnAMslHTV84XY0RQsLd81AT4qs=
X-Received: by 2002:a92:9e0b:: with SMTP id q11mr11597111ili.133.1588026348925; Mon, 27 Apr 2020 15:25:48 -0700 (PDT)
MIME-Version: 1.0
References: <157914534015.22379.11024327123542212494@ietfa.amsl.com> <CAL9jLabyFSP0C1Rq3FY6JkJVbPbm9yG9JuAfMQeZZtEeSb0Dfg@mail.gmail.com> <CAKr6gn11jN5Jb+uTeQerSktE5mE_DH+rSiBeYc90dpJqsAXGig@mail.gmail.com> <920CAE43-E94A-45A1-AD2C-86095F396E96@nlnetlabs.nl> <c0774788-c572-7dd1-8b15-41bee5af16c6@ripe.net> <m2lfodjpfx.wl-randy@psg.com> <CAL9jLabFAh9EKA9yH5VhsLfU8dzU-tRm2GpghtnjL2P=gy2GZg@mail.gmail.com> <m2o8rc60aq.wl-randy@psg.com>
In-Reply-To: <m2o8rc60aq.wl-randy@psg.com>
From: George Michaelson <ggm@algebras.org>
Date: Tue, 28 Apr 2020 08:25:36 +1000
Message-ID: <CAKr6gn0UKD16fTNOJJ8njXAkA_z2h=bOyrSMHf7o1wegdvPB3A@mail.gmail.com>
To: SIDR Operations WG <sidrops@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/88ZOD3ej_erH5aew6Ghb66cvKvI>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-signed-tal-05.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Apr 2020 22:26:09 -0000

There are (at least) three ways you can be taken to changing a TAL

1) because you receive "strongly" out-of-band signals such as a mail
list notification, or a website change you see (RSS?) or
word-of-mouth.

2) because the software updates, and you are given new TAL and a
README explains (this is how browsers update the trust anchor set at
present)

3) the missing third mechanism: an in-band signal informs you that a
TAL you trust is signing intent to move to a new TAL.

Robert K noted that if your primary concern is the distribution
problem this is fine, but if the risk is subversion of the TAL itself,
in-band signalling is actually weak, because the subverted signing
system can be used to signal a move to a new keypair in the bad
people's hands.  Robert preferred we focus on 2) but this places the
burden and responsibility into the same process issues we see with the
secret committee which white- and black- lists the TA set in the
browser. OTOH that is a process vested in "the community" in some
sense.

1) and 2) is how we do things at present. The draft tries to present
3). It riffs on the concepts in the DNSSEC key rolling. Signal intent,
allow both, signal deprecation on the old key.

Others (Randy?) have pointed out that if you want to do 3) like DNSSEC
you need to invoke "trust' in a higher, non-software bounded sense:
people need to see what you do. It opens the door to 'ceremonies'
because they are the vehicle which builds trust in that space. Its a
person cost, and a process cost.

I don't think the draft has much more which can be said. It could try
to capture the risk side, it could try to capture the ceremony side.
We implemented an early version and its simple to script, so I don't
see technology as the barrier here.

-G

v2.23.0 | Report a Bug | By Email