[Sidrops] Why is the SKI field included in RFC8210(bis) Router Key PDUs?
Job Snijders <job@fastly.com> Tue, 07 March 2023 00:06 UTC
Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AC38C14F72F for <sidrops@ietfa.amsl.com>; Mon, 6 Mar 2023 16:06:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.095
X-Spam-Level:
X-Spam-Status: No, score=-6.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, GB_AFFORDABLE=1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W_GR8qPZWtG5 for <sidrops@ietfa.amsl.com>; Mon, 6 Mar 2023 16:06:36 -0800 (PST)
Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41DC4C14F738 for <sidrops@ietf.org>; Mon, 6 Mar 2023 16:06:14 -0800 (PST)
Received: by mail-ed1-x52a.google.com with SMTP id k10so21980255edk.13 for <sidrops@ietf.org>; Mon, 06 Mar 2023 16:06:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; t=1678147571; h=content-disposition:mime-version:message-id:subject:to:from:date :from:to:cc:subject:date:message-id:reply-to; bh=sPB2bKhJbsa8TX+FFj1/q/lXdtkTY43m9jQ/72rIygQ=; b=HkZ47ajoczxJt9sctam2yyJLtrIq7Rn884itMZWjERSRmA5BCudQ42hzuXucdOdpxM UnErWH7y6SFNgr8RwHxug+adiMizJslszte148/OxBZtRo45wdvByO2bnBa34aNnjAh3 ffeeBpsS79J1rAK9dU3rpWZK5bxvin51P63DM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678147571; h=content-disposition:mime-version:message-id:subject:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=sPB2bKhJbsa8TX+FFj1/q/lXdtkTY43m9jQ/72rIygQ=; b=TIpTwKmmaE07WHMT0Dz6pT9FKJ+1BtEZNEeYDLYb2pPkmw4wdpaPIjxCYgBW8Kx4X6 r481IfcryaTadxcl91g9D/JUNgWYqL1iS/plggp1xt4HDziZ4QJWcqVionDDT9QowDjB hUBXXFbG8sc1AIiXHilrv06wrSrYfgUUHUQy7ivQ43p3SxX0WPn5wjLRQkCGvff9VL0n zvnfnHD0J3Q3koeTbenbcFTbAlnRCFQ3QLrfCsfI4+Fjpdr85FM1f5RZZxrnUd/DY+dU JivibBhsG4oTMUBN9tgToW4GAHRkpSZHcpPYqJllAWvRtTkA2QnYuHrcO1TX4yjB71Ax JQdQ==
X-Gm-Message-State: AO0yUKU6jm7VVL1uw2Ts1Tkg3taJ94/VHPakat6fG+ettM1NnE0qgBbB GKo7Goura4rnDNcxx0wHcsNddpv4AqLk10ASDhcmdyngzTBXNvDtfUUiqZS1JQ84n/t5L+TbQTe ZCz1TcR1YNOR5Wcl9h6PiT2naAQReXAaZYFFkabqmrUMKp0r2+BIjuW6TUqjP
X-Google-Smtp-Source: AK7set++KBp9aCVJXKxhiVBojNUFd8KBU+TsReAaq4/JiiuDp/a/icW79pyu/59hm3mNbt6dL6LrBA==
X-Received: by 2002:a17:907:7f13:b0:884:3174:119d with SMTP id qf19-20020a1709077f1300b008843174119dmr16899765ejc.14.1678147571250; Mon, 06 Mar 2023 16:06:11 -0800 (PST)
Received: from snel ([2a10:3781:276:1:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id l9-20020a50c109000000b004e0334ee807sm2943560edf.40.2023.03.06.16.06.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 06 Mar 2023 16:06:10 -0800 (PST)
Date: Tue, 07 Mar 2023 01:06:09 +0100
From: Job Snijders <job@fastly.com>
To: sidrops@ietf.org
Message-ID: <ZAZ/8ffHkiZBNSg2@snel>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/CvFlT_dipToKl85AcNBq7e8WE4o>
Subject: [Sidrops] Why is the SKI field included in RFC8210(bis) Router Key PDUs?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2023 00:06:40 -0000
Hi all, RFC 6487 section 4.8.2 specifies that SKIs are not arbitary identifiers: an SKI must be the SHA-1 hash of the Subject Public Key (SPK). This is expected in the deployed field: a number of RPKI RP implementations does hash the SPK and compare it to the SKI contained within the certs's X509v3 extensions. All the Internet's deployed RPKI CA certs have their SKI set to match the SHA-1 hash of their SPK. Section 5.10 of draft-ietf-sidrops-8210bis-10 notes: "Also note that it is possible, albeit very unlikely, for multiple distinct Subject Public Key values to hash to the same SKI." - This remark gave me pause for thought, as SHA-1 chosen-prefix collision attacks nowadays are deemed affordable. Side note: in context of draft-ietf-sidrops-8210bis-10, the message to-be-digested is a DER-encoded SPKI containing an ECDSA public key, and in context of RFC 6487, the message to-be-digested is a DER-encoded RSA 2048-bit modulus (e) 65537 public key. In context of RFC 6487 section 4.8.3 (AKIs), the authority's SPKI is not available for comparison in the subordinate product. Also an RSA signature does not contain a public key. Additionally, AIAs are unreliable [1]. But RFC 7093 notes that second-preimage resistance is not a required property of key identifiers, and indeed; I'd expect an RP implementation to only add an authority to the chain of trusted authorities if-and-only-if the subordinate authority's RSA signature validates with the public key of the trusted authority whose SPKI SHA-1 hashes to the TBS AKI. OK, phew, problem avoided - as RSA isn't broken. Draft-ietf-sidrops-8210bis-10, as a solution to collisions, suggests to use the SPKI (aka the full ECDSA public key, rather than the SKI) as the primary identifier for the information structure. Good suggestion. My question is: why does the SHA-1 collision warning in draft-ietf-sidrops-8210bis-10 exist? Or more specifically: why at all bother including the SKI in the RTR PDU? Why not let the RTR client hash the SPKI (if needed, as they deem fit)? The SKI field in 8210bis Section 5.10 RTR Router Key PDUs seems redundant, or am I missing something? Kind regards, Job [1]: https://mailarchive.ietf.org/arch/msg/sidrops/wRa88GHsJ8NMvfpuxXsT2_JXQSU/
- [Sidrops] Why is the SKI field included in RFC821… Job Snijders