IETF Logo Mail Archive

Re: [Sidrops] mft/ee validity time window alignment issue - Re: I-D Action: draft-ietf-sidrops-6486bis-05.txt

Job Snijders <job@fastly.com> Fri, 09 July 2021 22:01 UTC

Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C24C3A30BA for <sidrops@ietfa.amsl.com>; Fri, 9 Jul 2021 15:01:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.498
X-Spam-Level:
X-Spam-Status: No, score=-1.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_SBL=0.5, URIBL_SBL_A=0.1] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BrOVR7u35ltV for <sidrops@ietfa.amsl.com>; Fri, 9 Jul 2021 15:00:58 -0700 (PDT)
Received: from mail-ej1-x633.google.com (mail-ej1-x633.google.com [IPv6:2a00:1450:4864:20::633]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BEF9A3A3090 for <sidrops@ietf.org>; Fri, 9 Jul 2021 15:00:58 -0700 (PDT)
Received: by mail-ej1-x633.google.com with SMTP id b2so18819460ejg.8 for <sidrops@ietf.org>; Fri, 09 Jul 2021 15:00:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=P/ZvjiEyN8kaNYejcCv6szoiUfyrVltwU4PLN9yzL7g=; b=Sb8pZVaJlK+vRkckzSwEbVf9FdCcT3iBGTCHINldDEStJydtkXhbnsrsEwaD5+7IMO jI6DwX7yuolDDomtH+FL3enaYn29MDYVQkKNFPGYMaI+E6aL+gfr2De/AfQYweCPXaHG RikJPnjUMBnLmAVB7kpCbAXJHNPGjKFv72Vv8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=P/ZvjiEyN8kaNYejcCv6szoiUfyrVltwU4PLN9yzL7g=; b=nRmQdrr1/WHCqCNhYLUPgnpPwqmuZq92Zx39luWXlh/POLmSpT/TK3uOrijtmasi37 Xggs8qOslbjvkJLdP/MqNpKK5yxcejxxBDIyErG5as16fo4kd04eEBsqYfwxLS4OG/Cl V7PLwNkEHO0EJWeaLa4zJOT/vxfp5mP8mz0vtf0ljXAt2LgUYud7uXHP4Qb7SHRGnIjc sDfTUzt0INhJ6kY/Gsl8M1vrCz7ifynMw85rwMLPJNHg27nGZzoxbWGE+W2FFDJvUQEL 1l3gPqqoNZpBaaJ+Dk6EekP4uHyKCu3/H765EFDfgd1W+JaIRq5BaeFqIvxKSDPAt1sQ 3hew==
X-Gm-Message-State: AOAM531SbGPJqVuR5VdMa5QW7vLmuvYeVQvHerhQW9XE7i8EG12UNkBy Um8pDrbRKONp4TuHS2RmtIdo1hftl7putw==
X-Google-Smtp-Source: ABdhPJzcSEHk5jhs0iO9YmQ8hWHghu9XLmKtm5eq84sKFzFl2BOIC8XEExfskLiEFmRPmTGkoupItA==
X-Received: by 2002:a17:906:a897:: with SMTP id ha23mr12201739ejb.164.1625868055750; Fri, 09 Jul 2021 15:00:55 -0700 (PDT)
Received: from snel ([2a10:3781:276:0:21e:c2ff:fefb:f388]) by smtp.gmail.com with ESMTPSA id eb9sm2872050ejc.32.2021.07.09.15.00.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Jul 2021 15:00:55 -0700 (PDT)
Date: Sat, 10 Jul 2021 00:00:53 +0200
From: Job Snijders <job@fastly.com>
To: Stephen Kent <stkent=40verizon.net@dmarc.ietf.org>
Cc: sidrops@ietf.org
Message-ID: <YOjHFVZFtCahcfr7@snel>
References: <162574988984.26098.17271669200254285008@ietfa.amsl.com> <YOc/X/fqp5RepPQD@snel> <3077EE58-C035-4A0D-91C7-AB44B33025D1@nlnetlabs.nl> <564f0d8f-942e-e4e6-b97c-563564f235fe@verizon.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <564f0d8f-942e-e4e6-b97c-563564f235fe@verizon.net>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/DIP3waXK2_fACafsgHnjKLhYxos>
Subject: Re: [Sidrops] mft/ee validity time window alignment issue - Re: I-D Action: draft-ietf-sidrops-6486bis-05.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jul 2021 22:01:12 -0000

On Fri, Jul 09, 2021 at 02:28:50PM -0400, Stephen Kent wrote:
> > One other note. NTP not being as perfect as we would like, I would
> > advise backdating the 'thisUpdate' and not before a tiny bit, say 5
> > minutes.
> 
> I can modify the text to refer to this as a spec for version 1 (vs. 0)
> manifests, if folks want to adopt this approach to aid transition to more
> stringent CA and RP requirements.

I would like to suggest to not deploy the innate 'version' feature
aspect of RPKI objects, when it concerns the Manifest object, for this
purpose.

The community lacks experience with this type of transition mechanism,
and I suspect some RPs will not be able to parse the eContent when they
stumble upon a version field, even when it is set to 1. 

Given that CA's in their SIA currently can't point to two different
Manifest objects, unless a new accessDescription element for the
id-ad-rpkiManifest accessMethod is introduced. At that point CAs would
be doubly publishing Manifests (v0 + v1)... all to reduce some potential
churn in the CRL space.

If the objective only is to reduce CRL growth, the paragraph must be
written in a way that makes it clear it only applies to certificate
issuers, and is for their own benefit. 

I propose this text for Section 4.2.1 second paragraph:

"""
   When signing a manifest, it is RECOMMENDED to use an "one-time-use"
   keypair. The EE certificate SHOULD have a validity period that
   coincides with the interval from thisUpdate to nextUpdate in the
   manifest, to prevent needless growth of the CA's CRL.
"""

Kind regards,

Job

v2.23.0 | Report a Bug | By Email