[Sidrops] Re: Notification for draft-spaghetti-sidrops-rpki-ta-tiebreaker

Russ Housley <housley@vigilsec.com> Thu, 20 June 2024 17:57 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCE8DC14F71B for <sidrops@ietfa.amsl.com>; Thu, 20 Jun 2024 10:57:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=vigilsec.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f_eEGIGB9MAf for <sidrops@ietfa.amsl.com>; Thu, 20 Jun 2024 10:56:57 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8EFDAC14F6FB for <sidrops@ietf.org>; Thu, 20 Jun 2024 10:56:57 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 9FA327329D; Thu, 20 Jun 2024 13:56:56 -0400 (EDT)
Received: from smtpclient.apple (unknown [96.241.2.243]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 8F2C772FEC; Thu, 20 Jun 2024 13:56:56 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6.1.1\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <ZnNtl9d7cnkMtK-1@snel>
Date: Thu, 20 Jun 2024 13:56:46 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <6CC9BD6A-8CF7-4647-9D3F-60AE0DEDC512@vigilsec.com>
References: <ZnNtl9d7cnkMtK-1@snel>
To: Job Snijders <job@fastly.com>
X-Mailer: Apple Mail (2.3731.700.6.1.1)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vigilsec.com; h=content-type:mime-version:subject:from:in-reply-to:date:cc:content-transfer-encoding:message-id:references:to; s=pair-202402141609; bh=aIRe1ibYtpJJlHv+qjJ6eSDAdfpYYWZLlqb/WEAIndo=; b=Dvp59cdmQn8TcJBG1/2vK00gQunnPYxluGzBYxouGnH48qvcyJ+wIah3mXnmk+n9mDKdh0TGZt8zck493y8WAZQeeyDPYH4IzQY1m3+E0LkgFS/yyHic0/9f9E+4+B/dfE2VNLOmIC9NJU88asH4psNPPmnomVam/tbglc8xF8vP/WpX/8bbhg+zD1BSzFVu2uGkMLRDJUWA6J8ybJyylYOYzKTBDGi3zDVHLi5Kd62NbsAwvTPbABhqt8oly/wUriY5x1hBMzVkIA+rPBKQCvywWOoXnPvdmrxJxK6r6zCHQtnQzOvKCKHQxzEHfRsTcYEILIYRG/HqrLfadKIWQQ==
X-Scanned-By: mailmunge 3.11 on 66.39.134.11
Message-ID-Hash: SSDMZEXM4JLFYWKFBS4VSEFCSVPJLRS2
X-Message-ID-Hash: SSDMZEXM4JLFYWKFBS4VSEFCSVPJLRS2
X-MailFrom: housley@vigilsec.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-sidrops.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: IETF SIDRops <sidrops@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Sidrops] Re: Notification for draft-spaghetti-sidrops-rpki-ta-tiebreaker
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/FhIXVf_ctInIG_nuZLDxZE-IxRk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Owner: <mailto:sidrops-owner@ietf.org>
List-Post: <mailto:sidrops@ietf.org>
List-Subscribe: <mailto:sidrops-join@ietf.org>
List-Unsubscribe: <mailto:sidrops-leave@ietf.org>

Job and co-authors:

I think that this document needs to be clear that this is talking about a TA renewing its own certificate.  If a TA does a rekey in accordance with RFC 6489, there is no need for tiebreaking.

Russ

> On Jun 19, 2024, at 7:45 PM, Job Snijders <job=40fastly.com@dmarc.ietf.org> wrote:
> 
> Dear SIDROPS,
> 
> In context of Relying Parties maybe having acquired access to multiple
> different valid issuances of a Trust Anchor certificate, Ties de Kock
> pointed out potential issues relating to certification path validation.
> 
> An implementation to demonstrate a tiebreaking scheme in the presence of
> another TA certificate was instrumented in OpenBSD rpki-client, and we
> documented our effort in this internet-draft.
> 
> Your feedback is most welcome!
> 
> Kind regards,
> 
> Job
> 
> ----- Forwarded message from internet-drafts@ietf.org -----
> 
> Date: Wed, 19 Jun 2024 16:11:54 -0700
> From: internet-drafts@ietf.org
> To: Job Snijders <job@fastly.com>, Theo Buehler <tb@openbsd.org>, Ties de Kock
> 	<tdekock@ripe.net>
> Subject: New Version Notification for
> 	draft-spaghetti-sidrops-rpki-ta-tiebreaker-00.txt
> 
> A new version of Internet-Draft
> draft-spaghetti-sidrops-rpki-ta-tiebreaker-00.txt has been successfully
> submitted by Job Snijders and posted to the
> IETF repository.
> 
> Name:     draft-spaghetti-sidrops-rpki-ta-tiebreaker
> Revision: 00
> Title:    Tiebreaking Resource Public Key Infrastructure (RPKI) Trust Anchors
> Date:     2024-06-19
> Group:    Individual Submission
> Pages:    7
> URL:      https://www.ietf.org/archive/id/draft-spaghetti-sidrops-rpki-ta-tiebreaker-00.txt
> Status:   https://datatracker.ietf.org/doc/draft-spaghetti-sidrops-rpki-ta-tiebreaker/
> HTML:     https://www.ietf.org/archive/id/draft-spaghetti-sidrops-rpki-ta-tiebreaker-00.html
> HTMLized: https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-ta-tiebreaker
> 
> 
> Abstract:
> 
>   A Trust Anchor (TA) in the RPKI is represented by a self-signed X.509
>   Certification Authority (CA) certificate.  Over time, Relying Parties
>   (RP) may have acquired multiple different issuances of valid TA
>   certificates from the same TA operator.  This document proposes a
>   tiebreaking scheme to be used by RPs to select one TA certificate for
>   certification path validation.  This document updates RFC 8630.
> 
> 
> 
> The IETF Secretariat
> 
> 
> 
> ----- End forwarded message -----
> 
> _______________________________________________
> Sidrops mailing list -- sidrops@ietf.org
> To unsubscribe send an email to sidrops-leave@ietf.org