[Sidrops] Re: Paul Wouters' No Objection on draft-ietf-sidrops-signed-tal-15: (with COMMENT)

Paul Wouters <paul.wouters@aiven.io> Thu, 23 May 2024 16:12 UTC

Return-Path: <paul.wouters@aiven.io>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA1FBC14F6FA for <sidrops@ietfa.amsl.com>; Thu, 23 May 2024 09:12:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ez8ig8-5wJis for <sidrops@ietfa.amsl.com>; Thu, 23 May 2024 09:12:22 -0700 (PDT)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70B2CC14F5E9 for <sidrops@ietf.org>; Thu, 23 May 2024 09:12:22 -0700 (PDT)
Received: by mail-lf1-x12b.google.com with SMTP id 2adb3069b0e04-51f72a29f13so8617156e87.3 for <sidrops@ietf.org>; Thu, 23 May 2024 09:12:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; t=1716480740; x=1717085540; darn=ietf.org; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:from:to:cc:subject:date:message-id :reply-to; bh=VUogUj+EZbO3r+Mzwo0wof/OlIbhtsCRitXbDlnM6dw=; b=Kb118h7FZkoLKhNho5g0A1dhzGdHXWhep83F261l6oJa4jUhuM8zAA/VDoP41v1vH2 HZZ/g5Q1zWMPSt9mhDimYrBdK/paTNU0XkoMSDEJiRArq1PaEuOrQ0q6ZM278mPLUsY5 jE2yXiZo3zKDDs7g7xJ3HUs/H1sWuxGbscb/w=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716480740; x=1717085540; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=VUogUj+EZbO3r+Mzwo0wof/OlIbhtsCRitXbDlnM6dw=; b=sl+Y3r5luLaq6ek/CVrVsIoP7wNAVDtK+JfTs96UYnOdVJWgvSNpfIYklCue0HhYDm 7nu6g5kmqW/HGPwNfdZAomNLmhRuTRLdeoj6IoR6qK8kzEt3N3yeyZz3vNp5JXAJvIv5 yvjmJzuV9DVCauu2lObKlzcsCI7LSGDCS+H75tzkI72a/DNZuQD5c5yEyNSQ3y1+B/E5 gP2YebyOeJh+PUa4HUEUbg0ptfTNGSgHJec2FhaWY9zPFrD2hSPeFaSUsmJndaUhq93H i93iCtKdpDDyPgELd6xg0whyIruhAdMP2aSCUthL7Wq/gjn06GUFGSTJAWrnw84AOxSo 9YCg==
X-Forwarded-Encrypted: i=1; AJvYcCX8RRVz3C30sPA6USfOKoNRTYZpeQEPqsALoxMElDLPkTjU/O58+ipXg2HDG1G8sRs3Co8yP3xNvgW1b3J2CQFh
X-Gm-Message-State: AOJu0YzhRm0eJCXyE4V3YBsZD6fnkPn9+u395TZ2hrTQHDAonIF4NQ1H ZH7UjicKxfu9ogpCi9er4U2x+sTpWJNZbz4sOEJYgiFgd4Q1gkYd8a/jykqKV5o=
X-Google-Smtp-Source: AGHT+IEnu3Sg2rOZ5o15uwNEWCBSLogO3+kq3Kj+7PVkyLnsSUvJAVTtJpxwdIvv00Ools/+FZLBTw==
X-Received: by 2002:ac2:4437:0:b0:51a:ca75:9ffe with SMTP id 2adb3069b0e04-526bef881a9mr3454781e87.42.1716480740600; Thu, 23 May 2024 09:12:20 -0700 (PDT)
Received: from smtpclient.apple ([2001:56b:3feb:7015:78cd:dc71:621f:dbef]) by smtp.gmail.com with ESMTPSA id e9e14a558f8ab-373778b4904sm2147345ab.53.2024.05.23.09.12.19 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 23 May 2024 09:12:20 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Paul Wouters <paul.wouters@aiven.io>
Mime-Version: 1.0 (1.0)
Date: Thu, 23 May 2024 12:12:08 -0400
Message-Id: <AB669751-87A4-4C11-AFD8-FB68FBBEC323@aiven.io>
References: <ZkVdmBffRP7S13M4@TomH-498551.lan>
In-Reply-To: <ZkVdmBffRP7S13M4@TomH-498551.lan>
To: Tom Harrison <tomh@apnic.net>
X-Mailer: iPhone Mail (21E236)
Message-ID-Hash: LUC54LU2O5V6ULQE6ARZ4J2JFXPQ52JG
X-Message-ID-Hash: LUC54LU2O5V6ULQE6ARZ4J2JFXPQ52JG
X-MailFrom: paul.wouters@aiven.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-sidrops.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Job Snijders <job@fastly.com>, The IESG <iesg@ietf.org>, draft-ietf-sidrops-signed-tal@ietf.org, housley@vigilsec.com, keyur@arrcus.com, sidrops@ietf.org, sidrops-chairs@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Sidrops] Re: Paul Wouters' No Objection on draft-ietf-sidrops-signed-tal-15: (with COMMENT)
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Owner: <mailto:sidrops-owner@ietf.org>
List-Post: <mailto:sidrops@ietf.org>
List-Subscribe: <mailto:sidrops-join@ietf.org>
List-Unsubscribe: <mailto:sidrops-leave@ietf.org>

thanks for the clarifications!

paul

Sent from my iPhone

> On May 15, 2024, at 21:13, Tom Harrison <tomh@apnic.net> wrote:
> 
> Hi Paul (and Job),
> 
> Thanks for your review.
> 
>> On Wed, May 15, 2024 at 08:26:21PM +0200, Job Snijders wrote:
>> Thanks for the review and your question. Jumping in as working group
>> participant.
>> 
>>> On Wed, 15 May 2024 at 20:01, Paul Wouters via Datatracker <noreply@ietf.org> wrote:
>>> ----------------------------------------------------------------------
>>> COMMENT:
>>> ----------------------------------------------------------------------
>>> 
>>> I am not an rPKI expert, so this might be a dumb question. If Key A
>>> generates its CA, and then lets its CA expire, or the expiration
>>> time is smaller than the acceptance window, is there a way to
>>> recover from this? The rules seem to say a new Key B cannot be
>>> created because it wouldn't be accepted ?
>> 
>> The relaying parties have a local copy of the Trust Anchor’s public
>> key (this is called the Trust Anchor Locator). The TAL does not
>> contain expiration information, it only contain a URL where to
>> download the Trust Anchor certificate and the public key to verify
>> the certificate.
>> 
>> If the Trust Anchor’s self-signed certificate expires, or the TAK’s
>> EE certificate expires, the TA operator can simply issue a new TA
>> certificate or new TAK that’s not expired.
>> 
>> If expiration happens during the acceptance window, the whole
>> process needs to start anew, a new TAK for B would need to be
>> issued.
>> 
>> Does this help clarify?
> 
> In addition to the above, there is guidance in the 'Acceptance Timers'
> section
> (https://www.ietf.org/archive/id/draft-ietf-sidrops-signed-tal-15.html#name-acceptance-timers)
> that is relevant to this scenario (though that section is in terms of
> removal of a successor key from a TAK object, rather than expiry of
> the TAK object).  The TA should change the URLs for the successor
> public key when the new TAK object is issued, so as to increase the
> chance of RPs switching over at about the same time.  (If the URLs
> aren't changed, and an RP does not attempt to validate during the time
> when the TAK object or TA certificate is expired, then when the TAK
> object or TA certificate is renewed, that RP's acceptance timer won't
> be affected.  Changing the URLs will cause the acceptance timer to
> reset.)
> 
> -Tom