IETF Logo Mail Archive

Re: [Sidrops] I-D Action: draft-ietf-sidrops-signed-tal-05.txt

Christopher Morrow <christopher.morrow@gmail.com> Tue, 28 April 2020 04:02 UTC

Return-Path: <christopher.morrow@gmail.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AD1A3A043A for <sidrops@ietfa.amsl.com>; Mon, 27 Apr 2020 21:02:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RShwwoqoESyS for <sidrops@ietfa.amsl.com>; Mon, 27 Apr 2020 21:02:08 -0700 (PDT)
Received: from mail-qt1-x830.google.com (mail-qt1-x830.google.com [IPv6:2607:f8b0:4864:20::830]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B168C3A041D for <sidrops@ietf.org>; Mon, 27 Apr 2020 21:02:08 -0700 (PDT)
Received: by mail-qt1-x830.google.com with SMTP id c23so15743454qtp.11 for <sidrops@ietf.org>; Mon, 27 Apr 2020 21:02:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YUwPsMtjz/+7EFj8W8BlRiz5RLYOJc2CT0WSq5quYVY=; b=Bi5WRCy0XKb8hy8RkO1Pe/Przv8EwlglcUDV9GJTBjQ+jgJfZTbvQbLeF9pObVb5Tt Ob3J/wuoNIxYj2K1c2jhtYWu5PmmOcJNPhdbbcAq4v6ZcJj1YBexipIWA5OsXrewA1dt 14V6a7nRNbAKyjdTEvNi0aKXI2kxIGpLaEQtKDY2s8tsBZPzTsmXaaQggX3rYWU7uXak AWLpwQwhcZ6YxcEPyyGTnU5zwO1VX8h7xMpaMYiJ4eSsyzM5CDGflRvwZUZ9BlWfwVlN kyoWx/IeiQNo3Q29ut9t89pj5HFHFTxGwgZG4lcKqkjQCnCB7L7Kfxu8viN7C1bQVdwo nFfQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YUwPsMtjz/+7EFj8W8BlRiz5RLYOJc2CT0WSq5quYVY=; b=tU+mPd4nBXUTYlyp73otqNe/9hqBECkskWAQuMbHaLRcb0f4hm76e9OWUpbqAYmAk9 B2SHDJgmODvCRaf/7BT5MdMT8DVz8Rca8jz3WU9xQyrZcpE19zJC0xGqfnpDAwabyQ8J N0YqQVC48oIueqXMxg/++u2zjbM3Ix91XZh6Pjzc1aCXvJiDWwZN0heIDmuOdUR14P5m 23mJH5xx1cGjg+byQ537I7XOxZrUNOoutgBdVOdjVHbOuSyoGNz4DIBlO2sBw4NS0BhB l1VIqG/VeZv2sDbhwZabtuSNqUeCUpu31M6HgziVOh0CJ/6SPvh/qh3hELJ1mq59foXv PRrg==
X-Gm-Message-State: AGi0PuZKm1hvByQPPh6PBSZGG2Z0oWYd1F8yWNeEH40S4Re7uI7/dypH r9gUnDtJyeMd1iBCwE2KLjY82/9MuQo+ypq/83qGWc8B
X-Google-Smtp-Source: APiQypJsv6VV4avHe4qA1jaRIXI3TjfFdQouvl07QSOTJS2bkQ6gBd5QjLirA+QOmlbVaThq8Jn6j3L4vafejBIclxk=
X-Received: by 2002:ac8:4e56:: with SMTP id e22mr27276248qtw.185.1588046527326; Mon, 27 Apr 2020 21:02:07 -0700 (PDT)
MIME-Version: 1.0
References: <157914534015.22379.11024327123542212494@ietfa.amsl.com> <CAL9jLabyFSP0C1Rq3FY6JkJVbPbm9yG9JuAfMQeZZtEeSb0Dfg@mail.gmail.com> <CAKr6gn11jN5Jb+uTeQerSktE5mE_DH+rSiBeYc90dpJqsAXGig@mail.gmail.com> <920CAE43-E94A-45A1-AD2C-86095F396E96@nlnetlabs.nl> <c0774788-c572-7dd1-8b15-41bee5af16c6@ripe.net> <m2lfodjpfx.wl-randy@psg.com> <CAL9jLabFAh9EKA9yH5VhsLfU8dzU-tRm2GpghtnjL2P=gy2GZg@mail.gmail.com> <m2o8rc60aq.wl-randy@psg.com> <CAKr6gn0UKD16fTNOJJ8njXAkA_z2h=bOyrSMHf7o1wegdvPB3A@mail.gmail.com>
In-Reply-To: <CAKr6gn0UKD16fTNOJJ8njXAkA_z2h=bOyrSMHf7o1wegdvPB3A@mail.gmail.com>
From: Christopher Morrow <christopher.morrow@gmail.com>
Date: Tue, 28 Apr 2020 00:01:56 -0400
Message-ID: <CAL9jLaZCvMLmLskuB66Yo3URKa_Sw5pHuA-EH1_nP8nC3-bzOg@mail.gmail.com>
To: George Michaelson <ggm@algebras.org>
Cc: SIDR Operations WG <sidrops@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/HR564KlWl3ZXPqf_N-3ieuRggrQ>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-signed-tal-05.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Apr 2020 04:02:10 -0000

On Mon, Apr 27, 2020 at 6:26 PM George Michaelson <ggm@algebras.org> wrote:
>
> There are (at least) three ways you can be taken to changing a TAL
>
> 1) because you receive "strongly" out-of-band signals such as a mail
> list notification, or a website change you see (RSS?) or
> word-of-mouth.
>
> 2) because the software updates, and you are given new TAL and a
> README explains (this is how browsers update the trust anchor set at
> present)
>
> 3) the missing third mechanism: an in-band signal informs you that a
> TAL you trust is signing intent to move to a new TAL.
>
> Robert K noted that if your primary concern is the distribution
> problem this is fine, but if the risk is subversion of the TAL itself,
> in-band signalling is actually weak, because the subverted signing
> system can be used to signal a move to a new keypair in the bad
> people's hands.  Robert preferred we focus on 2) but this places the
> burden and responsibility into the same process issues we see with the
> secret committee which white- and black- lists the TA set in the
> browser. OTOH that is a process vested in "the community" in some
> sense.
>
> 1) and 2) is how we do things at present. The draft tries to present
> 3). It riffs on the concepts in the DNSSEC key rolling. Signal intent,
> allow both, signal deprecation on the old key.

both 1 and 2 leave us open to 'orgX just NEVER updates their software,
sheesh!!!'
now, orgX may just disappear from the net periodically: "ok"
so long as orgX isn't 'a.root-servers.net' I guess? :)

3 means yea... a bunch of possible/going-to-bite-us problems about
auto-update...
It's hard to argue for 3 for something that "shouldn't" change that
often (2x/yr per TAL ? :))
and where the total number of 'things changing' is low (5).

The cost to 1 and 2 seem to be: "orgX could fall off the internet,
they'll learn their lesson or not...:("
I'd argue that the 'in software updates with clear warnings to the
updater' is probably safest here,
despite my sre friends screaming about 'automate all the things' :)

> Others (Randy?) have pointed out that if you want to do 3) like DNSSEC
> you need to invoke "trust' in a higher, non-software bounded sense:
> people need to see what you do. It opens the door to 'ceremonies'
> because they are the vehicle which builds trust in that space. Its a
> person cost, and a process cost.
>
> I don't think the draft has much more which can be said. It could try
> to capture the risk side, it could try to capture the ceremony side.
> We implemented an early version and its simple to script, so I don't
> see technology as the barrier here.

ok, so.. if you author types think it's read to put back on the WGLC
menu, let's do that after today/tomorrow's meeting?

v2.23.0 | Report a Bug | By Email