Re: [Sidrops] 6486bis: referenced object validation

Ties de Kock <tdekock@ripe.net> Fri, 04 December 2020 10:47 UTC

Return-Path: <tdekock@ripe.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 438753A0911; Fri, 4 Dec 2020 02:47:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ripe.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0UvVY1q2etF1; Fri, 4 Dec 2020 02:47:19 -0800 (PST)
Received: from mahimahi.ripe.net (mahimahi.ripe.net [IPv6:2001:67c:2e8:11::c100:1372]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 079383A08FA; Fri, 4 Dec 2020 02:47:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ripe.net; s=s1-ripe-net; h=To:Message-Id:Cc:Date:From:Subject:Mime-Version: Content-Type; bh=wtRSbpxaebblc5CwFzscFa7RL7FO2wGeCQJB+FRCyD8=; b=U58Pwu/ywzHJ w/NxUK/5/CnPKJeqQwDL7dXVn8a73M7nkgrXeME2GCFboJ+ZCjeUWimXj9CM5jJgRG5Tn3rq4Lzxg Qe8UAwnQjN1WXkZq/M0rgsAIvnEiQm7/3gG+p4oq8Xji7fWARGCw1ywcjXpmUy2xvNFDxFwabUXek NExnkNwx7HqyTuf0Iqd1dJkZNXRk84HZKIhg0mvfg6QYC5cdCLSNifikDH7au4zW9/F/1Ix3vXOzc hxseuRm8+X51XKMCP4l5Mv2alrUANQYh+8Zh9nXUj2e+sbQ/1vgOk+Fb05bwItYK4OIfKXHo0nOvT r+K9y5+6yEeZ4bN3fW9cEg==;
Received: from allealle.ripe.net ([193.0.23.12]:58218) by mahimahi.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94) (envelope-from <tdekock@ripe.net>) id 1kl8cP-0009FY-Go; Fri, 04 Dec 2020 11:47:17 +0100
Received: from sslvpn.ipv6.ripe.net ([2001:67c:2e8:9::c100:14e6] helo=[IPv6:2001:67c:2e8:1200::91f]) by allealle.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94) (envelope-from <tdekock@ripe.net>) id 1kl8cP-0000MS-E3; Fri, 04 Dec 2020 11:47:17 +0100
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: Ties de Kock <tdekock@ripe.net>
In-Reply-To: <X8oSBlR1pDhX83nH@bench.sobornost.net>
Date: Fri, 04 Dec 2020 11:47:17 +0100
Cc: Martin Hoffmann <martin@opennetlabs.com>, sidrops@ietf.org, Ben Maddison <benm=40workonline.africa@dmarc.ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <EF03D4E0-83EE-4C70-8E81-002DC8C38B95@ripe.net>
References: <20201203224213.gnb2nawujxm7a32q@benm-laptop> <20201204111651.4e865d7d@glaurung.nlnetlabs.nl> <X8oSBlR1pDhX83nH@bench.sobornost.net>
To: Job Snijders <job@ntt.net>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
X-ACL-Warn: Delaying message
X-RIPE-Signature: 059faafd1cc22ebb05e1592c815fe1e1d842a1bb5c12b25172660e6b3d16d876
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/HSPXqUvzi5iYXwOqms-yzffEXnc>
Subject: Re: [Sidrops] 6486bis: referenced object validation
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2020 10:47:20 -0000


> On 4 Dec 2020, at 11:40, Job Snijders <job@ntt.net> wrote:
> 
> On Fri, Dec 04, 2020 at 11:16:51AM +0100, Martin Hoffmann wrote:
>> Under this approach, the manifest expresses which objects the CA
>> intended to publish. If all the objects listed on the manifest are
>> present with a matching hash, the publication point reflects the
>> intent of the CA and can be processed. If it contains invalid objects,
>> these can be discarded individually.
> 
> Indeed, I believe you've now captured the essence of why manifests
> exists at all. This is what rpki-client & FORT seem to have implemented.
> 
> Other than the hashes matching & files being present, additional
> conditions apply: the manifest & EE certificate need to be valid,
> current, latest, correctly encoded, part of the cert chain, CRL present,
> etc.

However, validating these requirements for just CMS objects (as per -03, instead
of for CAs as well as per -00) leaves open the situation where only part of the
objects for a CA apply. When the ROAs are correct, but the sub-CA is not, this
can cause outages.

I don't have a preference on which way to go, but I would propose that we treat
invalidation (time, c.f. because of semantic errors) for both CA certificates
and other objects similarly.

Ties