Re: [Sidrops] 6486bis: referenced object validation

Job Snijders <job@ntt.net> Fri, 04 December 2020 10:51 UTC

Return-Path: <job@ntt.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC9BA3A0936 for <sidrops@ietfa.amsl.com>; Fri, 4 Dec 2020 02:51:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RSr9ujJGMr-E for <sidrops@ietfa.amsl.com>; Fri, 4 Dec 2020 02:51:30 -0800 (PST)
Received: from mail4.dllstx09.us.to.gin.ntt.net (mail4.dllstx09.us.to.gin.ntt.net [IPv6:2001:418:3ff:5::192:26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85A283A091C for <sidrops@ietf.org>; Fri, 4 Dec 2020 02:51:30 -0800 (PST)
Received: from bench.sobornost.net (mieli.sobornost.net [45.138.228.4]) by mail4.dllstx09.us.to.gin.ntt.net (Postfix) with ESMTPSA id 16545EE007C; Fri, 4 Dec 2020 10:51:28 +0000 (UTC)
Received: from localhost (bench.sobornost.net [local]) by bench.sobornost.net (OpenSMTPD) with ESMTPA id 7edfc160; Fri, 4 Dec 2020 10:51:27 +0000 (UTC)
Date: Fri, 4 Dec 2020 10:51:27 +0000
From: Job Snijders <job@ntt.net>
To: Ties de Kock <tdekock@ripe.net>
Cc: sidrops@ietf.org, Martin Hoffmann <martin@opennetlabs.com>, Ben Maddison <benm=40workonline.africa@dmarc.ietf.org>
Message-ID: <X8oUr+zsCbHk0Q3a@bench.sobornost.net>
References: <20201203224213.gnb2nawujxm7a32q@benm-laptop> <20201204111651.4e865d7d@glaurung.nlnetlabs.nl> <X8oSBlR1pDhX83nH@bench.sobornost.net> <EF03D4E0-83EE-4C70-8E81-002DC8C38B95@ripe.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <EF03D4E0-83EE-4C70-8E81-002DC8C38B95@ripe.net>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/JU6v6Zd0ZpgvlKICKz3MbT7o5D8>
Subject: Re: [Sidrops] 6486bis: referenced object validation
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2020 10:51:32 -0000

On Fri, Dec 04, 2020 at 11:47:17AM +0100, Ties de Kock wrote:
> > On 4 Dec 2020, at 11:40, Job Snijders <job@ntt.net> wrote:
> > On Fri, Dec 04, 2020 at 11:16:51AM +0100, Martin Hoffmann wrote:
> >> Under this approach, the manifest expresses which objects the CA
> >> intended to publish. If all the objects listed on the manifest are
> >> present with a matching hash, the publication point reflects the
> >> intent of the CA and can be processed. If it contains invalid objects,
> >> these can be discarded individually.
> > 
> > Indeed, I believe you've now captured the essence of why manifests
> > exists at all. This is what rpki-client & FORT seem to have implemented.
> > 
> > Other than the hashes matching & files being present, additional
> > conditions apply: the manifest & EE certificate need to be valid,
> > current, latest, correctly encoded, part of the cert chain, CRL present,
> > etc.
> 
> However, validating these requirements for just CMS objects (as per
> -03, instead of for CAs as well as per -00) leaves open the situation
> where only part of the objects for a CA apply. When the ROAs are
> correct, but the sub-CA is not, this can cause outages.
> 
> I don't have a preference on which way to go, but I would propose that
> we treat invalidation (time, c.f. because of semantic errors) for both
> CA certificates and other objects similarly.

I am not sure I follow, can you construct an example data set where the
'situation left open' you describe appears?

Kind regards,

Job