Re: [Sidrops] I-D Action: draft-ietf-sidrops-cms-signing-time-03.txt
Job Snijders <job@fastly.com> Fri, 19 January 2024 12:17 UTC
Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84700C14F736 for <sidrops@ietfa.amsl.com>; Fri, 19 Jan 2024 04:17:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r2ge_VI_9zw6 for <sidrops@ietfa.amsl.com>; Fri, 19 Jan 2024 04:17:23 -0800 (PST)
Received: from mail-ej1-x630.google.com (mail-ej1-x630.google.com [IPv6:2a00:1450:4864:20::630]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C47E4C14F749 for <sidrops@ietf.org>; Fri, 19 Jan 2024 04:17:23 -0800 (PST)
Received: by mail-ej1-x630.google.com with SMTP id a640c23a62f3a-a2c179aa5c4so74526766b.0 for <sidrops@ietf.org>; Fri, 19 Jan 2024 04:17:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; t=1705666642; x=1706271442; darn=ietf.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=ig3fH32g2V8+sR1nt9ovx2piBue+jd9KiIIFa+2Geg8=; b=WfbpR5u+GLktMqxPPssQKgIX0k9S+BzZIXeA/T1OgyGnLg0ujpkendg3O0C/BYgCLc 9Xp3muu3M6EH/HCwr5EsXi98u5Vq9pgt7sjoQZmzuMJABMRXpjYYRhJq1cWcDptiM3Qj zM/ec2TLQ8/5cRf/81z+BCJ9eHOgIfnpyuXJY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705666642; x=1706271442; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=ig3fH32g2V8+sR1nt9ovx2piBue+jd9KiIIFa+2Geg8=; b=pOl3an+5+8FzZNVO7b1zukJDuvncVSWUECaj8pnLaV8mDPJN6Iriz14HmZzHQzq9OA 2t9SnugyAiFCghqsEGiAvGvSR2ETcpNmppuco0zrs91CQ3VM1jkW9slHJ9+oRQO2XeU6 DQdxcUy06gHPiRPt+optV7mBHCr3L1Dpbe2vrEWTeKBu2h9zLLE7SpHgrazLvYkqEvsQ Irnl2Kcbt1/q6n+IlCoJl/gmbAB4VjstUqHp5DOVlzloE0obezyfm3/tyWplzko45I8L C+LFn7ifv8xwJoeCr+2yS0mQ0axubi3MNfujUF3HmCXqDutDhwyflWaJRum6Aw1ISGjg uQDA==
X-Gm-Message-State: AOJu0Yz0ByjE7dTDWYCWALG1pC2hglsQ+pwkiVehcxDpMVZIf1VTCw4g O6delYrYIoDPo2vaXwCy6wI3QMtymR8ROgHXynF7sOePiaawMrLXz3qFk8AKg79F+6NGmb7YIpf Q
X-Google-Smtp-Source: AGHT+IEpz3hUVXBaKZTH70k5eyCR/TI9A844pCxwg5VdWG0csS7ZBCfd+zQ+CEr1FuGVL4VvzfmknA==
X-Received: by 2002:a17:906:2d49:b0:a2f:62b3:45cd with SMTP id e9-20020a1709062d4900b00a2f62b345cdmr618001eji.144.1705666641969; Fri, 19 Jan 2024 04:17:21 -0800 (PST)
Received: from snel ([2a10:3781:276:3:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id qc21-20020a170906d8b500b00a26ac5e3683sm10217028ejb.100.2024.01.19.04.17.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 19 Jan 2024 04:17:21 -0800 (PST)
Date: Fri, 19 Jan 2024 13:17:19 +0100
From: Job Snijders <job@fastly.com>
To: Ties de Kock <tdekock@ripe.net>
Cc: sidrops@ietf.org
Message-ID: <ZapoTxRlSvSSVqk_@snel>
References: <170561454824.54895.360140302624981870@ietfa.amsl.com> <ZamgKc5PTJPDcISD@snel> <C10EC4E3-9A59-4BBA-B5DC-DB4680AD0B0D@ripe.net> <ZapR2qVBAu7lECFB@snel> <7547BE09-8FF6-40F4-BC6E-388BAEFE6CD6@ripe.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <7547BE09-8FF6-40F4-BC6E-388BAEFE6CD6@ripe.net>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/KHWF4JlXko__U5zx8xKOxBZ4Y70>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-cms-signing-time-03.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jan 2024 12:17:27 -0000
On Fri, Jan 19, 2024 at 12:25:56PM +0100, Ties de Kock wrote: > >> This has significantimpact on implementations that are fully > >> conforming to rfc6488 and has a significant impact on those > >> implementations, effectively invalidating their test set of > >> objects. > > > > Indeed, RFC 6488 is updated and simpified. Preventing invalidation > > of a set of private objects which solely exist for regression > > testing seems a non-goal to me? It seems unsurprising to me that a > > full coverage test suite for 6488 objects may need to be updated if > > 6488 is updated. > > I am fine with mandating the existence of signing time. That provides > value now that we have found a goal for that attribute that was unused > until last year. > > Based on the document, the reason to go further than mandating signing > time is aesthetics imo. In my opinion, based on the document, we lack > motivation for the further changes. On the contrary - while revisiting 6488's formal signing time requirements, it makes a lot of sense to simplify closely related data fields. For example removing the requirement for RPs to (if both of these attributes are present), check whether they provide the same date and time is a welcome simplification. On top of that the binary signing-time attribute does not appear in the global RPKI, so no CAs become noncompliant, making this an easy win. > >> It also invalidates objects generated by public CA implementations if > >> a feature is enabled. > > > > Extensive long-term quantitative research showed that no public > > Certification Authorities issue and publish Signed Object with a CMS > > binary signing-time attribute. The complete absence of the binary > > signing-time attribute in the global RPKI is a positive signal that it > > is feasible to formally disallow the attribute. I suspect that lack of > > support for binary signing-time in commonly used libraries contributed > > to binary signing-time's lackluster fashionability in the field. > > I agree that implementations of 6488 have generally skipped the checks > mandated on signing time. > > > > >> Please elaborate on the improvement in security posture this gives iff > >> any. > > > > There are more angles to consider than just security posture: > > disallowing the binary signing-time attribute simplifies implementations > > on both the signer and the RP side: instead of enumerating, parsing, > > checking for duplicate attributes, and also comparing the encoded > > timestamps against each other for both normal & binary signing-time > > attributes; after publication of this draft RPs merely need to confirm > > the absence of the binary signing-time attribute. To me this seems is a > > welcome simplification. > > Now we are getting to the core of what confuses me. My read of the > draft is that binary signing time can still be present, just not in > the set of signed attributes (this would not comply to RFC6019, but > implementations have ignored RFC6019 in general so far). This draft > may even introduce malleability this way. > > How about: > * Mandating that the binary signing time attribute MUST NOT be > present (signed or unsigned). Yes, this is in RFC6019. But we no > longer refer to that. And as you said, some RPs have not implemented > those MUSTs because of a lack of library support. RFC 6488 section 2.1.6.7 already forbids the presence of unsigned attributes entirely. The draft at hand does not change this requirement. Rpki-client checks for the presence of unsigned attributes and treats objects as invalid if the count is non-zero. Additionally, RFC 6019 forbids binary signing-time to be an unsigned attribute, unauthenticated attribute, or unprotected attribute. RFC 5652 section 11.3 explicitly forbids normal signing-time to be an unsigned attribute, unauthenticated attribute, or unprotected attribute. I don't see how malleability is introduced. > * Clarifying in security considerations that the previous profile > allowed objects to have ambiguous singing time if the implementation > was not standard compliant and this document prevents objects from > having ambiguous signing time? Aren't all bets off when implementations are noncompliant? :-) I think I agree with the gist of what you're saying, but I'm not entirely sure what to add that's not already covered by existing literature. Kind regards, Job
- [Sidrops] I-D Action: draft-ietf-sidrops-cms-sign… internet-drafts
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-cms-… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-cms-… Ties de Kock
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-cms-… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-cms-… Ties de Kock
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-cms-… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-cms-… Ties de Kock
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-cms-… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-cms-… Ties de Kock
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-cms-… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-cms-… Job Snijders