IETF Logo Mail Archive

Re: [Sidrops] draft-ietf-sidrops-rpki-has-no-identity-00

Tim Bruijnzeels <tim@nlnetlabs.nl> Tue, 11 May 2021 14:38 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DFFA3A1A07 for <sidrops@ietfa.amsl.com>; Tue, 11 May 2021 07:38:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yc_Lu8albpzk for <sidrops@ietfa.amsl.com>; Tue, 11 May 2021 07:38:19 -0700 (PDT)
Received: from outbound.soverin.net (outbound.soverin.net [116.202.65.218]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 609CA3A1A03 for <sidrops@ietf.org>; Tue, 11 May 2021 07:38:18 -0700 (PDT)
Received: from smtp.soverin.net (unknown [10.10.3.24]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id C1BEB60561; Tue, 11 May 2021 14:38:15 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [159.69.232.138]) by soverin.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1620743893; bh=7P691vb0yGNTfQBi95nToNQl2xHkZsbzN+zkPf9NFK8=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=Ko2iV409b2nFxQcm//XdcidZOHcy3zHfEPUt9xozl2em03gI0VpiNiixafGm0u+LS h3renWySf8M0SMUBHAua//ASQoc9s4+To3ztSRx+dQ2QX4H0dkwHxC+xP7xPIXpTe7 QhIwVngYK5M6JB0k1rqLx9BSoi2DmXZUI2TS7hgVbvDOrhmPPMgjxdLC73tSDBt/uc I/yBWJotNsMVI2NqKLfpvqd8thjx2E5PLWuLv9TiPnFHOUNWHSkbK9/kQj+6LTOwU/ aic9TGcEvs9qfWoIOuF7C99E52Ti7VkPQuuIl+N9gUHhhuNXCUIls5d0Eh0emY05Ub wwmg/BdwgNPZg==
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <4455A207-2637-444B-BDA0-1209425C2EF2@vigilsec.com>
Date: Tue, 11 May 2021 16:38:09 +0200
Cc: George Michaelson <ggm@algebras.org>, Randy Bush <randy@psg.com>, SIDR Operations WG <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <2D988AA2-7860-4F5E-B9D4-87A747A39FD2@nlnetlabs.nl>
References: <m2k0o6uqot.wl-randy@psg.com> <CAKr6gn3oCZBOP3L8AQWvH9Nk4fum-ycZCnHO_DUtgdx5M=z_+A@mail.gmail.com> <m2fsyuuofa.wl-randy@psg.com> <CAKr6gn18yGTrAiqPA2P+kc+JBt2Tf8D-G4Gf5WCnASm8vk1Fvg@mail.gmail.com> <4455A207-2637-444B-BDA0-1209425C2EF2@vigilsec.com>
To: Russ Housley <housley@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/Ku55Denf7gFa2ELxkqOxsep-GS0>
Subject: Re: [Sidrops] draft-ietf-sidrops-rpki-has-no-identity-00
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 May 2021 14:38:26 -0000

Russ, all,

> On 11 May 2021, at 16:20, Russ Housley <housley@vigilsec.com> wrote:
> 
> George:
> 
> I am confused.  The RPKI design purposely avoids binding IIJ's identity to the resources assigned to IIJ. What kind of assertions need two signatures, one that ca be validated with an RPKI certificate and the other can be validated with a certificate from an identity-confirming PKI?

I believe that the main point here is that a parent RPKI CA does not attest to the identity of a child. It just associates INRs to $their public key.

However, with RSC/RTA the operator of that child CA could then sign an attestation containing anything else, including a public B-PKI key that they may wish to associate with their INRs in specific use cases.

At least that is how understood George's words. Please correct me if I misunderstood George :)

Tim



> 
> Russ
> 
> 
>> On May 10, 2021, at 8:50 PM, George Michaelson <ggm@algebras.org> wrote:
>> 
>> holder of RPKI cert over 192.83.230.0/24 creates a nonce, and
>> communicates it OOB to cert holder in "iij has a corporate x.509-based
>> employee database" using their public key: this is private, only can
>> be decoded by private keyholder.
>> 
>> the specific person, they sign "I saw nonce" with IIJ corp cert
>> private key. they hand it back to RPKI cert person.
>> 
>> holder of RPKI cert validates: yep: under the IIJ TA they signed over
>> the nonce I gave them. This private key, it is the one I passed the
>> nonce to, no matter how indirect that happened, it wound up being a
>> chain from the nonce to the Private Key. If you care, you need to
>> communicate the nonce over some secure channel, but its out of band.
>> 
>> You sent them a thing only the bPKI private key holder can decode,
>> they sent you back a reply only the bPKI private keyholder can encode.
>> 
>> you then sign over some other assertion, saying "I did a nonce check,
>> and this private key here, which IIJ says is employee X, they seem to
>> check out." with the INR you want to associate. Your RPKI sign, can
>> only validate you control the INR. if you use either RTA or RSC, you
>> co-validate the hash of >some other assertion< but only in X509
>> cryptographic sense: the hash is asserted to be valid, under the
>> constraint it was signed over by this specific RPKI INR. You cannot
>> validate the >applicability< of that hash, it lies outside the RPKI
>> validation model.
>> 
>> neither PKI has to breach its own validation policy. They only ever
>> apply to validate the property of "which INR is associated with the
>> specific assert being made here" for RPKI validation and "which
>> identity, outside of RPKI, is being asserted here" for bPKI
>> validation.
>> 
>> why did you trust the bPKI in the first place? You have a TA. Thats
>> what TA do: they tell you to trust things. This isn't an RPKI TA, its
>> a bPKI TA. I can imagine somebody is whispering PGP at this point.
>> 
>> -G
>> 
>> 
>> On Tue, May 11, 2021 at 10:03 AM Randy Bush <randy@psg.com> wrote:
>>> 
>>>> If another mechanism can provide positive proof (eg an x509 identity
>>>> certificate which lies under a non-RPKI TA you trust) then there is no
>>>> barrier to countersigning an assertion over that proof (the public key
>>>> and a nonce, for example) binding the INR you can validate inside the
>>>> RPKI, and an identity which lies outside the RPKI.
>>>> 
>>>> and
>>>> 
>>>> No part of the RPKi validation can "prove" the identity in the
>>>> signing. What it can do, is relate the INR in RPKI, to a specific
>>>> assertion about identity. Validation of that assertion is not subject
>>>> to RPKI validation. Validation of the INR which is being associated,
>>>> is a function of the RPKI
>>> 
>>> are you trying to say
>>> 
>>> the owner of some j random inr is attesting to some identity binding
>>> in some k random pki?
>>> 
>>> maybe a concrete example would help me wrap what is left of my head
>>> around this.
>>> 
>>> there exists an rpki cert attesting to a holding of 192.83.230.0/24.
>>> iij has a corporate x.509-based employee database in which i have a
>>> cert.  so the unknown owner of 192.83.230.0/24 cross-signs (let's
>>> leave out the ugnlies) my iij cert.  what is the real world meaning of
>>> this?  in few small words.
>>> 
>>> or, what is the meaning if i cross-sign the cert for 203.119.101.18
>>> from iij?
>>> 
>>> what are the attestations and what is the trust?
>>> 
>>> randy
>>> 
>>> ---
>>> randy@psg.com
>>> `gpg --locate-external-keys --auto-key-locate wkd randy@psg.com`
>>> signatures are back, thanks to dmarc header butchery
>> 
>> _______________________________________________
>> Sidrops mailing list
>> Sidrops@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidrops
> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops

v2.23.0 | Report a Bug | By Email