Re: [Sidrops] mft/ee validity time window alignment issue - Re: I-D Action: draft-ietf-sidrops-6486bis-05.txt
Tim Bruijnzeels <tim@nlnetlabs.nl> Mon, 12 July 2021 07:42 UTC
Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19F273A0CCE for <sidrops@ietfa.amsl.com>; Mon, 12 Jul 2021 00:42:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.2
X-Spam-Level:
X-Spam-Status: No, score=-0.2 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WwFtjE0W7LIN for <sidrops@ietfa.amsl.com>; Mon, 12 Jul 2021 00:41:58 -0700 (PDT)
Received: from outbound.soverin.net (outbound.soverin.net [116.202.126.228]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3EC113A0CC8 for <sidrops@ietf.org>; Mon, 12 Jul 2021 00:41:57 -0700 (PDT)
Received: from smtp.soverin.net (unknown [10.10.3.28]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id B8FCA30B; Mon, 12 Jul 2021 07:41:54 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [159.69.232.142]) by soverin.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1626075713; bh=tr/D+yG8OBww44xPX5598/e9j7coNC28X6pjlE5DLsA=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=VL6liGGTWXQPfxEqLtIIozAJSs2dSbnYnTlsAOWiq9fV3VLZ8nPAlz7juC46s3yQm xZ5ifywF14uDE4GzG4P2dcdsncpxI5E1SOEXvmPnX8jrcjN0MvzOOyYrTQd9vjSefh EO50mEWS7TcI5oqivtd1Fof+Q3nqZxEBZIgnAnE5ZGVyh/KpDBmN1p4LFQCZ3lk9OL oF+wAGlQaEDdOG3bZ1UrwRz5Y8OooQ8lSlx3wh0IIC/j92W838KIsgEs1/HMt5LM02 Bv+b2qmF9lGft/s/LzwC56nmv/NbS+CehEU1RyUVLwGQgXPubUZOv3Hy4Gf1pfeGIV ChmVf4UrYMl7g==
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.100.0.2.22\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <YOjHFVZFtCahcfr7@snel>
Date: Mon, 12 Jul 2021 09:41:48 +0200
Cc: Stephen Kent <stkent=40verizon.net@dmarc.ietf.org>, sidrops@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <D5E6E72B-8830-4C2C-B63D-E39BCF9DF5F3@nlnetlabs.nl>
References: <162574988984.26098.17271669200254285008@ietfa.amsl.com> <YOc/X/fqp5RepPQD@snel> <3077EE58-C035-4A0D-91C7-AB44B33025D1@nlnetlabs.nl> <564f0d8f-942e-e4e6-b97c-563564f235fe@verizon.net> <YOjHFVZFtCahcfr7@snel>
To: Job Snijders <job=40fastly.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/M10beUIUtLpuNNgmRuCpWJ3YFCM>
Subject: Re: [Sidrops] mft/ee validity time window alignment issue - Re: I-D Action: draft-ietf-sidrops-6486bis-05.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jul 2021 07:42:04 -0000
> On 10 Jul 2021, at 00:00, Job Snijders <job=40fastly.com@dmarc.ietf.org> wrote: > > On Fri, Jul 09, 2021 at 02:28:50PM -0400, Stephen Kent wrote: >>> One other note. NTP not being as perfect as we would like, I would >>> advise backdating the 'thisUpdate' and not before a tiny bit, say 5 >>> minutes. >> >> I can modify the text to refer to this as a spec for version 1 (vs. 0) >> manifests, if folks want to adopt this approach to aid transition to more >> stringent CA and RP requirements. > > I would like to suggest to not deploy the innate 'version' feature > aspect of RPKI objects, when it concerns the Manifest object, for this > purpose. > > The community lacks experience with this type of transition mechanism, > and I suspect some RPs will not be able to parse the eContent when they > stumble upon a version field, even when it is set to 1. > > Given that CA's in their SIA currently can't point to two different > Manifest objects, unless a new accessDescription element for the > id-ad-rpkiManifest accessMethod is introduced. At that point CAs would > be doubly publishing Manifests (v0 + v1)... all to reduce some potential > churn in the CRL space. > > If the objective only is to reduce CRL growth, the paragraph must be > written in a way that makes it clear it only applies to certificate > issuers, and is for their own benefit. > > I propose this text for Section 4.2.1 second paragraph: > > """ > When signing a manifest, it is RECOMMENDED to use an "one-time-use" > keypair. The EE certificate SHOULD have a validity period that > coincides with the interval from thisUpdate to nextUpdate in the > manifest, to prevent needless growth of the CA's CRL. > """ This text for 4.2.1 works for me. I think the SHOULD is appropriate because of existing deployment where this restriction was not present. Furthermore, while shortening the lifetime will help to keep the CRLs a bit shorter (in case of Krill 1 previous MFT EE revocation entry instead of 10, bear in mind there might be other entries for ROAs, certs..), I think this gain is marginal. I do not see how the security aspects are changed here, it just saves a small number of cycles. Furthermore, I fail to see why a version increment of the manifest would be needed in this context. Before discussing the 'how' of such a transition I think the 'why' should be clear. Kind regards, Tim > > Kind regards, > > Job > > _______________________________________________ > Sidrops mailing list > Sidrops@ietf.org > https://www.ietf.org/mailman/listinfo/sidrops
- [Sidrops] I-D Action: draft-ietf-sidrops-6486bis-… internet-drafts
- [Sidrops] mft/ee validity time window alignment i… Job Snijders
- Re: [Sidrops] mft/ee validity time window alignme… Tim Bruijnzeels
- Re: [Sidrops] mft/ee validity time window alignme… Job Snijders
- Re: [Sidrops] mft/ee validity time window alignme… Ties de Kock
- Re: [Sidrops] mft/ee validity time window alignme… Job Snijders
- Re: [Sidrops] mft/ee validity time window alignme… Julian Reschke
- Re: [Sidrops] mft/ee validity time window alignme… Stephen Kent
- Re: [Sidrops] mft/ee validity time window alignme… Stephen Kent
- Re: [Sidrops] mft/ee validity time window alignme… Job Snijders
- Re: [Sidrops] mft/ee validity time window alignme… Russ Housley
- Re: [Sidrops] mft/ee validity time window alignme… Job Snijders
- Re: [Sidrops] mft/ee validity time window alignme… Stephen Kent
- Re: [Sidrops] mft/ee validity time window alignme… Tim Bruijnzeels
- Re: [Sidrops] mft/ee validity time window alignme… Stephen Kent
- Re: [Sidrops] mft/ee validity time window alignme… Tim Bruijnzeels