Re: [Sidrops] Francesca Palombini's No Objection on draft-ietf-sidrops-6486bis-09: (with COMMENT)
Job Snijders <job@fastly.com> Thu, 03 February 2022 16:19 UTC
Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B12233A0CF0 for <sidrops@ietfa.amsl.com>; Thu, 3 Feb 2022 08:19:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vy_fko8u6WTG for <sidrops@ietfa.amsl.com>; Thu, 3 Feb 2022 08:19:09 -0800 (PST)
Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38EA73A0CF2 for <sidrops@ietf.org>; Thu, 3 Feb 2022 08:19:09 -0800 (PST)
Received: by mail-ed1-x529.google.com with SMTP id w14so7049634edd.10 for <sidrops@ietf.org>; Thu, 03 Feb 2022 08:19:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=4eKoAdSQAcPTHZ0yEH5PSkTQhEITZXtj8Aa2MrCUa6Y=; b=aiG5LcQloI6fYYLSiD9m1QKnTRwcwxcIKmRVj41Pdkkc70eyFsDdiVPWvcSNg9dZrP /yHhIh5l02kF9G6fRND9arulzpZHAqMjCIDRaic+Uc8kXtzWdoKNJfI1BIwHCz02D8lN IvDNHusTod9LZc2yxXGtydfuPxJ6F5PAqwK1Q=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=4eKoAdSQAcPTHZ0yEH5PSkTQhEITZXtj8Aa2MrCUa6Y=; b=RIBZ6CyHJ7qNB1N6txW8gxirpLh0EVDTa1wK/jvOOoEOkGldd9v0Z+2T8/iKxGuesL E1mUqsp69ALuRI9T7DR8SaonyLh7OJR41pVQtERNYDEMDcZ53zCK1+z26xjII0QtIU2y sC+JeTuXlEIcme7PF0AtYWDvYuBWeqNCREILV/cv+G5l1ET9VjCoScWbkP89bCEin2Fq q3P0WYCDyfMQMs4XSylCHzda0NhjA+pUcl6KG6KxCtr4Z6xGQXcnROMb3CjELiPZp55G xV8PHlD5cpFal4toSBJaAprKbX0g/Zaa3NRwZKvT4oIW8wl40nJCWdx7V6re2b10rlVg P7kA==
X-Gm-Message-State: AOAM531os0IfIndBUt80idqeUV9uo3siR3vif1o071hETMt5g04bYJ7/ U89enxnG5txb95ENL8jyJ1qd4A==
X-Google-Smtp-Source: ABdhPJxN+xe/FYfEVs8JRHThTnaGr9HKS90MDFJ9yiw8D9SaXfJ/rXaa5nlnBWbLUVzEd7hdFpyknw==
X-Received: by 2002:a05:6402:b8e:: with SMTP id cf14mr35633509edb.196.1643905146506; Thu, 03 Feb 2022 08:19:06 -0800 (PST)
Received: from snel ([2a10:3781:276:2:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id by22sm16950783ejb.5.2022.02.03.08.19.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 03 Feb 2022 08:19:06 -0800 (PST)
Date: Thu, 03 Feb 2022 17:19:04 +0100
From: Job Snijders <job@fastly.com>
To: Francesca Palombini <francesca.palombini@ericsson.com>
Cc: The IESG <iesg@ietf.org>, sidrops-chairs@ietf.org, morrowc@ops-netman.net, sidrops@ietf.org, draft-ietf-sidrops-6486bis@ietf.org
Message-ID: <YfwAeNybmNocW1sj@snel>
References: <164380721377.28554.13713193582509780845@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <164380721377.28554.13713193582509780845@ietfa.amsl.com>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/NzCcNzcN46FD7RgV3D5ULMnEhxs>
Subject: Re: [Sidrops] Francesca Palombini's No Objection on draft-ietf-sidrops-6486bis-09: (with COMMENT)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Feb 2022 16:19:14 -0000
Dear Francesca Palombini, On Wed, Feb 02, 2022 at 05:06:54AM -0800, Francesca Palombini via Datatracker wrote: > # Major > > 1. ----- > > objects from a successful fetch. This implies that the RP MUST not > > FP: This should be "MUST NOT" (rather than "MUST not") You are right, a small oversight on proper capitalisation. I've updated this for -10: https://github.com/job/draft-ietf-sidrops-6486bis/commit/27928105481a16ef097ae69681950135ba23349f > # Minor > > 2. ----- > > FP: as noted by the shepherd, there are some references to fix: > > * RFC 6485 needs to be replaced with RFC 7935 > > The following references need to be removed as they are not used. > > == Unused Reference: 'RFC6482' > == Unused Reference: 'RFC6493' > == Unused Reference: 'RFC8209' > == Unused Reference: 'RFC8488' (this was even last called as downref) The above has been addressed through https://mailarchive.ietf.org/arch/msg/sidrops/EYxcUtZLF7go2UBnOoOXqwn6bRY/ > 3. ----- > > monotonically for each newly-generated Manifest. Each RP MUST > verify that a purported "new" Manifest contains a higher > manifestNumber than previously-validated Manifests. > > FP: This should contain a sentence about what the RP has to do if verification > fails (I expect ignore the "new" Manifest). To resolve this comment I propose to add the following sentence to that paragraph: ADD: If the purported "new" Manifest contains an equal or lower manifestNumber than previously-validated Manifests, the RP SHOULD use locally cached versions of objects, as described in <xref target="sect-6.6"/>. > Same comment for the thisUpdate field: > > Manifest. Each RP MUST verify that this field value is greater > (more recent) than the most recent Manifest it has validated. To resolve this comment I propose to add the following sentence to that paragraph: ADD: If this field in a purported "new" Manifest is smaller (less recent) than previously-validated Manifests, the RP SHOULD use locally cached versions of objects, as described in <xref target="sect-6.6"/>. > And for the text in Section 5.1: > > Note: An RP MUST verify all mandated syntactic constraints, i.e., > constraints imposed on a CA via a "MUST". > > publication point that is described by the manifest. (RPs are > required to verify the CMS signature.) I am not entirely sure what the question or comment is in the above paragraph about section 5.1 - can you elaborate? > 4. ------ > > nextUpdate time. Each manifest encompasses a CRL, and the > nextUpdate field of the manifest SHOULD match that of the CRL's > nextUpdate field, as the manifest will be re-issued when a new CRL > > FP: What are the exception cases where it is expected not to match (i.e. what > is the reason for the SHOULD here)? The RPKI is a globally deployed production system; this means the RPKI operator community to be careful about what it can mandate from RPs versus what it can mandate from CAs. Putting in a stronger mandate was discussed in the working group: For example, I observed some time window alignment issues in the wild. Detailed discussion in this thread https://mailarchive.ietf.org/arch/msg/sidrops/VNG77j05I2JXOwv4qkSy-DCgRNE/ Aligning the Manifests eContent nextUpdate with the Manifest's EE certificate's "Not After" with the associated CRL's "nextUpdate" optimizes operations (it thwarts needless CRL growth); but deviation from this recommendation for alignment does not negatively impact cryptographic robustness. Hence, I believe a softer 'SHOULD' is appropriate. Does my elaboration help? > 5. ----- > > The RP MUST check that the current time (translated to UTC) is > between thisUpdate and nextUpdate. If the current time lies within > > FP: I am not sure the parenthesis needs to be there - this seems like an > unnecessary implementation detail. I believe this implementation detail is useful: in this context the ASN.1 Type "GeneralizedTime" is used, which allows specification of an timezone offset. There are some seemingly thorny complications related to Validity Time windows as described in https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5 Therefor I believe it is useful to remind implementers to normalize towards Zulu. > # Nits > > 6. ----- > > * all published signed objects that are verifiable using EE > > FP: Please expand all acronyms (EE, OID) on first use Thanks! EE already was expanded, but I added capitaliation to improve readability; I added expansion for OID. Did I miss any others? > 7. ----- > > termed a "one-time-use" EE certificate [RFC6487] > > FP: missing period thanks, added. An overview of the changes related to this feedback can be found here: https://github.com/job/draft-ietf-sidrops-6486bis/commit/124c15569a991083cf8b8ca3ac249d98c49d41ef The changeset in patch(1) format is also available below. Kind regards, Job commit 27928105481a16ef097ae69681950135ba23349f Author: Job Snijders <job@sobornost.net> Date: Thu Feb 3 15:22:38 2022 +0000 MUST not -> MUST NOT Feedback from Francesca Palombini https://mailarchive.ietf.org/arch/msg/sidrops/chrDRb2twlBi4zwOw6qG__SBYnk/ diff --git draft-ietf-sidrops-6486bis.xml draft-ietf-sidrops-6486bis.xml index ed7de68..bd07ae4 100644 --- draft-ietf-sidrops-6486bis.xml +++ draft-ietf-sidrops-6486bis.xml @@ -565,7 +565,7 @@ <t> Termination of processing means that the RP SHOULD continue to use cached versions of the objects associated with this CA instance, until such time as they become stale or they can be replaced by objects from a successful fetch. - This implies that the RP MUST not try to acquire and validate subordinate signed objects, e.g., subordinate CA certificates, until the next interval when the RP is scheduled to fetch and process data for this CA instance. + This implies that the RP MUST NOT try to acquire and validate subordinate signed objects, e.g., subordinate CA certificates, until the next interval when the RP is scheduled to fetch and process data for this CA instance. </t> </section> commit 124c15569a991083cf8b8ca3ac249d98c49d41ef Author: Job Snijders <job@sobornost.net> Date: Thu Feb 3 15:38:59 2022 +0000 Add a sentence about what to do when the manifestNumber verification shows a lower or equal manifestNumber compared to previously-validated Manifests Add a sentence about what to do when the manifest validity window is older compared to previously-validated Manifests Expand acronyms Add missing period. Feedback from Francesca Palombini https://mailarchive.ietf.org/arch/msg/sidrops/chrDRb2twlBi4zwOw6qG__SBYnk/ diff --git draft-ietf-sidrops-6486bis.xml draft-ietf-sidrops-6486bis.xml index d8b545c..3a5df83 100644 --- draft-ietf-sidrops-6486bis.xml +++ draft-ietf-sidrops-6486bis.xml @@ -97,7 +97,7 @@ Authority (CA) publication points in repositories (directories containing files that are subordinate certificates and Certificate Revocation Lists (CRLs) issued by this CA and other signed objects - that are verified by end-entity (EE) certificates issued by this CA).</t> + that are verified by End-Entity (EE) certificates issued by this CA).</t> <t> Manifests are modeled on CRLs, as the issues involved in detecting @@ -153,11 +153,11 @@ <section title="Manifest Signing" anchor="sect-3"><t> A CA's manifest is verified using an EE certificate. The SubjectInfoAccess (SIA) field of this EE certificate contains the - access method OID of id-ad-signedObject.</t> + access method Object Identifier (OID) of id-ad-signedObject.</t> <t> The CA MUST sign only one manifest with each generated private key, and MUST generate a new key pair for each new version of the manifest. - This form of use of the associated EE certificate is termed a "one-time-use" EE certificate <xref target="RFC6487"/></t> + This form of use of the associated EE certificate is termed a "one-time-use" EE certificate <xref target="RFC6487"/>.</t> </section> @@ -236,6 +236,7 @@ Conforming manifest issuers MUST NOT use number values longer than 20 octets. The issuer MUST increase the value of this field monotonically for each newly-generated Manifest. Each RP MUST verify that a purported "new" Manifest contains a higher manifestNumber than previously-validated Manifests. + If the purported "new" Manifest contains an equal or lower manifestNumber than previously-validated Manifests, the RP SHOULD use locally cached versions of objects, as described in <xref target="sect-6.6"/>. </t> <t hangText="thisUpdate:"> @@ -244,6 +245,7 @@ This field has the same format constraints as specified in <xref target="RFC5280"/> for the CRL field of the same name. The issuer MUST ensure that the value of this field is more recent than any previously-generated Manifest. Each RP MUST verify that this field value is greater (more recent) than the most recent Manifest it has validated. + If this field in a purported "new" Manifest is smaller (less recent) than previously-validated Manifests, the RP SHOULD use locally cached versions of objects, as described in <xref target="sect-6.6"/>. </t> <t hangText="nextUpdate:"> @@ -617,7 +619,7 @@ <section title="Acknowledgements" anchor="sect-10"><t> The authors would like to acknowledge the contributions from George Michelson and Randy Bush in the preparation of the manifest specification. Additionally, the authors would like to thank Mark Reynolds and Christopher Small for assistance in clarifying manifest validation and RP behavior. - The authors also wish to thank Tim Bruijnzeels, Job Snijders, Oleg Muravskiy, Sean Turner, Adianto Wibisono, and Murray Kucherawy for their helpful review of this document.</t> + The authors also wish to thank Tim Bruijnzeels, Job Snijders, Oleg Muravskiy, Sean Turner, Adianto Wibisono, Murray Kucherawy, and Francesca Palombini for their helpful review of this document.</t> </section> </middle>
- [Sidrops] Francesca Palombini's No Objection on d… Francesca Palombini via Datatracker
- Re: [Sidrops] Francesca Palombini's No Objection … Job Snijders