[Sidrops] Re: Paul Wouters' No Objection on draft-ietf-sidrops-signed-tal-15: (with COMMENT)

Tom Harrison <tomh@apnic.net> Thu, 16 May 2024 01:13 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/O6RE9zVaBOmZYTTIz1SlWfdZs3Q>

Hi Paul (and Job),

Thanks for your review.

On Wed, May 15, 2024 at 08:26:21PM +0200, Job Snijders wrote:
> Thanks for the review and your question. Jumping in as working group
> participant.
> 
> On Wed, 15 May 2024 at 20:01, Paul Wouters via Datatracker <noreply@ietf.org> wrote:
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>> 
>> I am not an RPKI expert, so this might be a dumb question. If Key A
>> generates its CA, and then lets its CA expire, or the expiration
>> time is smaller than the acceptance window, is there a way to
>> recover from this? The rules seem to say a new Key B cannot be
>> created because it wouldn't be accepted?
> 
> The relying parties have a local copy of the Trust Anchor’s public
> key (this is called the Trust Anchor Locator). The TAL does not
> contain expiration information, it only contains a URL where to
> download the Trust Anchor certificate and the public key to verify
> the certificate.
> 
> If the Trust Anchor’s self-signed certificate expires, or the TAK’s
> EE certificate expires, the TA operator can simply issue a new TA
> certificate or new TAK that’s not expired.
> 
> If expiration happens during the acceptance window, the whole
> process needs to start anew, a new TAK for B would need to be
> issued.
> 
> Does this help clarify?

In addition to the above, there is guidance in the 'Acceptance Timers'
section
(https://www.ietf.org/archive/id/draft-ietf-sidrops-signed-tal-15.html#name-acceptance-timers)
that is relevant to this scenario (though that section is in terms of
removal of a successor key from a TAK object, rather than expiry of
the TAK object).  The TA should change the URLs for the successor
public key when the new TAK object is issued, so as to increase the
chance of RPs switching over at about the same time.  (If the URLs
aren't changed, and an RP does not attempt to validate during the time
when the TAK object or TA certificate is expired, then when the TAK
object or TA certificate is renewed, that RP's acceptance timer won't
be affected.  Changing the URLs will cause the acceptance timer to
reset.)

-Tom
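To make the acceptance-timer behaviour in the thread concrete, here is an added simulation (not code from the draft, APNIC or any RP implementation) of a relying party tracking a successor key across a TAK expiry. It assumes a 30-day acceptance window, constructed key and URL values, and that a validation run during the expiry is treated the same as the successor being removed; the reset on changed URLs follows Tom's note above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Illustrative window; the draft's real value is not taken from this thread.
ACCEPTANCE_WINDOW = timedelta(days=30)

@dataclass(frozen=True)
class SuccessorKey:
    spki: bytes                  # successor public key (constructed sample)
    cert_urls: Tuple[str, ...]   # URLs of the successor's TA certificate

@dataclass
class RPState:
    current_spki: bytes
    tracked: Optional[SuccessorKey] = None
    timer_start: Optional[datetime] = None

def observe_tak(state: RPState, successor: Optional[SuccessorKey], now: datetime) -> str:
    """One RP validation run. `successor` is the successor key from a valid TAK,
    or None when no valid TAK exists (e.g. expired) or it lists no successor."""
    if successor is None:                     # successor removed / TAK invalid (assumed)
        state.tracked, state.timer_start = None, None
        return "no-successor"
    if successor != state.tracked:            # new key, or same key with changed URLs
        state.tracked, state.timer_start = successor, now
        return "timer-reset"
    if now - state.timer_start >= ACCEPTANCE_WINDOW:
        state.current_spki = successor.spki   # RP switches to key B
        state.tracked, state.timer_start = None, None
        return "accepted"
    return "waiting"

def simulate(poll_days, outage=(10, 12), change_urls=False) -> Optional[int]:
    """Day on which an RP validating on `poll_days` accepts key B. The TAK naming
    B is published on day 0, expired on days outage[0]..outage[1] inclusive, and
    re-issued afterwards, with new URLs for B when change_urls is True."""
    t0 = datetime(2024, 5, 16)
    b_old = SuccessorKey(b"key-B", ("rsync://ta.example/b.cer",))        # constructed
    b_new = SuccessorKey(b"key-B", ("rsync://ta.example/b-v2.cer",)) if change_urls else b_old
    state = RPState(current_spki=b"key-A")
    for day in poll_days:
        if outage[0] <= day <= outage[1]:
            seen = None                       # this RP validates while the TAK is expired
        else:
            seen = b_new if day > outage[1] else b_old
        if observe_tak(state, seen, t0 + timedelta(days=day)) == "accepted":
            return day
    return None

DAILY = list(range(60))                                  # validates every day
SKIPPED_OUTAGE = [d for d in DAILY if not 10 <= d <= 12] # never validates during expiry
```

With unchanged URLs the two RPs accept B on different days (43 vs 30); re-issuing with new URLs resets both timers so they switch together.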