[Sidrops] Re: Notification for draft-spaghetti-sidrops-rpki-ta-tiebreaker
Job Snijders <job@fastly.com> Tue, 25 June 2024 05:55 UTC
Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B245C14F6A0 for <sidrops@ietfa.amsl.com>; Mon, 24 Jun 2024 22:55:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s3NoPqmlW35u for <sidrops@ietfa.amsl.com>; Mon, 24 Jun 2024 22:55:36 -0700 (PDT)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86C99C14F602 for <sidrops@ietf.org>; Mon, 24 Jun 2024 22:55:35 -0700 (PDT)
Received: by mail-ed1-x52e.google.com with SMTP id 4fb4d7f45d1cf-57d203d4682so6100434a12.0 for <sidrops@ietf.org>; Mon, 24 Jun 2024 22:55:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; t=1719294933; x=1719899733; darn=ietf.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=Ief1YTlCIVD0YJpxhejMCo8zM0+a+mjrqGn1Pev7zyA=; b=jmbu4vUV4qFKeMNSZgnWh0iH9hvzjATCgc8pIxK2IP4Ao+anoUXYIOtZnI4SQntxlM SojkxANeP7nIukB6CjLF230MF0tIQWm9pQHOYCdr+FMkhGADoQnVmmXwxefg5PR7iuaS JXw+CqNuP9n5gHki+Swi+6R/pef2ogB3ReIyA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719294933; x=1719899733; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=Ief1YTlCIVD0YJpxhejMCo8zM0+a+mjrqGn1Pev7zyA=; b=gnoO/RZH6+SeEIXQv9wFkXICEuDCs8afPm60cYiORxNZ6zKBdk/PfxzJrt6+7Zxook rvenyFZpZrS/TE68n3/ZV8bXk1yYN39rEjzrj6kPP42hyVTfYJCq2uUXR5BVDtrLG+uK fAAso+IFer5HcYNivF3KNXqcqF2VK9Um5RbDKVxNwj2vn/mOSY5iyBDDIbCbodZfkp0H TyowlM9o6QamQVUWkgW6clvSsJCqzjiRAyjj4TEcQeFzO7cezODxGKTLDkoIYPl/f8Yu CCF0UjfsAyRrRjlQd/+Cf/e1uc7gEhb9HlFMCYDOS8h7AX7tJ3svVjWHpvAVnk+a41bt YSlQ==
X-Forwarded-Encrypted: i=1; AJvYcCWW93xZZyC7JivWsAbJCIWT8EEp+HMZhcMXwvdNceN8bThwjoafIZE2+a7kyJxfaqUyfyK3zbZTsiRBvtiF19rI
X-Gm-Message-State: AOJu0Yw37CS8JGAYe2w18KRH9SHYHBsWunogBO/0WbLlxQ5TDIHSqEe3 TPkaXskiOjqoKEsOO7UHID6sYGYFXb75tD1TTTo8lSN+ZEbgZgt1Zd5B3LIe3VA=
X-Google-Smtp-Source: AGHT+IFm14bfLnU50TmckpnKa4ovh1rbkNE/hm70AnzG5CkfqHgVq/9lDYfgVtBTdSJy/W1E2jDrpg==
X-Received: by 2002:a50:f61d:0:b0:57d:5c0:9dc0 with SMTP id 4fb4d7f45d1cf-57d7007f509mr1144979a12.38.1719294933330; Mon, 24 Jun 2024 22:55:33 -0700 (PDT)
Received: from snel ([2a10:3781:276:0:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id 4fb4d7f45d1cf-57d3042fd72sm5584086a12.48.2024.06.24.22.55.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 24 Jun 2024 22:55:32 -0700 (PDT)
Date: Tue, 25 Jun 2024 07:55:30 +0200
From: Job Snijders <job@fastly.com>
To: "Dale W. Carder" <dwcarder@es.net>
Message-ID: <Znpb0hosKXPdx4H0@snel>
References: <ZnNtl9d7cnkMtK-1@snel> <86AF7299-8541-4652-A699-33AED2F73A60@ripe.net> <ZnP6RJ_Ek5ThsSnQ@snel> <4032C398-9611-4540-B375-DDB8D1E33726@ripe.net> <Znln3-EDsb48hNWa@snel> <ZnmnuCooWOpkY4XC@dwc-laptop.local>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <ZnmnuCooWOpkY4XC@dwc-laptop.local>
X-Clacks-Overhead: GNU Terry Pratchett
Message-ID-Hash: XTLGLVFYOWGAEXKA7RRVTGP3KTKHFEO4
X-Message-ID-Hash: XTLGLVFYOWGAEXKA7RRVTGP3KTKHFEO4
X-MailFrom: job@fastly.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-sidrops.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Tim Bruijnzeels <tbruijnzeels@ripe.net>, sidrops@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Sidrops] Re: Notification for draft-spaghetti-sidrops-rpki-ta-tiebreaker
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/O6_J-etfdCCmLmfYQ0Hy9cSOxpI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Owner: <mailto:sidrops-owner@ietf.org>
List-Post: <mailto:sidrops@ietf.org>
List-Subscribe: <mailto:sidrops-join@ietf.org>
List-Unsubscribe: <mailto:sidrops-leave@ietf.org>
Dear Dale, On Mon, Jun 24, 2024 at 12:07:04PM -0500, Dale W. Carder wrote: > Thus spake Job Snijders (job=40fastly.com@dmarc.ietf.org) on Mon, Jun 24, 2024 at 02:34:39PM +0200: > > Tim and I had a meeting and talked this draft over, Tim suggested to > > remove the notion of 'local policy' (as this introduces ambiguity). > > Instead: if the validity period is considered equal, and the > > signature is good, use the newly-retrieved cert (if it differs from > > the locally cached copy). > > > > I incorporated this feedback in my edit buffer: > > https://github.com/job/draft-sidrops-rpki-ta-tiebreaker/commit/957080b9c279494564dd06e7bcaf714d7acb4c06 > > As I read through -00, would it make sense for an implementation to > apply the tiebreaking only after other (local) validity checks pass? > If one TA object passes and the other fails, it would seem you don't > have a tie to break? In the abstract you might be right, but the issue is that we (me, Tim, others) have no idea what 'other local validity checks' practically speaking means. I'm not aware of any Relying Party implementation that "Perform other checks" in the manner that RFC 8630 describes. If one TA object fails (for example, the newly retrieved object has an incorrect signature), then indeed there is no tie to break and the RP should use the previously fetched locally cached copy. > As tiebreaker-00 updates rfc8630 section 3, does there need to be > adjustment to the 8630 text beyond those numbered list items? Does > the tiebreaking also apply in the case of multiple TA's in the TAL, > (would you want to grab them all and do the above logic) or is this > case different? If a TAL contains multiple URIs, all those URIs are supposed point to the same TA certificate object. RFC 8630 states "Where the TAL contains two or more TA URIs, the same self-signed CA certificate MUST be found at each referenced location." While it is technically trivial for RPs to fetch all URIs and confirm the fetched objects indeed are the same, and then run a process to select a candidate from the newly retrieved and locally cached copy, it would also double the network traffic for this operation. So far RP implementers have interpreted the presence of multiple URIs in a TAL to be for redundancy: if the HTTPS fetch fails, try rsync. I've not yet spotted more things in 8630 to update, but it is a fair question whether to do an 'update'-draft or a '-bis'-draft. I view as advantage of draft-ta-tiebreaker that it is a local-only improvement, doesn't change the TAL format/concept, and in that sense backwards compatible. Can you think of anything else you'd like to change in RFC 8630? Kind regards, Job
- [Sidrops] Notification for draft-spaghetti-sidrop… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Tim Bruijnzeels
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Tim Bruijnzeels
- [Sidrops] Re: Notification for draft-spaghetti-si… Russ Housley
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Russ Housley
- [Sidrops] Re: Notification for draft-spaghetti-si… Tim Bruijnzeels
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Dale W. Carder
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Martin Hoffmann
- [Sidrops] Re: Notification for draft-spaghetti-si… Ties de Kock
- [Sidrops] Re: Notification for draft-spaghetti-si… Martin Hoffmann
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Martin Hoffmann
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Ties de Kock