Re: [Sidrops] [Technical Errata Reported] RFC9286 (7243)
Ties de Kock <tdekock@ripe.net> Fri, 11 November 2022 11:07 UTC
Return-Path: <tdekock@ripe.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E280C1522C6 for <sidrops@ietfa.amsl.com>; Fri, 11 Nov 2022 03:07:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ripe.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WKfdmWI6p3PF for <sidrops@ietfa.amsl.com>; Fri, 11 Nov 2022 03:07:54 -0800 (PST)
Received: from mahimahi.ripe.net (mahimahi.ripe.net [IPv6:2001:67c:2e8:11::c100:1372]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBCADC14F738 for <sidrops@ietf.org>; Fri, 11 Nov 2022 03:07:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ripe.net; s=s1-ripe-net; h=To:Message-Id:Cc:Date:From:Subject:Mime-Version:Content-Type ; bh=zq8bvkpxEWyitdpQxJB8Z/bRWZ34VjhNEZfikHn0Azo=; b=jHF5FHVvZnDK0DKwVnAvjhkq k+JMYZ82YrL1v5GBleAcq7hUPhicXxUIxqvAbRw9xM0Qh2fn16S//vR1AXWzG/qpOP4ziQdbOTSLc awP9T2FpOoeF9nzfWKdOt1UFlTdZ7M4ayDzVhRmvw+ck+PlsdjWiRjq5viYa0vIzK979R+JREq+sQ wqG42EWhq9BG8HNhdN6908zD959j6YNnIWBwAMrHL+nzLNzeiGZzrqnBMQTGNDhHlhg+TwZ7E4jgD JlZTP6ymRCZsMN6lDlRcfdQmihMK1P5mDQgF/7swor0BFJC70NznOHeLBi5XUErTe2mj6LLxxL7yP /2bDneTiWw==;
Received: from allealle.ripe.net ([2001:67c:2e8:23::c100:170c]:50054) by mahimahi.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <tdekock@ripe.net>) id 1otRsx-0004HN-2h; Fri, 11 Nov 2022 12:07:47 +0100
Received: from sslvpn.ipv6.ripe.net ([2001:67c:2e8:9::c100:14e6] helo=smtpclient.apple) by allealle.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <tdekock@ripe.net>) id 1otRsx-0001c5-2D; Fri, 11 Nov 2022 11:07:47 +0000
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.200.110.1.12\))
From: Ties de Kock <tdekock@ripe.net>
In-Reply-To: <30A2528B-F435-49F4-9A7C-A7B15E07D558@apnic.net>
Date: Fri, 11 Nov 2022 11:07:37 +0000
Cc: RFC Errata System <rfc-editor@rfc-editor.org>, "sra@hactrn.net" <sra@hactrn.net>, "kent@alum.mit.edu" <kent@alum.mit.edu>, "mlepinski@ncf.edu" <mlepinski@ncf.edu>, Warren Kumari <warren@kumari.net>, "Rob Wilton (rwilton)" <rwilton@cisco.com>, Keyur Patel <keyur@arrcus.com>, "morrowc@ops-netman.net" <morrowc@ops-netman.net>, "sidrops@ietf.org" <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8C293529-2DBE-4348-B64E-34D34567E3C5@ripe.net>
References: <20221107163523.04502C8AF4@rfcpa.amsl.com> <Y2o+HsUxcJnMX1gh@snel> <30A2528B-F435-49F4-9A7C-A7B15E07D558@apnic.net>
To: Geoff Huston <gih@apnic.net>
X-Mailer: Apple Mail (2.3731.200.110.1.12)
X-RIPE-Signature: 059faafd1cc22ebb05e1592c815fe1e195e20b8da8dc93470b9398fb49dd83f9
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/Pq3B0rB25wtBLc8iTrF2vQr-CVw>
X-Mailman-Approved-At: Fri, 11 Nov 2022 11:05:03 -0800
Subject: Re: [Sidrops] [Technical Errata Reported] RFC9286 (7243)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Nov 2022 11:07:59 -0000
> On 9 Nov 2022, at 18:06, Geoff Huston <gih@apnic.net> wrote: > > Rejected from me. > > >>> First of all: The previous text was not explicit that thisUpdate MUST contain the current time. > > > ? "thisUpdate: This field contains the time when the manifest was created." > > > I believe that this text an explicit statement to that effect, and does not contain an error. I agree that the original text was clear, however, I would still incorporate it into the normative language. > > >>> >>> Second, in practice (e.g. multiple calls to a synchronous API) multiple manifests can be issued with the same thisUpdate. Under the previous text this would technically be misissuance. The propose text allows multiple manifests to be issued in the same second. > > > Yes, multiple manifests issued at the same time will be rejected, according to the text in RFC 9286 and its predecessor RFC6486. Could you please point me to the section of rfc6486 specifying this? I have trouble finding it. > imho the proposed text does NOT correct an error in the original document. This proposed text proposes a different behaviour from the original text. This is therefore not an errata per se, but a proposed revision to the protocol’s described behaviour. Thanks for your input. Kind regards, Ties > > > Geoff > > > > > > > >> On 8 Nov 2022, at 11:31 am, Job Snijders <job@fastly.com> wrote: >> >> Dear all, >> >> I would recommend this errata be marked Verified. >> >> When the specification was authored, I don't think it occurred to anyone >> that subscribers might end up hammering the APIs of CA implementations >> prompting issuers to issue more the frequently than once per second. >> >> Although it seems somewhat unlikely for Relying Parties to see multiple >> manifests issued within the same second (subsequent updates to the same >> location probably coalesce); however, if an RP is faced with multiple >> valid manifests with identical validity windows, the monotonically >> increasing manifestNumber remains the strong tie-breaker. >> >> The Errata's suggestion to substitute 'MUST be more recent' with "MUST >> be current time" combined with "must be equal or more recent" to me >> seems to be in spirit with the objective of adhering to a linear forward >> progression of time when issuing products. >> >> Kind regards, >> >> Job >> >> On Mon, Nov 07, 2022 at 08:35:22AM -0800, RFC Errata System wrote: >>> The following errata report has been submitted for RFC9286, >>> "Manifests for the Resource Public Key Infrastructure (RPKI)". >>> >>> -------------------------------------- >>> You may review the report below and at: >>> https://www.rfc-editor.org/errata/eid7243 >>> >>> -------------------------------------- >>> Type: Technical >>> Reported by: Ties de Kock <tdekock@ripe.net> >>> >>> Section: 4.2.1. Manifest >>> >>> Original Text >>> ------------- >>> thisUpdate: >>> This field contains the time when the manifest was created. This >>> field has the same format constraints as specified in [RFC5280] >>> for the CRL field of the same name. The issuer MUST ensure that >>> the value of this field is more recent than any previously >>> generated manifest. Each RP MUST verify that this field value is >>> greater (more recent) than the most recent manifest it has >>> validated. If this field in a purported "new" manifest is smaller >>> (less recent) than previously validated manifests, the RP SHOULD >>> use locally cached versions of objects, as described in >>> Section 6.6. >>> >>> Corrected Text >>> -------------- >>> thisUpdate: >>> This field contains the time when the manifest was created. This >>> field has the same format constraints as specified in [RFC5280] >>> for the CRL field of the same name. The issuer MUST ensure that >>> the value of this field is equal to the current time and higher or >>> equal to the thisUpdate of any previously generated manifest. Each >>> RP MUST verify that this field value is greater or equal to (as, >>> or more recent) than the most recent manifest it has validated. >>> Suppose this field in a purported "new" manifest is smaller (less >>> recent) than previously validated manifests. In that case, the RP >>> SHOULD use locally cached versions of objects, as described in >>> Section 6.6. >>> >>> >>> >>> Notes >>> ----- >>> First of all: The previous text was not explicit that thisUpdate MUST contain the current time. >>> >>> Second, in practice (e.g. multiple calls to a synchronous API) multiple manifests can be issued with the same thisUpdate. Under the previous text this would technically be misissuance. The propose text allows multiple manifests to be issued in the same second. >>> >>> Instructions: >>> ------------- >>> This erratum is currently posted as "Reported". If necessary, please >>> use "Reply All" to discuss whether it should be verified or >>> rejected. When a decision is reached, the verifying party >>> can log in to change the status and edit the report, if necessary. >>> >>> -------------------------------------- >>> RFC9286 (draft-ietf-sidrops-6486bis-11) >>> -------------------------------------- >>> Title : Manifests for the Resource Public Key Infrastructure (RPKI) >>> Publication Date : June 2022 >>> Author(s) : R. Austein, G. Huston, S. Kent, M. Lepinski >>> Category : PROPOSED STANDARD >>> Source : SIDR Operations >>> Area : Operations and Management >>> Stream : IETF >>> Verifying Party : IESG >>> >>> _______________________________________________ >>> Sidrops mailing list >>> Sidrops@ietf.org >>> https://www.ietf.org/mailman/listinfo/sidrops > > _______________________________________________ > Sidrops mailing list > Sidrops@ietf.org > https://www.ietf.org/mailman/listinfo/sidrops
- [Sidrops] [Technical Errata Reported] RFC9286 (72… RFC Errata System
- Re: [Sidrops] [Technical Errata Reported] RFC9286… Job Snijders
- Re: [Sidrops] [Technical Errata Reported] RFC9286… Geoff Huston
- Re: [Sidrops] [Technical Errata Reported] RFC9286… Stephen Kent
- Re: [Sidrops] [Technical Errata Reported] RFC9286… Ties de Kock