[Sidrops] Re: Notification for draft-spaghetti-sidrops-rpki-ta-tiebreaker
Martin Hoffmann <martin@nlnetlabs.nl> Tue, 25 June 2024 13:44 UTC
Return-Path: <martin@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC0F6C180B50 for <sidrops@ietfa.amsl.com>; Tue, 25 Jun 2024 06:44:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d7XH04S3OPVg for <sidrops@ietfa.amsl.com>; Tue, 25 Jun 2024 06:44:24 -0700 (PDT)
Received: from mout-b-203.mailbox.org (mout-b-203.mailbox.org [195.10.208.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BE3AC151557 for <sidrops@ietf.org>; Tue, 25 Jun 2024 06:44:23 -0700 (PDT)
Received: from smtp202.mailbox.org (smtp202.mailbox.org [IPv6:2001:67c:2050:b231:465::202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-203.mailbox.org (Postfix) with ESMTPS id 4W7mJy5JhFz9tMH; Tue, 25 Jun 2024 15:44:18 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nlnetlabs.nl; s=MBO0001; t=1719323058; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=dca8e8ePthK9zcZjqm33hWgjFQL8GQdJoIx8I2l5qjw=; b=IpTLZngETnytuNjslkpgeIgVXQM52WhUtV3jw7iHR5riXeG0o8+nXp3l/zYiEinCZ+BKPE HyUyIUKJdkwOS8A13LEBndSsYHqMclTeegHB4nsyDKi8lhjevZJXxb8wYNfJVrqquf8yxk /hKltroIUlMbw6ujbagmUg/Pq+/LFvEho7yc2rEkg775BrqI2MYy1JA3TY+Z3hxzmNH4E3 WLVGVehJljh4flFkN51+ml0NA/UJB+B4IznqJKnEadUOQUfM360gS/XxdD+BCc+Xc+LrsO LAHvCwJGk2qFMvoZq3NErRJf56mAJYwa52elWThKn0sUANRUp00+scNyAIMDBw==
Date: Tue, 25 Jun 2024 15:44:15 +0200
From: Martin Hoffmann <martin@nlnetlabs.nl>
To: Job Snijders <job=40fastly.com@dmarc.ietf.org>
Message-ID: <20240625154415.2479876d@glaurung.nlnetlabs.nl>
In-Reply-To: <Znqkvv29Q2MK11-i@snel>
References: <ZnNtl9d7cnkMtK-1@snel> <86AF7299-8541-4652-A699-33AED2F73A60@ripe.net> <ZnP6RJ_Ek5ThsSnQ@snel> <4032C398-9611-4540-B375-DDB8D1E33726@ripe.net> <Znln3-EDsb48hNWa@snel> <20240625120620.60ac7d31@glaurung.nlnetlabs.nl> <Znqkvv29Q2MK11-i@snel>
Organization: NLnet Labs
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Rspamd-Queue-Id: 4W7mJy5JhFz9tMH
Message-ID-Hash: 3TGIYGEINYZ7VSWDSJXHVXBCW6Q2YMLU
X-Message-ID-Hash: 3TGIYGEINYZ7VSWDSJXHVXBCW6Q2YMLU
X-MailFrom: martin@nlnetlabs.nl
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-sidrops.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Tim Bruijnzeels <tbruijnzeels@ripe.net>, sidrops@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Sidrops] Re: Notification for draft-spaghetti-sidrops-rpki-ta-tiebreaker
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/Q8udJLdfgrIJQnAMR2KGgukzW2I>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Owner: <mailto:sidrops-owner@ietf.org>
List-Post: <mailto:sidrops@ietf.org>
List-Subscribe: <mailto:sidrops-join@ietf.org>
List-Unsubscribe: <mailto:sidrops-leave@ietf.org>
Job Snijders wrote: > > An argument in favor of also looking at notAfter is that it is > possible for CAs to 'freeze' the notBefore at a given point in time, > meaning that in subsequent issuances the same notBefore continues to > appear. I've seen some RPKI CAs (unsure about TAs) exhibit this > behaviour. I figure we can reasonably trust (ha!) TA operators to be careful. > I'd also argue that defining a 'complete' tiebreaker procedure at the > small expense of having a handful of sentences and 4 lines of code* is > worth it to cover for the edge case of TAs issuing with identical > notBefore's. It’s not really complete though, since you still have the case that both notBefore and notAfter are identical. So you still need to define what happens if you have two different certificates with identical times. Worse, if you have identical notBefore dates but differing notAfter dates, you need to make an arbitrary choice which one of the two certificates you choose. There just isn’t a “clearly it’s this one” kind of answer. So having this additional check doesn’t provide extra safety. I want to argue that if there’s no benefit, leave it out. > Another approach is to pick a random URI from the > TAL (be it HTTPS or rsync), because with the proposed protection > mechanism rsync becomes less risky. Picking a random URI from the TAL > has the benefit that if they are hosted on different FQDNs, overall > resilliency increases. I still wouldn’t want to use rsync unless HTTPS doesn’t work -- if only to keep the rsync load on TA operators at a minimum. Whether we should suggest to randomize URIs (of the same type) is a question I’d would like some input from the TA operators from. Given that currently there is always exactly one HTTPS URI and exactly one rsync URI, it’s all a bit academic. If the operators say that they want to keep it that way, I’d rather not have to have randomizing code that isn’t actually ever used. -- Martin
- [Sidrops] Notification for draft-spaghetti-sidrop… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Tim Bruijnzeels
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Tim Bruijnzeels
- [Sidrops] Re: Notification for draft-spaghetti-si… Russ Housley
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Russ Housley
- [Sidrops] Re: Notification for draft-spaghetti-si… Tim Bruijnzeels
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Dale W. Carder
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Martin Hoffmann
- [Sidrops] Re: Notification for draft-spaghetti-si… Ties de Kock
- [Sidrops] Re: Notification for draft-spaghetti-si… Martin Hoffmann
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Martin Hoffmann
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Ties de Kock