[Sidrops] proposed, revised text for Section 6

Stephen Kent <stkent@verizon.net> Mon, 04 May 2020 20:09 UTC

Return-Path: <stkent@verizon.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 3A4903A0FD3 for <sidrops@ietfa.amsl.com>; Mon, 4 May 2020 13:09:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verizon.net
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id nx1lCdVCADaw for <sidrops@ietfa.amsl.com>; Mon, 4 May 2020 13:09:46 -0700 (PDT)
Received: from sonic316-12.consmr.mail.bf2.yahoo.com (sonic316-12.consmr.mail.bf2.yahoo.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B5043A0FDC for <sidrops@ietf.org>; Mon, 4 May 2020 13:08:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verizon.net; s=a2048; t=1588622929; bh=L+G5Uasg94MjYj0+SauPPQtdGZf15NLG2xVOWr25NhU=; h=To:From:Subject:Date:References:From:Subject; b=BHkyNvYP4sbGfjTUpilDKSNSpfbxQuP+c6l8KOSBRegeNudpXghV5zYetHwrII7gSXSgKFcG7Ssa+bk4Sm0RUc3qZCQm5DWE+I5ZXC83MNP0uE9sLBzgFNJ8RV6G8q+7DwzZBVfJj+Ba1eIT1/XEAsS6X4rzlgUGQXfL+BiA+pajBSNCiSF50YcDnEeHV2iZRzZ22BTp5fBIqmIlQRd5nkxC+pwvNtDakhVCPcQ5R2igHNppIDvXtTUOZ/r2V31+F8mtujXjroDbjK3MWVYhSt7y0x9e8yEgo71Jx0G6V76WMF0Qm7dN480XfE+mw9f5OpRKD+NlZYWDHU87iP8fuQ==
X-YMail-OSG: 8w3gElYVM1kGUvD3vOOHMgvs4nh79aoXUwPkwqcQdZVH1TXQOPxLj3bQWSAvhIj IQPHPJfmWzeN9UyO6yExI4DEENPw1ncDVhXgTDXAthDz9Z6XKc3K2jfRQktTAbhnf0e40ZEUgKg. nIkOVFh59mgGhJf5iZkQlMwM0nEHKWCJ4_Xo2XJrTLPb2FglxkICK4hrr5fbzWanK2ttwIDDmLOy fyqabh1M4XN_UXzL16eeTICVyoJBZjz1b2Mm75C6E2ZYuUA8oPb4ENvCR7bQL4ay6onViU8gPcPV D0esEMWNpXpcAOcX5KTlSyPBIk5Krhxh_mhk71GBPsBUU0H0rTb6xGBLgR48x.TAOnm3uv7niP9t 6hKiOj2Mi1wmnF_OxTCl_d0mytACnWosVca_ZlL.XgR0OdTf_HXI_QENP3z71fuamsptegbVPWwD GfCZukqk6UTEGfol3OGFs6byTyuTYSO35k9XhNhAzZ2l3X1YKdIKTd3rwEJ9HAmiB1nim.7vYZ4r tF.pRXOrbciodWGdMDUq1wGIjjtvRzF6TxOfpuxk7Zx8RIYAcp46teG1F20JBo.kv21Sw2vNQwlz g6fJn.pMCsJbK_0VtsXjmPbLRkf2PBRHa8Ynw0Td1Bzb4ZYK_0dDK0.5m4ZPjyYRrr_R0WsOli8_ qsoJrQkdj1NHAQX_cXMXgs2wAT6uGaV71vF0GwYUdoGFbrcvQ1KZ_hef0Jqolgapvm6jDboPLC8J KdVOaoLzq.hiEjlYnIp.sMb8o.4hlA3wsKdOO204pf2JFTC6_ijqvCXA1v_SAxUmqaSfLLh2Lvm7 rnItnHg1c5E96Gx7AsFf1RQ1iC4440XynQ61_cJlsAocblUd4a.8kc6W7iDllc0VKDOB1CjJRKVb Zy4MECTAkCcIS0xe148bBFzG84pwdEicYAA2atd4tR5xKsecw9JzUBc95q1CVOIBQ3nZMfdI8SqB nLGfGvzfE_PgYBIsTvIy99hTQeaf4jUmnUgmzWB2btT_dqhhDes825QBA14x0_1wKMvWpkiThhpa QVP7NMWSnQuM9o9XWIyS9LIwDue_OcSUlUqoihpqvgLt3FZMr6UrMDHL9Gp2Q.gmlZ3MTnGldYb. Z4sVR_o8smjlqwKHCIzQQHVEChDV6Mfm7J0VyYHWtY_rVBE8n6BfOiN3F5f5gdchUrI7OBFtYJL4 zFh2OnA2x3NhLI8WIcSuJSBywqTy43vdm58KkcZIJifw8t_d3.ceqP00sCgssq86MMcfJTbRV8fB ACNLqn2Sdigo229fyDWurpePmmx2LSTH7L5UtM8knP2sEK_TJB9pl0d9Mvn.tYZ4AZFH9bKjpTdF vXbf0cfkRJZ6zTMdOE9U9EvBBrb7HamVvKF7Gb7pyS87B.OdFBlRvq64IGHExML3Klpp6S3a41SH W0LkIi.55uD6tV4MBLNkfPbDljE805mqcTts5ZdxlaBCKW2odE6P6nGwv0XE-
Received: from sonic.gate.mail.ne1.yahoo.com by sonic316.consmr.mail.bf2.yahoo.com with HTTP; Mon, 4 May 2020 20:08:49 +0000
Received: by smtp402.mail.bf1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID 206a63d32eeede4cfd229ae50b27af5d; Mon, 04 May 2020 20:08:44 +0000 (UTC)
To: "sidrops@ietf.org" <sidrops@ietf.org>
From: Stephen Kent <stkent@verizon.net>
Message-ID: <557f0928-c7b1-4b8d-b3b6-078733f7ef8a@verizon.net>
Date: Mon, 04 May 2020 16:08:43 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Thunderbird/68.7.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------9F93DCCA5CD5453651086D8A"
Content-Language: en-US
References: <557f0928-c7b1-4b8d-b3b6-078733f7ef8a.ref@verizon.net>
X-Mailer: WebService/1.1.15756 hermes Apache-HttpAsyncClient/4.1.4 (Java/11.0.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/Qy7YAVOUYrDVZxUPFPNZfekoJKI>
Subject: [Sidrops] proposed, revised text for Section 6
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 May 2020 20:09:50 -0000

To get the discussion going, I generated the following text for Section 
6. I deleted anything that was not definitive (e.g., deferred to local 
policy) and removed the warning message suggested text (I assume RP 
software developers can write their own messages, but we can add this 
back if folks feel it's useful.

I also added a paragraph about the manifest/CRL circular relationship.

In all cases I adopted the approach George suggested, i.e., if there's 
an error indicating that one or more signed objects may be missing (or 
not current), ignore ALL data associated with the CA instance at the pub 
point and DO NOT rely on cached data.

Comments welcome, as usual.

All new text is in red.



6.1. Determining Manifest State & Object Acceptance

For a given publication point, and given CA instance, an RP MUST perform

the following tests to determine the manifest state of the publication

point. (Note that, during CA key rollover [RFC6489], signed objects for

two or more different CA instances will appear at the same publication

point. The tests described below are to be performed for a specified CA

instance, i.e., a the manifest’s EE certificate was issued by that CA.)

1. Select the CA's current manifest (the "current" manifest is the

manifest issued by this CA having the highest manifestNumber among

all valid manifests (as defined in Section 4.4).

If the publication point does not contain a valid manifest, proceed

as described in Section 6.2. (Lacking a valid manifest, the following

tests cannot be performed.)

2. Check that the current time (translated to UTC) is between

thisUpdate and nextUpdate.

If the current time does not lie within this interval,proceed

as described in Section 6.4.

3. Acquire all objects at the publication point associated with this

CA instance, i.e., the CRL and each object containing an EE

certificate issued by the CA. If there are files listed in a manifest

that do not appear at the publication point, then proceed as

described Section 6.5.

4. Verify that the listed hash value of every file listed in the

manifest matches the value obtained by hashing the file at the

publication point.

If the computed hash value of a file listed on the manifest does

not match the hash value contained in the manifest, then proceed

as described in Section 6.6.

5. If a current manifest contains entries for objects that are not

within the scope of the manifest, then the out-of-scope entries

MUST be disregarded in the context of this manifest.If there

is no other current manifest that describes these objects within

that other manifest's scope, then see Section 6.2.

Note that there is a “chicken and egg” relationship between the

manifest and the CRL for a given CA instance. If the EE certificate

for the manifest is revoked, the CA or publication point manager has

made an error. In this case all signed objects associated with the CA

instance MUST be ignored. Similarly, if the CRL for the CA instance

is not listed on a valid, current manifest, all signed objects

associated with the CA instance MUST be ignored, because the CRL is


6.2.Missing Manifests

The absence of a current manifest at a publication point could occur

due to an error by the publisher or due to (malicious or accidental)

deletion or corruption of all valid manifests.

When no valid manifest is available, there is no protection against

attacks that delete signed objects or replay old versions of signed

objects. To guard against the adverse impact of processing an

incomplete set of signed objects, an RP MUST treat all signed objects

associated with the missing manifest as invalid. (These objects are

all issued by the same instance of a CA.) RP software MUST issue a

warning when there is no current manifest for a CA instance.

An RP may have access to a local cache containing a previously

issued manifest that is still valid. It is RECOMMENDED that the RP

not make use of this data, to ensure consistent a consistent outcome

in when a manifest is missing.

6.3.Invalid Manifests

The presence of an invalid manifest at a publication point could

occur due to an error by the publisher or due to (malicious or

accidental) corruption of a valid manifest.An invalid manifest MUST

never be used, even if the manifestNumber of the invalid manifest is

greater than that of other (valid) manifests.

If there is no valid, current manifest available at the publication

point for the CA instance, an RP MUST treat the signed objects at the

publication point as indicated above in Section 6.2. A warning MUST

be issued when an invalid manifest is encountered.

6.4.Stale Manifests

A manifest is considered stale if the current time is after the

nextUpdate time for the manifest.This could be due to publisher

failure to promptly publish a new manifest, or due to (malicious or

accidental) corruption or suppression of a more recent manifest.

All signed objects at the publication point issued by the entity that

has published the stale manifest, and all descendant signed objects

that are validated using a certificate issued by the entity that has

published the stale manifest at this publication point, MUST be

treated at invalid and a warning MUST be issued.

The primary risk in using such signed objects is that a newer

manifest exists that, if present, would indicate that certain objects

have been removed or replaced.(For example, the new manifest might

show the existence of a newer CRL and the removal of one or more

revoked certificates).Thus, the use of objects from a stale

manifest may cause an RP to incorrectly treat invalid objects as

valid.The risk is that the CRL covered by the stale manifest has

been superseded, and thus an RP will improperly treat a revoked

certificate as valid.

6.5.Mismatch between Manifest and Publication Point

If there exist valid signed objects associated with a CA instance and

they do not appear in any current, valid manifest for this CA instance,

these objects MUST be ignored by an RP, and a warning MUST be issued.

If there are files listed on the manifest that do not appear in

the repository, then these objects have been improperly deleted from

repository (via malice or accident).A primary purpose of manifests is

to detect such deletions.Therefore, in this case, an RP MUST ignore

all signed objects associated with this CA instance.

6.6.Hash Values Not Matching Manifests

A file appearing on a manifest with an incorrect hash value could

occur because of publisher error, but it also may indicate that an

attack has occurred, e.g., one in which an older version of an object

has been substituted for a newer version of the object. In this case

an RP cannot know the content of the missing object, and thus all

signed objects associated with this instance of the CA MUST be ignored

by the RP, and a warning MUST be issued.