Re: [Sidrops] 6486bis: Failed Fetches

Martin Hoffmann <> Tue, 18 August 2020 06:37 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 315DB3A17B7 for <>; Mon, 17 Aug 2020 23:37:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ToaE--oLs6jT for <>; Mon, 17 Aug 2020 23:37:02 -0700 (PDT)
Received: from ( [IPv6:2a04:b900::1:0:0:10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6A2DF3A17B6 for <>; Mon, 17 Aug 2020 23:37:01 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTPSA id 8E2ED2E489; Tue, 18 Aug 2020 08:36:59 +0200 (CEST)
Authentication-Results:; dmarc=none (p=none dis=none)
Authentication-Results:; spf=none
Date: Tue, 18 Aug 2020 08:36:59 +0200
From: Martin Hoffmann <>
To: Stephen Kent <>
Message-ID: <>
In-Reply-To: <>
References: <> <>
Organization: Open Netlabs
X-Mailer: Claws Mail 3.17.3 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [Sidrops] 6486bis: Failed Fetches
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 18 Aug 2020 06:37:04 -0000

Stephen Kent wrote:
> Are you positing the case where the cache contains an expired ROA for
> a CA instance, and a fetch that would have replaced the expired ROA
> fails?

No, I am talking about a case where the ROA can be fetched successfully
and matches the manifest hash, but its EE certificate is expired.
Section 6.4 says that "if [files] fail the validity tests specified in
[RFC6488]", the fetch has failed. Thus, the expired EE certificate in
the ROA fails the complete fetch of all objects associated with the CA.

So, not replacing an expired ROA in a publication point makes the
entire CA not update anymore. I.e., any other objects that now expire
cannot be replaced until that ROA is also replaced.

You could argue “Don’t do that, then” but this approach doesn’t make
the RPKI more robust but rather makes it break more easily on simple

> > This rule also blocks skipping objects of types I don’t know or care
> > about. I will have to at least do signed object validation on them,
> > which means reading and parsing them and then do signature
> > validation. If that is intended, I think this should be called out
> > explicitly in the document.  
> If a manifest points to objects that are not CRLs, certs, ROAs, etc., 
> then it is in error.

How do you introduce new object types in this case? There will always
be relying parties that run old software that doesn’t know of them. You
rather have to assume that objects of unknown types are signed objects
with unknown content. If you do that, the current draft stipulates that
you have to read, parse, and validate them -- and then throw away the

This still means that all object types added to the RPKI must be signed
objects. Whether that is okay or not, I don’t quite know.

> But, your question seems to be what processing
> has to be performed on the files contained in an apparently valid
> manifest, right? Section 6.4 and RFC 6488 defines the tests to be
> performed, and 6.4 explicitly cites 6488. What additional info do you
> feel is needed here?

I would like the document to explicitly state how to deal with object
types appearing on a manifest that a replying party does not know. If
nothing else then to make the document more helpful for implementers.

> > But I’m not even sure it provides any benefit. I, say, I am
> > validating a resource tagged association (RTA, [0]), I don’t care
> > about the ROAs at all. Does the RTA become invalid because a CA
> > somewhere in the validation chain had an expired ROA?  
> I have not examined the RTA ID, and it's an expired draft, so ...

RTA validates signed objects distributed via alternative means using
the PKI published as part of the RPKI. I.e., one of the CA
certificates published via the RPKI has issued the EE certificate used
in that signed object.

In order to validate that object, I do not need to look at any ROAs or
GBRs, only certificates, CRLs, and manifests.

Should validation of that object fail if there is an expired ROA
published by one of the CAs along the validation chain?

Kind regards,