Re: [Sidrops] Benjamin Kaduk's Discuss on draft-ietf-sidrops-6486bis-09: (with DISCUSS and COMMENT)

Ben Maddison <benm@workonline.africa> Mon, 21 March 2022 12:43 UTC

Date: Mon, 21 Mar 2022 14:43:05 +0200
From: Ben Maddison <benm@workonline.africa>
To: Rob Austein <sra@hactrn.net>
Cc: Job Snijders <job@fastly.com>, morrowc@ops-netman.net, sidrops@ietf.org, sidrops-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-sidrops-6486bis@ietf.org, Benjamin Kaduk <kaduk@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/SHbbiS0KsK1teFtMuMICFDlTbzQ>
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>

Hi Rob,

On 03/20, Rob Austein wrote:
> On Thu, 17 Mar 2022 10:40:37 -0400, Job Snijders wrote:
> ...
> > > > > NEW Section 4.2.1:
> > > > >    Because a "one-time-use" EE certificate is employed to verify a
> > > > >    manifest, the EE certificate MUST be issued with a validity period
> > > > >    that coincides with the interval from thisUpdate to nextUpdate in the
> > > > >    manifest, to prevent needless growth of the CA's CRL.
> ...
> > CA operators are free to set the Manifest's eContent nextUpdate and the
> > CRLs nextUpdate as far into the future as they wish; each CA needs to
> > make a trade-off about how they schedule on-call on the weekends. CA
> > operators can nowadays rely on RP implementations only permitting the
> > narrowest validity window transitively concluded from the entire chain.
> 
> Except that you're changing the semantics of nextUpdate from "stale"
> to "hard failure", which is dangerously wrong and is not what the
> semantics were intended to be by the original authors before you took
> up the pen.

tl;dr: I think -10 accurately reflects the consensus in the WG.

One of the primary motivations for this document was, from its
inception, to clarify that a Manifest with nextUpdate in the past is
stale *and should result in a failed fetch*.
This is set out in section 6.3:

    If the current time is later than nextUpdate, then the manifest is
    stale; this is a failed fetch and RP MUST proceed to Section 6.6;

Then, in section 6.6:

    Termination of processing means that the RP SHOULD continue to use
    cached versions of the objects associated with this CA instance,
    until such time as they become stale or they can be replaced by
    objects from a successful fetch.

Both sentences have been present since -00.

Thus, an RP that encounters a manifest with nextUpdate in the past will
attempt to fall back to its local cache.
If the manifest (if any) in the cache also has nextUpdate in the past
then it is discarded, and its associated repository is not processed
further.

Clearly an RP will similarly refuse to process a manifest whose signing
EE cert has a notAfter in the past.

Thus, for all practical purposes, the terms "stale" and "expired" are
synonymous when applied to manifests. The time at which that happens is
the *earlier of either nextUpdate or notAfter*.

The text of 4.2.1 is merely incidental to all of this. It is there for
no reason other than to limit CRL growth.

Cheers,

Ben
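
Added example (not part of the original message or of the draft): a minimal Python model of the relying-party behaviour described in the message above, covering the Section 6.3 staleness test, the Section 6.6 cache fallback, and a manifest's effective expiry as the earlier of nextUpdate and the EE certificate's notAfter, plus a CA-side check of the quoted Section 4.2.1 rule. The `Manifest` class, the function names and the sample times are hypothetical; signature and hash validation are out of scope.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class Manifest:
    """Hypothetical model: only the time fields discussed in the message."""
    this_update: datetime    # manifest eContent thisUpdate
    next_update: datetime    # manifest eContent nextUpdate
    ee_not_before: datetime  # signing EE certificate notBefore
    ee_not_after: datetime   # signing EE certificate notAfter


def effective_expiry(m: Manifest) -> datetime:
    """Earlier of nextUpdate and the EE certificate's notAfter."""
    return min(m.next_update, m.ee_not_after)


def ee_matches_manifest_window(m: Manifest) -> bool:
    """CA-side check of the quoted 4.2.1 text: EE validity == thisUpdate..nextUpdate."""
    return (m.ee_not_before, m.ee_not_after) == (m.this_update, m.next_update)


def select_manifest(fetched, cached, now) -> Tuple[Optional[Manifest], str]:
    """Apply the 6.3 -> 6.6 fallback: fresh fetch, else unexpired cache, else nothing."""
    if fetched is not None and now <= effective_expiry(fetched):
        return fetched, "fetched"
    # A stale or missing manifest is a failed fetch; fall back to the local cache.
    if cached is not None and now <= effective_expiry(cached):
        return cached, "cached"
    # The cached manifest is stale too: discard it, stop processing this repository.
    return None, "discarded"


def sample(now, next_h, ee_h=None) -> Manifest:
    """Constructed manifest: issued 24h ago, offsets in hours relative to now."""
    issued = now - timedelta(hours=24)
    nxt = now + timedelta(hours=next_h)
    ee_end = nxt if ee_h is None else now + timedelta(hours=ee_h)
    return Manifest(issued, nxt, issued, ee_end)


if __name__ == "__main__":
    now = datetime(2022, 3, 21, 12, 43, tzinfo=timezone.utc)  # constructed clock
    for fetched, cached in [(sample(now, 8), None), (sample(now, -1), sample(now, 2)),
                            (sample(now, -1), sample(now, -3)), (sample(now, 8, -1), None)]:
        print(select_manifest(fetched, cached, now)[1])
```

The last sample pair is the case the message singles out: nextUpdate is still in the future, but the EE certificate has already expired, so the manifest is unusable.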