IETF Logo Mail Archive

Re: [Sidrops] [Technical Errata Reported] RFC9286 (7243)

Stephen Kent <stkent@verizon.net> Thu, 10 November 2022 12:04 UTC

Return-Path: <stkent@verizon.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90908C14F747 for <sidrops@ietfa.amsl.com>; Thu, 10 Nov 2022 04:04:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verizon.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NbxVSXWY6cK6 for <sidrops@ietfa.amsl.com>; Thu, 10 Nov 2022 04:04:10 -0800 (PST)
Received: from sonic315-20.consmr.mail.ne1.yahoo.com (sonic315-20.consmr.mail.ne1.yahoo.com [66.163.190.146]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37DDFC14F692 for <sidrops@ietf.org>; Thu, 10 Nov 2022 04:04:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verizon.net; s=a2048; t=1668081849; bh=z8oTr6OUMx80OeOIRm2BtDgQ60GZU6AgJFnuqF9v/w4=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From:Subject:Reply-To; b=JlWiocXuBUQRTMVh0FzDkEqNcYct1xicX/F00FjstS4BPt+S7ZgMG6uiodggrBEzaaRrodxHoJElthhi1gy9S43DsaVh/vert4hPz5LVVB7T3hu6jHxuu3QyCZdT9nSb01PONDxNa+NEV2ZxMfzvRv3PamEDjzdMEjhTTuDMDv68+u+c024I/3RkHyC8UxRfoFeX3GuJbMRy9EiR9bizhhCgSs/EGTHkdwHGA5Z3N4XOK4IO55K3jaX6UUyWo/LbQbfRMrhrsduP/z4ml1mvAjEIS3NzJRf8Xw6Vm3Gc6Svg0yzwmkR/CBWwSfe5BWi5ySeDwbAHBLx0uh9vvZP12A==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1668081849; bh=qXxYS3wWxvf4zPvzpNETAT6q+kMhcRiZ2LsrS0jMF2W=; h=X-Sonic-MF:Date:Subject:To:From:From:Subject; b=PsnTTkV+FkG9CgIQ7xLvxyec8+bXejbIPhYuPzIwXgBmjfCIJR7CeOxvffD6sKznEdHzQ53MHhyiiXM177RgdfjgBLVTb3PtzZhy4/mkdQTzIsqXogWLQ5wXeKYbb2JRSNIHI7uInfUTaO141DDf5A/ks6WhNjh+YMdS5bHBh2lPpGFqKmrYJByj+Rb745sO1jluMBWYt7xZrFBA7Mts6x/6LTHRb79NN8T47pnf49FDoou0+U5gRvGsHrxO0H3s3Rgvfs1nBI2koNkjnQKtKl+gnnVQRI8oKMoKGMxU1zoj1VVx5xpfVa7Ws05YWCKgD/1ClFmhP2JnZSY/V2hCyA==
X-YMail-OSG: NjgS6mkVM1malZLYOo1RoOr4JPUHxavEjuh2YaX7JLxBcE1H6nehgfsZ48BQoYh RV1iQ70bVTYYlVTZc00rhc452dqc2aHMveoNY.UqG6MPmi.6BQmKD5yuifcGIjwSZwfpmBmGClA1 AOkJHWpGF8EzK2A9tEFM7gMfwAYfvqQ.8wMGVyocNKhc..E_SlRZzzHFDFNqrtCW.QkZsp3w.xGf AhYKG.iPfpdufW2QX3Dr_xwqXUHBQ.QTG3_ZJqmwebpzgqoibj2uXe5T961vFtEILQAT6KTlE93w vBefeLKdaqMsSLI6Xx8J0fMUgQ9LMhhStPvXNi7yMR4wHM_U5lzWHnGNfqal.4pLr6SIGebkO.i2 Tx_dYBt85orPKrb2vA3Qgeaiu_X6agjmKU_puaFuLgwiTkCzYlyd0JbLl9wF1sWqV4xhmgkEy7ZG svzfGqS0DgIT6ue9GHuFnCg.y3QI7cQfOPEjEakxRUi_xjy0TwBoReYl2P6tBmJmhR8sxw1PkryI VkIZ4uh7jp1NJ7JhpTMT23MpoGmCk2Heinji8HQ4I.e.EsEiJfQTi4LpRldh7vyK0bYjG4J0UpJt z8QB1IJQ8zXsSVHG6AsFXBVbuV6OEUhkxVhyg0Vbu9La30KASjygB6oWIq.D_g5dG.l1nka.lq4t 7Reuv_00FJF3EmUo5W6FSgwxXd_LgGtMKNTssPORtjNlgZe5XGlYKhBNIraEtcVUd_WzJuWmjNRc 9Nn7NbZSz_Ot.aUeum2459l_ZvYGP8_OVM8f0iEAEo2VRyQ.MQnq.._nJ6hx17kKVDjpxozNIcZJ nuXtcK4FKPemVJjAihvcGBuXnfhTSzCBVy8OD3oo3dHG0VhfZk7E4u25pFkBEC8BX.SOXe5DZ6Cq 5GsY01BeFPntGq8rxEVKPAME4OeIrevs8wMR18d458dUUMps_kV6rKLszrtAv_xEz.cTrr.QBr7w 16fio.NavHTk3A2.XfiSHv79MqDfJIuaZVwJ1dN6yo5n7gHM88QqiKYYCtVIbNWVCIS3v_sxzXYR ebyzVxxDW20IZwvvl_Ixs53sbWWRG2AVTJGmZdg_Z3FmrKSSotrXh1fnjwhb2rHbMsOMPBNSiPjY .CkNEJCZfYMj3J9yhq60Tf4wJdhWgyt42FMegB5puwqxrIBNOK4uhEDPIrvTvlwEBbdw4A.J9liY kET05CstsXkETUxZHIdvaY1t.h6m7mGiCwAAjwlkVGKZ73QQqSQV_9vhrt08BcKVLTq6hzqChQb3 j18uGXAPSHTABAvrlKrMcYYt3ijOSaHCt.0kH0rpJ06jvjUo7si.jhpOXsWGzpG3xcnPyJqFMo2W 4NwaOk2Ar4SrJtvpVlp1LbmuzkaZFQtS5wBG2hacmZir5As07VPHTyRVQNMBFNeOjf5HYyCVQDOy CEs.9Or36lHyPOEUZ2Dv.vkGSuNJ.sRu_8N8EqZVQza9Q5_FcmWOO.syv9AKl4DxbeNYf.ExvURb PvGfGD15tGdxgVbThSaqE4bZrHR0XnN4StzoUOwcOW.iGl7V.Ygh4uKniFFdO9qxvRVtIG5x8Gj5 CXbZvN1jfGOal36.L.15LjRhml.6BBIjOpG_6B9BO0wm2TRFVaNahr6n_wI.JuvG2QsSByQ7Wmrp av03M_W.ElQWnL9RsXsCmrs781WPgbQ.lHfNZSK1SsQPzmqHAMISD3wiJrjXzziUS_7ug5cD_8SE xrZ3E74DhTi9cBRZ9Empq_8vw55r_.gsxKB7rQN1fPOjsZSzcdV7jPqnZ5pzykRvWLffksdvjJ4O f5fUOyZeCpaa39n.9RPfn.lBAywgO9NqrO0jyKf0SCDrB2MG0hm2HJFUyZOANgX0XArmWMy70_.g 60ZJ4zHWvFKQpoCEyLhT9Q5a1RCRHYkOHXXr6zH11TOhb_pzbuLiSeOqT4sXeFQ5WhoTdebV2kVE yQVTojtEkNM_ip8WiJZmxzwB8ywLqFiY7azpKyfjLr49.7iICpvs3JGWmcAAz703ou132JYV8VZr FuCO3CMT4638YyCYtiGfQp1DRsjpo1uaHYokfXczx1zjSgo8ZhE.nU3.5UziB2OzW09mGPK0dPZt vRJrPGgqXu9rQjiZiTjAZBfXcEkfSluF9VHkS05iA7e_Y3OodJn_aDK1fu9ljucCetswRSqLsIsj J.RhygaemvjNaNHdPl6h8q6JIPVc3AxqR4eoBnMNm3DnSzABkoOo69aPIYW7cw3L3K9A1T4_DT4M mjdjYeRoMqz7cPb3vQ_UO4ELPGtpBS8nUZkBlPdjhPWQIUK6IEhSQ0c.9N_TRQ5UUsdYhrKDVvk1 x
X-Sonic-MF: <stkent@verizon.net>
Received: from sonic.gate.mail.ne1.yahoo.com by sonic315.consmr.mail.ne1.yahoo.com with HTTP; Thu, 10 Nov 2022 12:04:09 +0000
Received: by hermes--production-ir2-74cf6dc4df-nkhvs (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 1a0f23379b5a4d53fee908bb076d75c9; Thu, 10 Nov 2022 12:04:03 +0000 (UTC)
Content-Type: multipart/alternative; boundary="------------qw1TNlPGqMhFPVXu2vtXc7y9"
Message-ID: <a6eedb5c-c757-a75a-246b-8a998e10cc0d@verizon.net>
Date: Thu, 10 Nov 2022 13:04:00 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.4.2
Content-Language: en-US
To: Geoff Huston <gih@apnic.net>, RFC Errata System <rfc-editor@rfc-editor.org>
Cc: "sra@hactrn.net" <sra@hactrn.net>, "kent@alum.mit.edu" <kent@alum.mit.edu>, "mlepinski@ncf.edu" <mlepinski@ncf.edu>, Warren Kumari <warren@kumari.net>, "Rob Wilton (rwilton)" <rwilton@cisco.com>, Keyur Patel <keyur@arrcus.com>, "morrowc@ops-netman.net" <morrowc@ops-netman.net>, Ties de Kock <tdekock@ripe.net>, "sidrops@ietf.org" <sidrops@ietf.org>
References: <20221107163523.04502C8AF4@rfcpa.amsl.com> <Y2o+HsUxcJnMX1gh@snel> <30A2528B-F435-49F4-9A7C-A7B15E07D558@apnic.net>
From: Stephen Kent <stkent@verizon.net>
In-Reply-To: <30A2528B-F435-49F4-9A7C-A7B15E07D558@apnic.net>
X-Mailer: WebService/1.1.20826 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.aol
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/TuwuUicSm6okzNpuuvtSqTe64ZY>
X-Mailman-Approved-At: Thu, 10 Nov 2022 04:53:25 -0800
Subject: Re: [Sidrops] [Technical Errata Reported] RFC9286 (7243)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Nov 2022 12:04:14 -0000

I concur with Geoff with regard to the meaning of the field in question

The text says:

thisUpdate:
       This field contains the time when the manifest was created.

that seems pretty clear.

Steve
> Rejected from me.
>
>
>>> First of all: The previous text was not explicit that thisUpdate MUST contain the current time.
>
> ? "thisUpdate: This field contains the time when the manifest was created."
>
>
> I believe that this text an explicit statement to that effect, and does not contain an error.
>
>
>>> Second, in practice (e.g. multiple calls to a synchronous API) multiple manifests can be issued with the same thisUpdate. Under the previous text this would technically be misissuance. The propose text allows multiple manifests to be issued in the same second.
>
> Yes,  multiple manifests issued at the same time will be rejected, according to the text in RFC 9286 and its predecessor RFC6486.
>
> imho the proposed text does NOT correct an error in the original document. This proposed text proposes a different behaviour from the original text. This is therefore not an errata per se, but a proposed revision to the protocol’s described behaviour.
>
>
> Geoff
>
>
>
>
>
>
>
>> On 8 Nov 2022, at 11:31 am, Job Snijders<job@fastly.com>  wrote:
>>
>> Dear all,
>>
>> I would recommend this errata be marked Verified.
>>
>> When the specification was authored, I don't think it occurred to anyone
>> that subscribers might end up hammering the APIs of CA implementations
>> prompting issuers to issue more the frequently than once per second.
>>
>> Although it seems somewhat unlikely for Relying Parties to see multiple
>> manifests issued within the same second (subsequent updates to the same
>> location probably coalesce); however, if an RP is faced with multiple
>> valid manifests with identical validity windows, the monotonically
>> increasing manifestNumber remains the strong tie-breaker.
>>
>> The Errata's suggestion to substitute 'MUST be more recent' with "MUST
>> be current time" combined with "must be equal or more recent" to me
>> seems to be in spirit with the objective of adhering to a linear forward
>> progression of time when issuing products.
>>
>> Kind regards,
>>
>> Job
>>
>> On Mon, Nov 07, 2022 at 08:35:22AM -0800, RFC Errata System wrote:
>>> The following errata report has been submitted for RFC9286,
>>> "Manifests for the Resource Public Key Infrastructure (RPKI)".
>>>
>>> --------------------------------------
>>> You may review the report below and at:
>>> https://www.rfc-editor.org/errata/eid7243
>>>
>>> --------------------------------------
>>> Type: Technical
>>> Reported by: Ties de Kock<tdekock@ripe.net>
>>>
>>> Section: 4.2.1.  Manifest
>>>
>>> Original Text
>>> -------------
>>>    thisUpdate:
>>>       This field contains the time when the manifest was created.  This
>>>       field has the same format constraints as specified in [RFC5280]
>>>       for the CRL field of the same name.  The issuer MUST ensure that
>>>       the value of this field is more recent than any previously
>>>       generated manifest.  Each RP MUST verify that this field value is
>>>       greater (more recent) than the most recent manifest it has
>>>       validated.  If this field in a purported "new" manifest is smaller
>>>       (less recent) than previously validated manifests, the RP SHOULD
>>>       use locally cached versions of objects, as described in
>>>       Section 6.6.
>>>
>>> Corrected Text
>>> --------------
>>>     thisUpdate:
>>>       This field contains the time when the manifest was created. This
>>>       field has the same format constraints as specified in [RFC5280]
>>>       for the CRL field of the same name. The issuer MUST ensure that
>>>       the value of this field is equal to the current time and higher or
>>>       equal to the thisUpdate of any previously generated manifest. Each
>>>       RP MUST verify that this field value is greater or equal to (as,
>>>       or more recent) than the most recent manifest it has validated.
>>>       Suppose this field in a purported "new" manifest is smaller (less
>>>       recent) than previously validated manifests. In that case, the RP
>>>       SHOULD use locally cached versions of objects, as described in
>>>       Section 6.6.
>>>
>>>
>>>
>>> Notes
>>> -----
>>> First of all: The previous text was not explicit that thisUpdate MUST contain the current time.
>>>
>>> Second, in practice (e.g. multiple calls to a synchronous API) multiple manifests can be issued with the same thisUpdate. Under the previous text this would technically be misissuance. The propose text allows multiple manifests to be issued in the same second.
>>>
>>> Instructions:
>>> -------------
>>> This erratum is currently posted as "Reported". If necessary, please
>>> use "Reply All" to discuss whether it should be verified or
>>> rejected. When a decision is reached, the verifying party
>>> can log in to change the status and edit the report, if necessary.
>>>
>>> --------------------------------------
>>> RFC9286 (draft-ietf-sidrops-6486bis-11)
>>> --------------------------------------
>>> Title               : Manifests for the Resource Public Key Infrastructure (RPKI)
>>> Publication Date    : June 2022
>>> Author(s)           : R. Austein, G. Huston, S. Kent, M. Lepinski
>>> Category            : PROPOSED STANDARD
>>> Source              : SIDR Operations
>>> Area                : Operations and Management
>>> Stream              : IETF
>>> Verifying Party     : IESG
>>>
>>> _______________________________________________
>>> Sidrops mailing list
>>> Sidrops@ietf.org
>>> https://www.ietf.org/mailman/listinfo/sidrops

v2.23.0 | Report a Bug | By Email