Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki-rsc-06.txt
Ties de Kock <tdekock@ripe.net> Mon, 14 February 2022 08:47 UTC
Return-Path: <tdekock@ripe.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF6D13A0CAD for <sidrops@ietfa.amsl.com>; Mon, 14 Feb 2022 00:47:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.099
X-Spam-Level:
X-Spam-Status: No, score=-7.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ripe.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O2sIV_aEuG50 for <sidrops@ietfa.amsl.com>; Mon, 14 Feb 2022 00:47:51 -0800 (PST)
Received: from molamola.ripe.net (molamola.ripe.net [IPv6:2001:67c:2e8:11::c100:1371]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FFE33A0C3D for <sidrops@ietf.org>; Mon, 14 Feb 2022 00:47:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ripe.net; s=s1-ripe-net; h=Message-Id:To:Date:Subject:Mime-Version:Content-Type:From:CC ; bh=zeZEMOBY+KJFa65w5T54epamc398EGbgDzxdngxsc44=; b=a4W5gOPDsmd+tu9WHXUbUE7I tQx3Nf+OQHHJM4/qIqvzlpGwTvwKdTRcE8g+CCSOcrlhd7XXahU7ueQPm6p7DT45I1JETL9lQCLn8 2jNS5n5xjRquuwx9tI6JepLvmiZHqxYPAQxSqz4hxXNmiVmHNeXLZNYmVyyH7Ui8u9x5JB/klpuj6 WcD1ztVImFBKkfvmKMDNVRM8i87A3B+TIlQuHLoeQ0Bri5t92fmKkNHwh0sNkuFBGLxMPd2wdYuOm LpwWubzUv8JiLriS4L0+Q9xyVweL4E8+HPtoQWCZKG3AuE+H52hLaPkNcECnfK6QOklDdZjI0iEbB 7ftOocX1Cw==;
Received: from bufobufo.ripe.net ([2001:67c:2e8:23::c100:170d]:36020) by molamola.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <tdekock@ripe.net>) id 1nJX1Q-0002Br-Ie for sidrops@ietf.org; Mon, 14 Feb 2022 09:47:48 +0100
Received: from sslvpn.ipv6.ripe.net ([2001:67c:2e8:9::c100:14e6] helo=smtpclient.apple) by bufobufo.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <tdekock@ripe.net>) id 1nJX1Q-0001R4-8T for sidrops@ietf.org; Mon, 14 Feb 2022 09:47:48 +0100
From: Ties de Kock <tdekock@ripe.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.60.0.1.1\))
Date: Mon, 14 Feb 2022 09:47:47 +0100
References: <164467776886.6200.12411287308620405950@ietfa.amsl.com>
To: sidrops@ietf.org
In-Reply-To: <164467776886.6200.12411287308620405950@ietfa.amsl.com>
Message-Id: <E1F0280E-5212-42C3-9D16-75218E122943@ripe.net>
X-Mailer: Apple Mail (2.3693.60.0.1.1)
X-RIPE-Signature: 059faafd1cc22ebb05e1592c815fe1e10de987a8adade852c26a081c16835398
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/Vlw5D_lVNGwENRkDWObutEwVn5s>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki-rsc-06.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Feb 2022 08:47:56 -0000
Hi all, > On 12 Feb 2022, at 15:56, internet-drafts@ietf.org wrote: > > > A New Internet-Draft is available from the on-line Internet-Drafts directories. > This draft is a work item of the SIDR Operations WG of the IETF. > > Title : Resource Public Key Infrastructure (RPKI) object profile for Signed Checklist (RSC) > Authors : Job Snijders > Tom Harrison > Ben Maddison > Filename : draft-ietf-sidrops-rpki-rsc-06.txt > Pages : 15 > Date : 2022-02-12 > > Abstract: > This document defines a Cryptographic Message Syntax (CMS) profile > for a general purpose listing of checksums (a 'checklist'), for use > with the Resource Public Key Infrastructure (RPKI). The objective is > to allow an attestation, in the form of a listing of one or more > checksums of arbitrary digital objects (files), to be signed "with > resources", and for validation to provide a means to confirm a > specific Internet Resource Holder produced the Signed Checklist. The > profile is intended to provide for the signing of an arbitrary > checksum listing with a specific set of Internet Number Resources. > While this draft discusses the validity of the RSC object in isolation, it would probably be good to clarify and/or add constraints on when a RSC object should be considered valid. I think this is especially important because a CA has no visibility into what RSCs are out there for a private key (and there are multiple solutions for this, e.g. certificate transparency for the EE certs or requiring RSC objects to be on a current, valid manifest). For example, from the current draft, it is not clear if the CA certificates that form the valid certification path from a trust anchor to the EE certificate (6488) need to be on current, valid manifests. I think they do, but clarification would help :). Furthermore, when evaluating a RSC at a point in time, you need assurance that (a) the RSC itself is not backdated and that (b) the CA path was in place at that point in time. In practice, it may only be feasible to verify a RSC that "has been signed recently" and is valid at this point [in time]. Only considering the current state of the RPKI tree also solves the problems posed by key-rolls, resource transfers, etc. Kind regards, Ties
- [Sidrops] I-D Action: draft-ietf-sidrops-rpki-rsc… internet-drafts
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Ties de Kock
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Job Snijders