IETF Logo Mail Archive

Re: [Sidrops] mft/ee validity time window alignment issue - Re: I-D Action: draft-ietf-sidrops-6486bis-05.txt

Stephen Kent <stkent@verizon.net> Mon, 12 July 2021 13:33 UTC

Return-Path: <stkent@verizon.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC2D13A17C1 for <sidrops@ietfa.amsl.com>; Mon, 12 Jul 2021 06:33:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.202
X-Spam-Level:
X-Spam-Status: No, score=-0.202 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verizon.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I5IRnm8fWCBe for <sidrops@ietfa.amsl.com>; Mon, 12 Jul 2021 06:33:29 -0700 (PDT)
Received: from sonic308-56.consmr.mail.ne1.yahoo.com (sonic308-56.consmr.mail.ne1.yahoo.com [66.163.187.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF7663A17AF for <sidrops@ietf.org>; Mon, 12 Jul 2021 06:32:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verizon.net; s=a2048; t=1626096764; bh=9tiZmmsqmLaCk4QSFjFqixRF1g/d8AoeyskG/mL9wno=; h=Subject:To:References:From:Date:In-Reply-To:From:Subject:Reply-To; b=axLUkdzOD7ys3GpQMiGnED8/AyDrWaVslL0sg8rxNbJY/tKBPz8+XSswTqzi91ud2jdvrmkVws5sqm7umdyfTMYtqQ9OlfWXQ2XEdZr0tjfMq2JDo1XyZ399TCw8/f8mAlaDUCstvIJT0LAIrK9wCBBqWNZlHgGXdOLbdV8fNWDFFxclnarpz3+ypKi3wbQKY61uuck9O8S2hK5soTw0UiIv/aL2eMLzIvsdFkjSA7iEMW/6O0EXZ85zvvFZwUWjVz5GuJQDVpPDHPfjzu32UEzjk+TWbVZYw9hWXgTEdpzYe4lEXU1VcKpprcUXBajX9UqWGZ0ROdPz88TsSfJyLw==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1626096764; bh=9wSXtTS+/1g50YOi36HpIgHEzIsAbVkWi0YeBchm5U0=; h=X-Sonic-MF:Subject:To:From:Date:From:Subject; b=JwBLuMDnZ0OmHbm8eDY3sT4vh20yFMHePbU0nzDDDVyJz42fIv5823sOF7/Nynqticm65eMA0ho9fHEKEZNd9BZCrICp2mQgQjV0jeE3Rgf26FH9m4veNJQSWybkp22ypGl2h3MaLwZlwza1MmBRvBOPATULyTOJN71Wej7t1MjwNqaQ41BgsvDLjW341xqF/AZ2gwDVoH9LqmCMa/fovt7uOYKQtTOlt2HCrlF7VqJHxYkC0CxhkXKv7BLsPSnXaufjDak+C3ERR6M8qZbK1xWEYHIEBpwiqwQ7w+Xd7Eec1QnXtJIGO+NwchxvDeDAEEv0TBqTL63EhHlYD5qUpQ==
X-YMail-OSG: dEewJ0MVM1mYrABzxyJDxyl8.77f_24vXtclDTH05.JpjZDE6PA3kTQhJ5x16lm xtbHXyoSYYpmery_0XnSXZUVv9.N_qw3_aZdbWz6j62TX09XJ_zwExzLNfeeVI_al0ZlgtxUfee_ Mp3XIIQf6O5b5qKW1SWilMG3J8LICjC3Ld.0.hXSaxaUXFX6wjXmIyNlqO8O5tzPH4wD2T5KYCHH sKt2y4Jpm7liDxzNxQOfoMuD6s_2J4x6EnWBF6I6bBm9vFh8tyQoJ.6GkxjXugz.GG0grtVyZwvU 8zwg3ugltdCpEDxn5_A33.BgSFb9L66fv8HmxOUUujOp.rGIB7fKPuUE.9DQWuyEncEav5y0Xhqq 2BswaSp0jYXuC_9Fm8UioxMw9RgJHUPqLd9tzGLCf85_lrLuoqyzNDALg4AfZc8fqvVJ_5o1pqGB lGW0AkrqVHUtaiBfDl0LTBsAPrW5OloYv5ikYFF1zX1JlyLDYg9W9sxCRD88DefxqRk1G5m4aEFa iEqqWxtZWiuk5uiCew_6IOdfj7x6vgHmCyZoS6_.bLw4Uu8lqXMPyL41DPIgOdtGTbBF99S6w2Sn enHqtHBgxMhtic5s.wg0Xyx6Lwi0ujc8BQ4sDAvpbQlQTHscHD28Iym8LjCRgpoorKzx_dnWXnHn EPvy8l9gkpDWOY3cEoYzjxihXBFE21NU9S9pFHDkvHRR1sDCBQqB6UDfM._h0eLUcDlaTGpA8yfI DHX9CfDEqB.cEPeYCDK_xn72jSRJqeROHYI_SAWb9CM.twGxM9iOmkZIFTv1HcbOATBPBSrXM9cV 4EJd3mfRaOzMNiFEZiUBGSIEpyxy2YmFPPqRYsdfCbPIOhQ7_jqq5Cy__71gmcoz8yhqmJHQvZFl xWkNJVQH8NzfWwKYgTuQShLbFS5m1Ea1tUShL4pJqDv7hbDKv0xVl.tuJkTIBszTAVEjZawpEsOL GbPCySwSd9jFK46TIaRYb3JYVK3jHlxm9wYC8UppFzNHkpvZdi9hySqudv7F1M6nO5X06wCkiLF0 r6ODbVHBSlftKykGL7WNAXHHbLmhWM8gRmgMblpAawoL2EFoRgHIPYV2ScR6lNnDuMCn4KaJQMTP LO8gxtHqXM7oeCVnyFSQQ2Ni21bPEcDvnayVh8WbUOBx2cF_hLxAwyXYRakQOjBWwlvEhlnqbReF 4bPiII4aJ4tF2GsvKIUJTA7LQZssPyHTNnXaaMT4SHKi0IXeD7iPOykyY65vqm1K5PmCPfoTd52W iBf9K2AJPFYHU1JEUnKwXHwSQhj_pzDJ_pQkrQ8zeBCpENZhih.VFgneoMLZH3m9aRiZjZZmo6dK nZM7WE7fh8ws3bjcPP8q3waImmRT1aV6_a8hZvjW7t5D7C0_mWs6R4mch8Wbx1ZXoVu4YyINqOJN 5_HtJheyidKYURextktrd581x9bqRibEJ6Lv6QYoHVRfSUvyfvk8iV40s1m7s4MX3L6a1G4HdzOi 86ts8uGg5wNWPqSgvbjg5kt3dFhRBwauiKkeaYd3MB3i.ueDHwQQOtQj4ZZ7XBY.2rsmitOZJehw zpnYQdNnQKRLCz_ftqKQKl8xeg_w4nTQeeoYR35j2TgyXVBnik9Qs3aQFFq2KgX6_mFRdRWao7Lr gYNmHSXlci8nfgzFBMhGbABrYkGM92gnULT1aFxyhHV5EWYJ.dGTRtLumRXOszzbHZes9gZELQjM PkBtUmWgwGJPIn3wQwkcigU2MWJWXxu.i.RJIDgPhX2anyeMpd9ecfV8qWTY56IiyZWJnHjesfF1 r.2DZhj6rqmsQjW3IIDcsG5hBEQxHC6BCKp0kj5LIAprlS7kpjo4p2eJllB1mmHgSyO7TmwJ9avD KC17MtHeOKLHrOQs8RzHTPKJu8Rg3WJGCLioPaWfAk23wGL0dbexmXSgHsPH2d7NfBhF8PDi5MRD h6dYWmGw57qSM4nO7n42TEESY4Wud5Xb4CpzE_T9_rvbSKshOxcEtae2b66GVir6L3rSj5yGV1rA DFgfdC63i0661NnnjcrJirk87RgU_gb9HD_pGvu1E.PpCqIbh7_c3viSV9SUKB4UES4iJwgHQXoB pf4S_3y8XmtEkPf2OS4YL0xEinZfFJXl3I.M_9sk_CtxGnUsz428hWfU7PxXNxENZckU8WkrGCJN Sw4zrIvzrRwF06ulXCS408X9uy_gT560.EIMUUzdbE8oOCZdWxRLCuVzAO4oFZVvrrWZ_ECDh6gf kHYvIes_dS1aKrpR0VvK1h0qSY_Zqcmtdfc42e4pnGAcDDbBsMSiaDSBPPu3dG_DNRz6pxKpCZLZ snLYydm8lYJqgmEqY_NN5o5ANwucHrTanJtHsPxZCNS7cpvLAvL4B5I8zlgOTMTBYrOAWtEIGtnq l1DRvLmBCgGa9kif3I7qKx0aIMBpE0i_hkp05GMPIjLnzDDkv34_q9tQF3WUXtJcK7n2BFQ0H1tE B9BHq
X-Sonic-MF: <stkent@verizon.net>
Received: from sonic.gate.mail.ne1.yahoo.com by sonic308.consmr.mail.ne1.yahoo.com with HTTP; Mon, 12 Jul 2021 13:32:44 +0000
Received: by kubenode531.mail-prod1.omega.bf1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID a2774ef3df5727257f0dd01c31cda470; Mon, 12 Jul 2021 13:32:41 +0000 (UTC)
To: sidrops@ietf.org
References: <162574988984.26098.17271669200254285008@ietfa.amsl.com> <YOc/X/fqp5RepPQD@snel> <3077EE58-C035-4A0D-91C7-AB44B33025D1@nlnetlabs.nl> <564f0d8f-942e-e4e6-b97c-563564f235fe@verizon.net> <YOjHFVZFtCahcfr7@snel> <D5E6E72B-8830-4C2C-B63D-E39BCF9DF5F3@nlnetlabs.nl>
From: Stephen Kent <stkent@verizon.net>
Message-ID: <0e0d9bc3-4484-8c99-91e1-ca0bf3ee225f@verizon.net>
Date: Mon, 12 Jul 2021 09:32:39 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <D5E6E72B-8830-4C2C-B63D-E39BCF9DF5F3@nlnetlabs.nl>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
X-Mailer: WebService/1.1.18469 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.aol
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/WIeZatd94e5_lGFwhnANnfyt4KE>
Subject: Re: [Sidrops] mft/ee validity time window alignment issue - Re: I-D Action: draft-ietf-sidrops-6486bis-05.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jul 2021 13:33:31 -0000

Tim,
> ...
>> I propose this text for Section 4.2.1 second paragraph:
>>
>> """
>>    When signing a manifest, it is RECOMMENDED to use an "one-time-use"
>>    keypair. The EE certificate SHOULD have a validity period that
>>    coincides with the interval from thisUpdate to nextUpdate in the
>>    manifest, to prevent needless growth of the CA's CRL.
>> """
>
> This text for 4.2.1 works for me. I think the SHOULD is appropriate because of existing deployment where this restriction was not present.

It doesn't work for me ;-).

No CA indicated that they generated multi-use EE certs for manifests, 
and all the RIR CAs confirmed that they employ single-use EE certs for 
manifests. This argues for a MUST, not a SHOULD.

> Furthermore, while shortening the lifetime will help to keep the CRLs a bit shorter (in case of Krill 1 previous MFT EE revocation entry instead of 10, bear in mind there might be other entries for ROAs, certs..), I think this gain is marginal. I do not see how the security aspects are changed here, it just saves a small number of cycles.
You said earlier that you have no data indicating how often a manifest 
is issued to accommodate a change in signed products, other than CRLs. 
Thus your comment seems to be based on a perception, but not 
substantiated by any data.
> Furthermore, I fail to see why a version increment of the manifest would be needed in this context. Before discussing the 'how' of such a transition I think the 'why' should be clear.

A version number change is always used whenever formats change, and 
generally used when processing is changed in a way that would impact 
interoperability, e.g., RPs would reject published, signed objects.

So, for example, if we require CAs to use one-time EE certs, no version 
number change is needed for manifests, because an RP was required to 
accept either one-time or multi-use EE certs in this context, and there 
was no requirement for the RP to try to check which type was employed.

If we were to require CAs to align the manifest EE cert validity 
interval with the manifest update interval, this too would not require a 
version number change, UNLESS we mandate RP checking of this alignment. 
If we say that a CA SHOULD align these dates, then we can't require RPs 
to check that, so, again, no need for a version number change.

Steve

v2.23.0 | Report a Bug | By Email