Re: [Sidrops] mft version field issue (Was: I-D Action: draft-ietf-sidrops-6486bis-05.txt)
Job Snijders <job@fastly.com> Sat, 10 July 2021 19:51 UTC
Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B46393A1CC0 for <sidrops@ietfa.amsl.com>; Sat, 10 Jul 2021 12:51:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.498
X-Spam-Level:
X-Spam-Status: No, score=-1.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_SBL=0.5, URIBL_SBL_A=0.1] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FrvJXN05CxK0 for <sidrops@ietfa.amsl.com>; Sat, 10 Jul 2021 12:51:47 -0700 (PDT)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D7403A1CB2 for <sidrops@ietf.org>; Sat, 10 Jul 2021 12:51:47 -0700 (PDT)
Received: by mail-ed1-x52c.google.com with SMTP id t3so19681106edt.12 for <sidrops@ietf.org>; Sat, 10 Jul 2021 12:51:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; h=date:from:to:cc:subject:message-id:mime-version:content-disposition :content-transfer-encoding:in-reply-to; bh=+HbYuscWtaxccydyAVsjDilo7SOTtuU5nQ+5mXraRbM=; b=xSltahuTcmc6p6ED91IIBJAjbFsXTvya+r3tP1P2FI8V5hLB2nM17VMQInYKmXj0ks ukpcBL034hi3OSy6NhiOF81j6ktOevd4aEe914qitiThT45CbkmgmJnZ70kP3HmFkR7O NUXXh3YvPzNE50rkJczL++V1SDxjqlYUEQnNs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version :content-disposition:content-transfer-encoding:in-reply-to; bh=+HbYuscWtaxccydyAVsjDilo7SOTtuU5nQ+5mXraRbM=; b=qQYBSKGHi3Ukw6RcHRJXOjjiw8dd9o3zo/R77UQe1VO3mr5drDpcqy0jGx8T2hOJrN uwdDQ1Xn2nIXWDm2tVXayx8NyX73EFkmbiom+ey92UaBHesHeboMz5gS2e7bQ6sST+Da U0nQbFx/t+Xwirwuqy3vLhJ/0skRVlO9JAJtYqXkko1H5ARP+RltJwNUCm3E2HQrNCrJ 5nu384gyViQZ2wkYVoVzrcs/Aj6Dh7KctjtBjkB3EfyVVks+rIHDpaYBAT9gFXTiEbRN EhrSTMSHzpNzA5X2EXqMdHZDJur3Hs+25cX85z0L+OkwRaE0u1B6c5J+4TByHiVNtowa RiOw==
X-Gm-Message-State: AOAM533/25CQjnE41kpJ6dIGu9nQ3f+ERicOGjesvM1OxHW8tQnudlZC C38dWTvZTjFKuKU1DcdDPcjEjw==
X-Google-Smtp-Source: ABdhPJz2rcieiUef5PYAg8VM0SZWNGIcMYUp1NJV838pT9c1H64SznWnEZMl0GtkLj69Qi3zHtZO7g==
X-Received: by 2002:a05:6402:10c7:: with SMTP id p7mr38521807edu.159.1625946705177; Sat, 10 Jul 2021 12:51:45 -0700 (PDT)
Received: from snel (mieli.sobornost.net. [45.138.228.4]) by smtp.gmail.com with ESMTPSA id h3sm2517163ejf.53.2021.07.10.12.51.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 10 Jul 2021 12:51:44 -0700 (PDT)
Date: Sat, 10 Jul 2021 21:51:13 +0200
From: Job Snijders <job@fastly.com>
To: Stephen Kent <stkent=40verizon.net@dmarc.ietf.org>
Cc: sidrops@ietf.org
Message-ID: <YOn6Mcur4ZWebtm6@snel>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <17a30b20-ce2e-b424-b56c-162c120e2ca9@verizon.net>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/WdIif2g1NKsCr9NnkqDhOgCotNI>
Subject: Re: [Sidrops] mft version field issue (Was: I-D Action: draft-ietf-sidrops-6486bis-05.txt)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Jul 2021 19:51:52 -0000
On Sat, Jul 10, 2021 at 02:56:47PM -0400, Stephen Kent wrote:
> In the IETF we usually employ a version number change to facilitate a
> transition to a new format, or to accommodate a change in the rules for
> processing an existing object. If RP software can't deal with a change of
> version number for an object, the RP software is seriously deficient.
If you mean by "RP software can't deal with a change of version" that
the RP crashes (or worse), indeed, I agree, of course.
What I meant with "the RP cannot parse the eContent", is that the RP
applies its validation procedure - expecting the version to 0, and if
the version is not 0 the RP considers the Manifest invalid, and thus all
subordinate products are lost from the RPs view.
A change of version number (going from 0 to 1) will mean RPs will reject
'version 1' manifests upon discovery. In your other message you
acknowledge that Manifests with an unexpected version field (or
unexpected contents) should be considered invalid.
> > Given that CA's in their SIA currently can't point to two different
> > Manifest objects, unless a new accessDescription element for the
> > id-ad-rpkiManifest accessMethod is introduced. At that point CAs would
> > be doubly publishing Manifests (v0 + v1)... all to reduce some potential
> > churn in the CRL space.
>
> I agree that a CA cannot point to two different manifests at the same time,
> using existing the existing SIA format. However, that does not mean that
> it's impossible to transition to a new manifest format. The CA key rollover
> procedure, described in RFC 6489 describes a process which would allow a
> phased transition of a new manifest format.
I fail to see how a CA key rollover strategy can be applied to the
situation at hand, to facilitate introducing a new 'version' number in
the eContent.
When a CA 'refreshes' and starts pointing to a newly created manifest
object (version 1), any deployed RP unaware of what 'version 1' means
will discover and subsequently invalidate the Manifest.
To me it seems that 'version' is not backwards compatible for older RPs,
because it was not specified to be backwards compatible.
How can a CA cater to both last year's RPs (which all expect version 0),
and next year's RPs which support both v0 and v1? I fail to see the
migration path.
Kind regards,
Job
ps. to illustrate the point of the decision tree I'm looking at, see
below, all test & branch paths lead to 'goto out', which means the RP
will consider the manifest invalid. The introduction of a 'version 1'
object will cause older RPs to lose sight of the subordinate products.
This is not attractive to CAs, who generally wish to pass validation by
as many RPs as possible.
mft_version = ASN1_INTEGER_get(tt->value.integer);
if (mft_version == 0) {
warnx("%s: RFC 6486 section 4.2.1 and X.690, 11.5: not"
" expecting version field for version 0", p->fn);
goto out;
} else {
warnx("%s: RFC 6486 section 4.2.1 unexpected version: "
"%ld", p->fn, mft_version);
goto out;
}
- Re: [Sidrops] mft version field issue (Was: I-D A… Job Snijders
- Re: [Sidrops] mft version field issue (Was: I-D A… Job Snijders
- Re: [Sidrops] mft version field issue (Was: I-D A… Stephen Kent
- Re: [Sidrops] mft version field issue (Was: I-D A… Russ Housley
- Re: [Sidrops] mft version field issue (Was: I-D A… Job Snijders
- Re: [Sidrops] mft version field issue (Was: I-D A… Russ Housley