IETF Logo Mail Archive

Re: [Sidrops] draft-ietf-sidrops-6486bis-04.txt

Stephen Kent <stkent@verizon.net> Mon, 14 June 2021 13:54 UTC

Return-Path: <stkent@verizon.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C09093A253C for <sidrops@ietfa.amsl.com>; Mon, 14 Jun 2021 06:54:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verizon.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SIl7LkSGqDMM for <sidrops@ietfa.amsl.com>; Mon, 14 Jun 2021 06:54:00 -0700 (PDT)
Received: from sonic316-11.consmr.mail.bf2.yahoo.com (sonic316-11.consmr.mail.bf2.yahoo.com [74.6.130.121]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BDFE83A253E for <sidrops@ietf.org>; Mon, 14 Jun 2021 06:53:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verizon.net; s=a2048; t=1623678838; bh=Quy8n74eztJSNSm+CMW54RflZkVGa7B5Wg6GoTGTnqw=; h=From:Subject:To:Cc:References:Date:In-Reply-To:From:Subject:Reply-To; b=WteQWhhJw1F2Cb1hHCixHG2hUj+GlWRXWGvKhv7nsAOulLRBJRoc6T1+qhZ5RX+Do3lHSYjTYbHiTfNe7k5FjwBY3VjNKuW4heHWU6ayEX7fo/Nwg4KQ5uSrwcBkgc3ardUTZF41+tWxKOOKycqFGonXt5hgADzjY4EtfJrqvR8bSkQdhGSWOqg3ZMEooyetNtwAyHgHr1/q9CDXOdaWCxwPvmk+e9apKIpgaVWSafXAOo6QFkndHcnRLjLfGdJ3A7W4xyBOJk8zj9wSH29UyDFX9RZ3cyom/JizBedp1TQ+VrR8yVP2+qx/j0jBAyol/jTlQM81FejB49TubF+j2A==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1623678838; bh=7k84+/fTC+o0/235I59ftTj7UWAckpHYJGRlJuPs6Z5=; h=X-Sonic-MF:From:Subject:To:Date:From:Subject; b=Ua53t7RD+zWzG1aKUJ8ypJYJ1h7ZdYuNOm3/ub/+gMGSWatRO0/aq6sdJUkcFFby6JOJKbd88+r24uQ5wC9di9GbNKUSiEC+LpBwtC1DqGS00NHCALUwZwassRY/OV+L91a7fuCyrkHaOW0kYR2qeTRy5B0zr8wzrcU4lZ8tlc+BnMdL7lPQYYt6JtGZAUHVB6dMjTc3f/c0ceINcp/EfwUZwdlnMBxIq2HMi41iQYxnJoyZnMlsI2JzBgN6I5EWqU/b89IvA+of27bENgVCWS0W7prJqn0Gx+K54rnokkpzQNpaTTvbh7fNRuHrgUZzH9bqO4zWDXZIbKcX2/J5VQ==
X-YMail-OSG: M.lZrksVM1lqHSGRnXUw32lUDZan5Lg_bOV1B2pe_hWXYj0VLO6aCcJGvh3AG46 GBt99y1iV28OxXjX0O.JMxig7_HIFbI9jyxIe06j13hZY4_PlU2EwUYNVOmZMOKSXw7mgC61DRYJ XRP5F0spz6RucIz7RqUjNAUi3skdnn0QrENdM6kxIEqk_FDXc8tSSyQiPoZRHJa8OCj4ktfqG9DY LlcLHi9q364jXQpB1s8JfQ8_7FHZOrPFqxL0U6aSoHrkmmV3e71gqc6I47JAfYhmPlIE5cAm6mMq MWyCfBV56VLufWTPRtWoIHvYuGpNq3bsEw_SkTRttY6CA1hEE3mw_dF0YtwoxYvUWYx8rg0jWDN8 MrfrAnW36dp6nwQJbK3Zgrpz8aQTd_dKduvMWFugp9_GNBFZ_avGGs1DfCJ_7ex4iyICX1DsWQRZ Evj3jjgChekJP29EAmnyyNfX7.EKTFoY7OFQnndTJPzrUrHnCKzYKIhnPFAOApDh7oD08QhvlZS6 2H6re_ayFrJdK.6FZW2.aNjl_SXcqHBLxRVzF7OnLXOtMUSWWROTaABFyY_rIlVlZPPa7y4ChDBR GqNxWLvoJ3_f32ymYI47avhoq5z9Qq6v_9BDa9E2q7nXG5sUO6lgpiL8vHb6UcYP0GictdlmYTeP eqFKljowkTysOuHQjmIOLva6P6jqW44OhmBcGbL7dh2gcdHDBFdcKr3UhIWbVt5nmoCg7uOeGTB7 VgBKwJc5cHP0BUCjs47hIjSxSZVb1_QpiBzAgDVEvL2rmvYa8VhbWHT.OsPzXYg1AsSbja5jmSeR jFK2lk5V31x8QbmrJ7qTyB5rINoclp0nI3cDWAAgRtglaqbSXwoXaZLnjRR1fRkQUiJI_8PwB3L9 zUQz3FP9aFPBVhZaPubhYqUbxN8NhEOfRMHF9MSbpfB6CWck1Y2TxsjuqInGXZDkz1QbMHOE2ks. 8kaAWiaWW5g0D0EbnfoDMs.U.inx_HwdnfTMKrbR0LqsSetWK217xfpXdoS7yC8WINe3XOXaPn4l PTfAjNiNzLCjmDN6EOo0i1f7Z_4kum7qcePE9m0jsZ.8sqLkqKrQJv2oSOKSjNK6m9hC6k13C224 Hc5aJhnd9TG94PwF86SjDBb9wXUgnYHnx.4RpXTObFw80Mn4mBe4bf5.fLz8uRG99ddNUhHtKFAm 4PErkItLaZNRZYbTqh56K1gZy2FeX7BEuGsEtK5xQY.Q1OxpAZZJ7RmQ_NFUQ2D2dL.0Cdxm4Zma sl8q4em9rbTXNXm9p_qGQDjh_q5R_oPT7Y03KX349SN1aXloDBPKXqQCYf2KMZowCMyOrJPNC8mF QY7GP1huJox4siGoVNZqdeSRt_8aFIapIs87xOz.Lc2SwIbMiuIUxRymc2m2bcuv4CPdCStuf0Ez ikS5wunRW4aqBDVRTdScNezqzFTBGPJEzazGTFiuNrE26gPPjaRe9OBBCmP7oqHrk7DvTj69gazo tgW5qoPMiJGu9IPXiVsZb.FlzhOlUVNFeoyyvqUaVQsrurNoCxqJXxeVqnu7QDYt3ijoGSX4B6ef x.L0kBWZ0GHgHXidYplK3lPE8wLsWo_gkmjIVKK_AhfRzEc6yqxc.KaJk6BIowgvH1NppBZU9V8L 99tSAo35IasEMPwPj_dxvXDQQnen.nhs_L1m7k9qP94Vk1bYCgLFp5MmleP1d7mWnZcAFR1gfh4. d6NJhxZ_UQMF0fRcd9jq6r4XZbKPBimzsg2D8SvOrKp4r28upJvreanmFZDTchf3y39OCWJwXALI QxY_o5PXAZpwXkexq1u5M5rAc3IG_C_JLmlDsfibcyUgxOu511WUtVyea..vNkE1tc3kptaQY74A XskdxgMzht3FlZCrK4cI21MpAfF_s3XoXFGLthNQetTKxAZJVwmQng27AsicVKxPXPRs0sEu5udS AzZrqSoOZ693fe4uUj1JE9Ro1K1msCfzL6.u6Qn.ueu96DwhsYi6au_icnGFGnV1DtXrY_w_AdfE c.Z4LMXvva_0o6EjYuR7tXXxUlGHAb5N4tT2GdP4P7Z8EKCxqXPP.Nnvq0E1Xpgz3tJWqb4c.NzY 82CG2zH9Da4tkdaK9eIBPx4ayI8mVeYED2OFynwNH4C7c3zvOg81k0lENv53dNRB7VGtz_1sfxWV 5bN54yNfeK1MpDKfFDNwPhKDh2l5.4GuWDjOGYVS1XbsanaZIA8hVOe_ki_mmwCdve.dI9XOpfYf 3npnLntb2hrkLsE54Gy.nzX5th8n2HD6Cxw73Tzbm460ADq45mYNV5OIy9B_krsBgZSL3Q5OUneP qdMQYi_xpJgSeYLPtVaMigvk8eGohIId.BZX0.sMCWisXkAvidoYE27H.uPgg.L_7BQLgTxpyXOp KIAN3Fu.pW2ii0SBxqR0UE85IIwwjfrayIMJs0uvQubVZ03N2qSfSQeQmM8yGvczxbzqGjLvK
X-Sonic-MF: <stkent@verizon.net>
Received: from sonic.gate.mail.ne1.yahoo.com by sonic316.consmr.mail.bf2.yahoo.com with HTTP; Mon, 14 Jun 2021 13:53:58 +0000
Received: by kubenode512.mail-prod1.omega.bf1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID e347f3359a9fc0c9391e94ccf5df3c98; Mon, 14 Jun 2021 13:53:54 +0000 (UTC)
From: Stephen Kent <stkent@verizon.net>
To: Tim Bruijnzeels <tim@nlnetlabs.nl>
Cc: sidrops@ietf.org
References: <4576a83c-4118-9e4e-aec1-e8e9b0a1a069.ref@verizon.net> <4576a83c-4118-9e4e-aec1-e8e9b0a1a069@verizon.net> <1EF06618-5BF8-46CE-A25C-37D98867EADF@nlnetlabs.nl>
Message-ID: <9dcd34e6-3b07-c8fc-99b3-df9365cb19f1@verizon.net>
Date: Mon, 14 Jun 2021 09:53:54 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <1EF06618-5BF8-46CE-A25C-37D98867EADF@nlnetlabs.nl>
Content-Type: multipart/alternative; boundary="------------AF1F42DAD678B61E5EFC2AA0"
Content-Language: en-US
X-Mailer: WebService/1.1.18368 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.aol
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/Wsph--aM8NXv3ns3j2P6aKmsjTM>
Subject: Re: [Sidrops] draft-ietf-sidrops-6486bis-04.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Jun 2021 13:54:04 -0000

Tim,

> Thank you for taking this effort!
>
> I have some comments / questions I would like to bring up.
>
>
> - Section 2 Manifest Scope
>
> This section may benefit from a reference to RFC 6481. In particular, it may not be clear to the reader now that there MUST be only one CRL issued under a CA (certificate). Perhaps replace:
>   
>     o  the most recent CRL issued by this CA, and
>
> With:
>
>     o  the single, most recent, CRL issued by this CA [RFC 6481], and


done.

> - Section 3 Manifest Signing
>
> Job talked a bit about this as well. From my point of view, I believe that all CA implementations use single-use EE certificates for manifests. I don't see a use-case for multi-use in this context.
>
> This is not a showstopper to me, but I think that we have an opportunity to say the single use EE certificates MUST be used, and if we have just one option then this will make the document easier to parse and reason about. E.g. section 4.2.1 can be simplified.


I agree this change would make the doc simpler, but I need to hear from 
other CAs to confirm that NOBODY issues multi-use EE certs in manifest 
before making this change.

> - Section 5 Manifest Generation
>
> There is no text here that says that the single use EE certificate for the previous manifest (if single-use applies) should be revoked. Although later it is implied that a manifest can be revoked. Is this intentional?

Recall that 4.2.1 calls for the manifest EE cert (if single use) to have 
a validity period that matches that of the manifest, to avoid the need 
to revoke that cert when a new manifest is issued. So, unless a new 
manifest is issued before the old one expires, it is intentional that 
the cert for the old manifest not be revoked.

> Currently my CA implementation revokes old manifests. It is trying to be thorough.

does it do this in all cases? since you indicate that you are employing 
single-use EE certs here, that behavior runs counter to 4.2.1, unless 
the new manifest is issued before the old one expires. Also, do you 
remove the revoked EE cert from the CRL as soon as it expires, which 
should usually be before the next manifest is issued.

> ...
>
> One could therefore argue that rather than revoking previous manifest, the 'thisUpdate' or possibly 'manifestNumber' should be leading in selecting an eligible manifest - should an RP have multiple validly signed and current manifests for the same CA somehow. Not revoking previous manifests would help to avoid the "chicken and egg" issue raised in section 6. It is not clear to me that this would really be less safe.
>
> But look, really, rather than trying to pick an argument over this, I raise this because I would like to see explicit text in the document that says what's expected here :)

as I said, unless a CA issues a new manifest before the next scheduled 
issue time, this ought not be an issue.


> - Section 6
>
> I believe we have had discussions as a WG and concluded that any current RPKI object (such as ROAs) which are NOT on a manifest can be considered out-of-scope and de-facto invalid by RP software. Notable exception to this would be objects which are never intended to be published inside the regular RPKI such as RSC and RTA objects in future.

The notion of manifest scope is defined in Section 2. It says that "... 
all published signed objects that are verifiable using EEcertificates 
[RFC6487] issued by this CA." are in scope. So, based on that text, it 
would seem that the RSC and RTA objects are in scope. Also, the RTA ID 
indicates that these objects may appear on a manifest, so I find the 
proposed, revised text confusing.

>
> If I misunderstood please let me know. But otherwise might I suggest updating the first sentence:
>
> Current:
>   
>     Each RP must determine which signed objects it will use for
>     validating assertions about INRs and their use (e.g., which ROAs to
>     use in the construction of route filters). ...
>
> Suggest:
>
>     Each RP MUST use the current manifest of a CA and add each listed
>     file to the set of signed objects it will use for validating assertions
>     about INRs and their use (e.g., which ROAs to use in the construction
>     of route filters). Any files not listed on the manifest MUST NOT be
>     used for validation, unless the profile of its RPKI object type
>     explicitly states otherwise. ...
Steve

v2.23.0 | Report a Bug | By Email