[Sidrops] Re: Notification for draft-spaghetti-sidrops-rpki-ta-tiebreaker

Martin Hoffmann <martin@nlnetlabs.nl> Tue, 25 June 2024 10:06 UTC

Return-Path: <martin@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51DDDC169402 for <sidrops@ietfa.amsl.com>; Tue, 25 Jun 2024 03:06:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FqLMASHNzXNJ for <sidrops@ietfa.amsl.com>; Tue, 25 Jun 2024 03:06:28 -0700 (PDT)
Received: from mout-b-210.mailbox.org (mout-b-210.mailbox.org [195.10.208.40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BDFAC16941E for <sidrops@ietf.org>; Tue, 25 Jun 2024 03:06:27 -0700 (PDT)
Received: from smtp202.mailbox.org (smtp202.mailbox.org [10.196.197.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-210.mailbox.org (Postfix) with ESMTPS id 4W7gTW1smWzDtsr; Tue, 25 Jun 2024 12:06:23 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nlnetlabs.nl; s=MBO0001; t=1719309983; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ikTp8d4Gjik3BVjND/cHdgSDOMmC2+BRKSzpPA5qNr4=; b=c+aghVd3eLh+M79YGm+bCHuUnD4joxfWVZy8ScrS6Bw2NPNXwGsHbabdqZ4a/d99HZXwiw IQftaPSvkGEPIzR1DWIo8VH5/r+SE+e9uklkLo3+sy32sOefmml8PXzE2eFyyQplbTvv1f oDlF54KcEaFCmhPyE6zN+gha+SduH3X+cqnO17HYbO/Nmm1F71kZmcfX1FxSUnSJgSiZJf zfQojRzeaqWq1OL00o4JQV/ewR+NEl/1935/Crku/g3bVJNlJnqR+9il4i42qXi4tieog3 f1EAULO5B7m2rQyLVnB3r2ROKJc0a9c30ox8Uk7tc8Db4mryYJlo31dU1ULIKA==
Date: Tue, 25 Jun 2024 12:06:20 +0200
From: Martin Hoffmann <martin@nlnetlabs.nl>
To: Job Snijders <job=40fastly.com@dmarc.ietf.org>
Message-ID: <20240625120620.60ac7d31@glaurung.nlnetlabs.nl>
In-Reply-To: <Znln3-EDsb48hNWa@snel>
References: <ZnNtl9d7cnkMtK-1@snel> <86AF7299-8541-4652-A699-33AED2F73A60@ripe.net> <ZnP6RJ_Ek5ThsSnQ@snel> <4032C398-9611-4540-B375-DDB8D1E33726@ripe.net> <Znln3-EDsb48hNWa@snel>
Organization: NLnet Labs
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: ESF2UN5XUA6Z3KSORGIOUDR4EDGFMLQZ
X-Message-ID-Hash: ESF2UN5XUA6Z3KSORGIOUDR4EDGFMLQZ
X-MailFrom: martin@nlnetlabs.nl
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-sidrops.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Tim Bruijnzeels <tbruijnzeels@ripe.net>, sidrops@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Sidrops] Re: Notification for draft-spaghetti-sidrops-rpki-ta-tiebreaker
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/Zz-EPd-SPXFQhBEILYItUipXDF8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Owner: <mailto:sidrops-owner@ietf.org>
List-Post: <mailto:sidrops@ietf.org>
List-Subscribe: <mailto:sidrops-join@ietf.org>
List-Unsubscribe: <mailto:sidrops-leave@ietf.org>

Job Snijders wrote:
> 
> Tim and I had a meeting and talked this draft over, Tim suggested to
> remove the notion of 'local policy' (as this introduces ambiguity).
> Instead: if the validity period is considered equal, and the signature
> is good, use the newly-retrieved cert (if it differs from the locally
> cached copy).

Given that the aim here is to avoid replaying (either maliciously or
accidentally) an older certificate and that we can trust that TA
operators take a fair amount of care, I think only looking at notBefore
time and using the new certificate if it is greater or equal should be
good enough. As a safeguard, you could add a line instructing TA
operators to never issue TA certificates with identical notBefore.

One thing to possibly consider to make it more unlikely that a new
certificate is withheld (again either maliciously or accidentally) is
to require trying different URIs listed on the TAL if the fetched
certificate is rejected for any of the reasons in the list and only use
the stored certificate if all of them are rejected.

Routinator currently doesn’t do that -- it uses a stored certificate
for that particular URI if fetching a new one fails -- but that’s
mostly because we don’t want to fall back from the safer HTTPS
transport to rsync where replaying an old certificate is easier. But
with the proposed protection mechanism, this won’t be necessary any
more.

  -- Martin
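Added illustration, not part of the message above and not Routinator's code or text from draft-spaghetti-sidrops-rpki-ta-tiebreaker: a Python sketch of the selection rule as described here (accept a fetched TA certificate only if its key matches the TAL, its self-signature verifies and its notBefore is greater than or equal to the cached copy's; try every URI in the TAL before falling back to the stored certificate). X.509 parsing and RSA verification are replaced by a toy SHA-256 self-signature so it runs offline; the TAL URIs, key bytes, serials and the HTTPS-before-rsync ordering are all constructed assumptions.

```python
"""TA certificate tiebreaker sketch (added example; toy crypto, constructed data)."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
from typing import Callable, Optional


@dataclass(frozen=True)
class TACert:
    spki: bytes              # subjectPublicKeyInfo; must equal the key in the TAL
    not_before: datetime
    not_after: datetime
    serial: int
    signature: bytes         # toy stand-in for the TA's self-signature

    def tbs(self) -> bytes:
        """To-be-signed fields, serialised deterministically."""
        return b"|".join([self.spki, self.not_before.isoformat().encode(),
                          self.not_after.isoformat().encode(), str(self.serial).encode()])


def toy_issue(spki: bytes, not_before: datetime, not_after: datetime, serial: int) -> TACert:
    """'Issue' a self-signed TA cert under the toy scheme (assumption, not real X.509)."""
    unsigned = TACert(spki, not_before, not_after, serial, b"")
    return replace(unsigned, signature=hashlib.sha256(b"sig:" + spki + unsigned.tbs()).digest())


def toy_verify(cert: TACert) -> bool:
    """Check the toy self-signature; stands in for verifying with the TAL's key."""
    expected = hashlib.sha256(b"sig:" + cert.spki + cert.tbs()).digest()
    return hmac.compare_digest(expected, cert.signature)


@dataclass(frozen=True)
class TAL:
    spki: bytes
    uris: tuple              # URIs in the order listed in the TAL


def reject_reason(cand: TACert, tal: TAL, cached: Optional[TACert]) -> Optional[str]:
    """None if `cand` may replace `cached`; otherwise why it is refused.
    A notBefore earlier than the cached copy's is treated as a replay."""
    if cand.spki != tal.spki:
        return "subject public key does not match the TAL"
    if not toy_verify(cand):
        return "self-signature does not verify"
    if cached is not None and cand.not_before < cached.not_before:
        return "notBefore earlier than the cached certificate (replay?)"
    return None


def select_ta_cert(tal: TAL, cached: Optional[TACert],
                   fetch: Callable[[str], Optional[TACert]]):
    """Try every TAL URI before falling back to the stored copy.
    HTTPS URIs go first (design choice), TAL order kept within each group.
    Returns (chosen cert, source URI or "cached", per-URI log)."""
    ordered = sorted(tal.uris, key=lambda u: 0 if u.startswith("https://") else 1)
    log = []
    for uri in ordered:
        cand = fetch(uri)
        if cand is None:
            log.append((uri, "fetch failed"))
            continue
        reason = reject_reason(cand, tal, cached)
        if reason is None:
            log.append((uri, "accepted"))
            return cand, uri, log
        log.append((uri, reason))
    return cached, "cached", log


# Constructed fixtures: one TA key, three successive self-signed certs.
KEY = b"TA-KEY-0001"
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
OLD = toy_issue(KEY, T0, T0 + timedelta(days=730), serial=1)
CUR = toy_issue(KEY, T0 + timedelta(days=30), T0 + timedelta(days=760), serial=2)
NEW = toy_issue(KEY, T0 + timedelta(days=60), T0 + timedelta(days=790), serial=3)
TAL_EXAMPLE = TAL(KEY, ("rsync://ta.example.net/ta.cer", "https://ta.example.net/ta.cer"))


def scenario_replay_on_https():
    """HTTPS mirror replays OLD, rsync has NEW: the replay is skipped and NEW wins."""
    served = {"https://ta.example.net/ta.cer": OLD, "rsync://ta.example.net/ta.cer": NEW}
    return select_ta_cert(TAL_EXAMPLE, CUR, served.get)


def scenario_all_replayed():
    """Every URI serves OLD: keep cached CUR instead of rolling back."""
    return select_ta_cert(TAL_EXAMPLE, CUR, {u: OLD for u in TAL_EXAMPLE.uris}.get)


def scenario_tampered():
    """Modified cert with a stale signature fails verification; rsync unreachable."""
    forged = replace(NEW, not_after=NEW.not_after + timedelta(days=3650))
    return select_ta_cert(TAL_EXAMPLE, CUR, {"https://ta.example.net/ta.cer": forged}.get)


def scenario_equal_not_before():
    """Same notBefore as cached but a different cert: accepted (greater or equal)."""
    reissued = toy_issue(KEY, CUR.not_before, CUR.not_after + timedelta(days=30), serial=4)
    return select_ta_cert(TAL_EXAMPLE, CUR, {"https://ta.example.net/ta.cer": reissued}.get)


if __name__ == "__main__":
    for fn in (scenario_replay_on_https, scenario_all_replayed,
               scenario_tampered, scenario_equal_not_before):
        cert, source, log = fn()
        print(f"{fn.__name__}: serial {cert.serial} from {source}")
        for uri, outcome in log:
            print(f"   {uri}: {outcome}")
```

The per-URI log is what an operator would want to see when a mirror is serving something stale: the replayed copy is named and skipped rather than silently triggering the fallback to the cached certificate.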