IETF Logo Mail Archive

Re: [Sidrops] I-D Action: draft-ietf-sidrops-signed-tal-00.txt

Tom Harrison <tomh@apnic.net> Sun, 18 February 2018 23:01 UTC

Return-Path: <tomh@apnic.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 248F9126FDC for <sidrops@ietfa.amsl.com>; Sun, 18 Feb 2018 15:01:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=apnic.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qmx1tYTi_ssf for <sidrops@ietfa.amsl.com>; Sun, 18 Feb 2018 15:01:49 -0800 (PST)
Received: from APC01-HK2-obe.outbound.protection.outlook.com (mail-hk2apc01on0063.outbound.protection.outlook.com [104.47.124.63]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1060120227 for <sidrops@ietf.org>; Sun, 18 Feb 2018 15:01:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apnic.onmicrosoft.com; s=selector1-apnic-net; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=+rSPOXLKV9tFXwEABcdLwZnV7p/wPWekOsMzCU21XAQ=; b=bNUOr76YyllsnCry+ijIxhH1Ps/Q6So0o9MRA4fAUm40jKyALwS+hOI7eZeEGssCtZNax+/sDSG1t86SdLW09PJCG8ZV3eaUXaGjz5OH2wfc0iD19GWYInY1FN9M3ClLCr3QIO5yrwiih/UVPi3N7FY2wD0RWVSHJGGGwX3uQSI=
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=tomh@apnic.net;
Received: from tomh-laptop (203.119.0.128) by HK2PR04MB0754.apcprd04.prod.outlook.com (2a01:111:e400:5891::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.506.18; Sun, 18 Feb 2018 23:01:46 +0000
Received: from tomh by tomh-laptop with local (Exim 4.89) (envelope-from <tomh@apnic.net>) id 1enXxd-0005Uc-Kd; Mon, 19 Feb 2018 09:01:33 +1000
Date: Mon, 19 Feb 2018 09:01:33 +1000
From: Tom Harrison <tomh@apnic.net>
To: Tim Bruijnzeels <tim@ripe.net>
Cc: sidrops@ietf.org
Message-ID: <20180218230133.GG5488@tomh-laptop>
Mail-Followup-To: Tim Bruijnzeels <tim@ripe.net>, sidrops@ietf.org
References: <151064401825.5985.7789265592065530099@ietfa.amsl.com> <20171116103441.GB7247@tomh-laptop> <DBF4388A-820E-43CC-BE15-D1570C070FB9@ripe.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <DBF4388A-820E-43CC-BE15-D1570C070FB9@ripe.net>
User-Agent: Mutt/1.9.2 (2017-12-15)
X-Originating-IP: [203.119.0.128]
X-ClientProxiedBy: ME2PR01CA0005.ausprd01.prod.outlook.com (2603:10c6:201:15::17) To HK2PR04MB0754.apcprd04.prod.outlook.com (2a01:111:e400:5891::20)
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: b25322d2-8636-4168-2a8a-08d5772395b6
X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(5600026)(4604075)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603307)(7153060)(7193020); SRVR:HK2PR04MB0754;
X-Microsoft-Exchange-Diagnostics: 1; HK2PR04MB0754; 3:qC/0pH+NR/fQmLYbIJPbGiBTouyojOhuE2D8Yto8Y8ShRAUWCkKRT/XIIs8uqVgkhNKappHo9JdSWVOMhyXSe2B2UZoIMWirfHvb1Hn33JxrFu2tNOGodOVLi7tLwWkZ72Ym395xzu0GCfOvDqfHZtu//ICww4jSEDcf3YjkBoQdjmyDRRo6FNJkzZT+JC50OWEox+K8hwKPT5hl53FE2aLAo64c1fUXEW6T8N5zc4fcK60jELVraWAfNcywCCfT; 25:28T4T56vfdh2J7UQBUpMwZSdwPKd/NVeKbKpGsjgjAWK01FLD1JWX81KxyFmMUIk6vVKW0xkDp/Rnz2HLuFQhOQ0lEyo7A4l6teWMw+0E99gMsFdj+jsG/q5DYSRv1XbSKQUTGt59WYCc4DQ1NxznyurdLsyDaHSEqDTL0W1v2B+nFrbZ+0Ers5AcXkHHbjRsrsepNfnIQyhnciPxEhKiDEIpzm9os8G4ltxWrF63rXyvvvlNTiR5lYoTTrS92wlH4FqB4jsoq3tBHZ6/l9IUPq+Vio5Y2VZR+ilROoU85PY4uDucWaOVpfLQUcteRe2tRhJTtNgkfA2Q198OoikdQ6mNItjXJ0De9N3vYDnSfk=; 31:Yl31yPMH6ysndj/r5v0XgNaV9ePsRcFMROlYRNId+7i84Y2JEelGJkmCxNqJfoAH5FuO8e7RDppTZiReiQKGjdagHaV5y7fdSCec+HjnT/HXRS6V341CTLDl35qn7aNaO1GzOiPYwTf+jNs1sm6wmehEoA/ThyRMAeKuyeBrEkbo5ln4vgr6jLfY2RQLpv5hWmY6nb6o8cIlFApDszmK0dFJCT4B9Z1c6OEhCrz3JpQ=
X-MS-TrafficTypeDiagnostic: HK2PR04MB0754:
X-Microsoft-Antispam-PRVS: <HK2PR04MB0754D00B687C23B013CA861DC0C90@HK2PR04MB0754.apcprd04.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(6040501)(2401047)(5005006)(8121501046)(3002001)(10201501046)(93006095)(93001095)(3231101)(944501161)(6041288)(20161123558120)(20161123562045)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(6072148)(201708071742011); SRVR:HK2PR04MB0754; BCL:0; PCL:0; RULEID:; SRVR:HK2PR04MB0754;
X-Microsoft-Exchange-Diagnostics: 1; HK2PR04MB0754; 4:khxr3Xd/ZMU+d8k8khkWBTg4FGJrM8Ru53Fg74csX5TAYcVTwrYQoRAWYrsHW8yDVcuzD6bDtsv0WqU8lNGDgAx95ILoNIo0cEFQfZDONKwqnuD/hSZ5QDfFhtYDkKhWV3YMqouIBFsZrR3jK7tx3b02ArHcDnE8K+TH5x1w9WMAS9Dx3sPBkhtsVXB9uNXUAXR5th0QcxVgDx/F6lc0DNvrQHG2Ly4fhrP/1q9C9D8te0yvMn5i2gg+VAm4Ldyvjj9x2MjgXcc6vVRWE2nRPw==
X-Forefront-PRVS: 058707456E
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10009020)(7916004)(39830400003)(39380400002)(396003)(366004)(346002)(376002)(189003)(199004)(51444003)(9786002)(33716001)(86362001)(83506002)(8676002)(81156014)(81166006)(8936002)(50466002)(97736004)(2906002)(2870700001)(1076002)(3846002)(122856001)(83796002)(6116002)(4326008)(23676004)(33656002)(105586002)(106356001)(57986006)(58126008)(52146003)(52116002)(2486003)(316002)(386003)(59450400001)(229853002)(76176011)(33896004)(9746002)(68736007)(26005)(2950100002)(6916009)(53936002)(186003)(9686003)(6306002)(7736002)(305945005)(6246003)(5660300001)(66066001)(46656002)(47776003)(478600001)(18370500001)(107986001); DIR:OUT; SFP:1101; SCL:1; SRVR:HK2PR04MB0754; H:tomh-laptop; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
Received-SPF: None (protection.outlook.com: apnic.net does not designate permitted sender hosts)
X-Microsoft-Exchange-Diagnostics: 1;HK2PR04MB0754;23:wD/7683kaTvwh8shsgDLr7gDDq7lWnYAwAMDuBnnMS9DNT5m5KcTwCWTtU81P+bO+6VpcJ6CZeIGGtunA0+XTnS0iAsnYurcjVAXfwtg3tV8uAhXzqy+rpXIiaNbm3lrfjILWaOOFic+d+0dWwGP8dbiFohRubb79l94w+MOvx+RkV8qSoOaYTTzscOUvmKjpoXrFhjZidFBf6t1FkKlVNnFmdOzYQ40KmqssPbCaDClQdvPsXpwpNumvnG1JGLRZXfw3uHrxMpM/pn1jEIk2GeGtF2E+N+jWhFq2xhfgZqroyQh0n+Xj515xd9vDd2wYOKFpP0MyFgM6k41uHL4RaaqDZ/ONjK+MQcTQAf94mqEd9HDVC1WGyRjbVXc8McV/y8nmIfGrce6VCTERknqcADHlELtGft1sdCQSp8bJg4ekycUhelrOMR8G9FEfSzb34JKlTANR3PeH0tGVou02eCj8GL1x1O9RkS/2433s3jtuqtSdcx3UbXAIiCj/VvOpFVTSabMY5TIcCqEtxki/Y3slK8dWO6gf1Kj9vFZxWD4QSn/vH3wvtYI0B+tUVOPQ4hefYhaOJiz0Y4B0Pl3HNwEOATeXq6jQ66y59YczeV5hs/h4xaKsl9Yfvt8vgNp4bUSx2kzbyV2PHNyWsOlY2g15CjdtgtAVCaEJ6Dr+ep9JTdRNO6T06+S9FEvHoatNL5h28b/6L1FfsKZ/fs+JZ7nrryLSfNpiZkt+BX46xx+iEfGID+B6QWr7zOkQHA3qTSoHXAqBGf37uKTPdJzpVwWKLFRjgwrvC7dI7TyTsBH4nExPF9FDiWEWDLCYnLSOeOICUll/iUqbmr9PDLMrTJOLZR6OrYl2j8TRR+0ViVpZ10d42mTpMmMz01ukgzSRumM6ZVyVSW1FCmkk5CGRq9r2SkMC/HD036ICE3jxIKtVOyWmgzKFhGzmJcke5EuHamhP19MXhLa6BiEE3VpR0n5BVSVVoC4Gvj8gvI/DQKxEALevHgunqA5MxN7jTrv4yvqvdXj1/pF/ITocP0DUQpG+illXQZbzgcqtThq613/GLhigr4BHn3qg5dtFw5O2AqZBL3iMki3UflneXPGKf1uVElydtjp6O4rHRWPS3gc4+jiqZ+nVsKxd1Hy27QwkDfv4QKv8X4jekSnjUZdy/eFuHC6wxVlcYnUlP7pe9pW4yZZutfzUUPGoh4gAFz5AD97ROu+TJoHo8TpOzBVvr9CMHxNTzRirlmb2eSgvFmdeORhhsHAQD1HOaq24VMsH3vCbD9ItDmfzmZqR0mQKDkdoLj+rprG9/hYla1cyEBfW44yKpKdRcWBcWvHvBcyfjIAj2yq4I0ARJjp3uzr54mjIiQ6ej5AbyB+a3sOvUz/RsVAxZzRF1eXriyyoeLB
X-Microsoft-Exchange-Diagnostics: 1; HK2PR04MB0754; 6:UncSODXUeC3XxMQtbSjlhseSYTVw/XzBZkWiz+rHpAcHdwaAR6AgJiAfBux0mm8zxBHZImWkIxsCEQHkahUiZKYYBNQs/lmvdg3fzE2KfKQCTNRbmpvkrT6ln0oyI8R4MjRw05KddhVeOzrnOSbN0VkC18KN7ECvXJK9QPMrEtvQYYTlPB93OjhaZDuDNSn9FVokItunjxWIaXtYj4iOz6hFDkVanIn3r+MK91uUtbmz3g7sNWnKZS/H8LRtBq3TCWCMsf9mjrXOCDyrRs2wZZKna6R3ltCgCBocjp9BdF/kYBmdg9FzSKoFBfvJDPAuWHtGRLJcFKk8AtSYSdyz3BfrvaVYhwYOKi/4+s3XYE0=; 5:c8adO6yKWNghyxGiy7bUVxZvhtT2yk2SLwRxPB2yDh7Kx9PKuflzs/MuqfVSyMUM6BdbsZgPzGmOfqS0Jfw73H0iglkGNblywuN2jrzpTTr3EKoYPU6rfEpkJhuAR3xHp23tt1dN//Nx4DMGiUg72FWEW/0zTdaNI+k98Ls1fNM=; 24:nFnuhR1x8wHZUVdApWmmYxusYoNGKq60LofjlvzXQtLqWOgikNnFQXc1Pm0w7LF1qRngeTlhyMalMRNgpUz5mHuN6+ZILt7wiNfmVjO6tWk=; 7:pPAFTw0F2ri0a7yNcu7+Zbq+TSzk0wTQFg8XPFMhjCu03kqmsZP4AFFhG3iXH7CUJBz41mNA2hAhVCGbbyhtjlkNgpKjA117go7kH+4CwvoPkuhC8zO1U3aLpMKU2rUDYnf4w535T2b6VrOWanDExrfFmHnRERnyrlTJhIdVVJbBoRegzQt7liAbEcszjhQd/9r0kaWGthrDgvrpn0ZlHGyQcl3XpfPa51vAGE8O2QfUVJfgVtg1OGzTgOP6JD+a
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-OriginatorOrg: apnic.net
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 18 Feb 2018 23:01:46.0378 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: b25322d2-8636-4168-2a8a-08d5772395b6
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 127d8d0d-7ccf-473d-ab09-6e44ad752ded
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HK2PR04MB0754
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/_DibeOA2TbKThPmtVaUTuiwsobs>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-signed-tal-00.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Feb 2018 23:01:53 -0000

Hi Tim,

On Wed, Dec 06, 2017 at 02:59:51PM +0100, Tim Bruijnzeels wrote:
> I think that there may be merit in an explicit json, or XML (to be
> consistent with 6492 and 8181) format, e.g.:
> 
> <tal>
>    <uris>
>      <uri>https://rpki.example.org/rpki/hedgehog/root.cer</uri>
>      <uri>rsync://rpki.example.org/rpki/hedgehog/root.cer</uri>
>    </uris>
>    <subjectPublicKeyInfo>
>       ...
>    </subjectPublicKeyInfo>
> </tal>
> 
> A structure like this will make it easier to add tags or attributes
> to communicate other things.

This approach looks good.  Would this structure be specific to the
signed TAL, with the 'standard' TAL remaining as-is?

> If we need an explicit staging time, rather than require this
> implicitly by publishing it, then I think we are better off with a
> valid object and an XML structure like above with an additional tag
> like:
> 
> <notBefore>2019-01-01T00:00:00.000Z</notBefore>

Agreed, this approach makes more sense. 

>> Section 6.3 has "[t]he TA SHOULD preserve a Signed TAL for the old key
>> after the staging period as a hint for RPs that missed the key roll".
>> Although (I think) the only sensible way to read this is that the
>> signed TAL to which this is referring is that pointing to the new TA,
>> "for the old key" might make people think the signed TAL should be for
>> the deprecated key instead.  Something like "[t]he TA SHOULD preserve
>> the Signed TAL pointing to the new TA after the staging period..."
>> could work.
> 
> So, here there is a lot of implicit stuff again.
> 
> We could also think of this differently.. maybe extending the
> structure to something like this could help:
> 
> <ta>
>   <oldKeys>
>      <subjectPublicKeyInfo>MIIBIjANBgk…</subjectPublicKeyInfo>
>      <subjectPublicKeyInfo>MIIBIjdfkhjfd…</subjectPublicKeyInfo>
>   </oldKeys>
    ...
> </ta>
> 
> This way we can communicate explicitly which previous keys have been
> expired. And what the current key is at the time of publishing this.
> 
> If this is published by old keys in the form of long-lived objects
> and CRLs, then RPs could still find their way to the current key. An
> argument can also be made that RPs should not care about staleness
> of MFT/CRL or expired MFT/TAL EE certificates in this case.

What's the motivation for explicitly listing the previous keys in the
signed TAL?  If each deprecated TA publishes a long-lived signed TAL
that points to the TA that superseded it, then anybody who is using a
deprecated TA will be able to find the current TA, and I can't think
of other instances where knowing the previous keys would be useful.

>> I think 24 hours for the staging period is too short, mainly because
>> people who don't update their validators to support this may not take
>> action on the new validation error (something like "unknown type of
>> object: {name}.tal") within that short a time period.
> 
> Okay, it’s not clear to me that this is related to the staging period.
> 
> But, before any of this could be deployed we do need to be sure that
> RP software can be upgraded to support it, or at least not choke on
> it. If people do not upgrade their RP software they can still find
> out that a new TAL should be used through other means (e.g. mailing
> lists). And let me be devil’s advocate here.. if people never, ever
> upgrade their RP software, then breaking it and forcing them to
> upgrade could be considered a feature by some. Of course, after a
> reasonable time..
>
>> There are also other instances like this where manual action might
>> be required, e.g.  where operations staff insist that the validator
>> not have write access to its configuration and that all updates
>> happen manually.  A week or a month as a mandatory period would be
>> better.
> 
> I believe that we should insist that key rolls like this are fully
> automated and not done manually. I also believe that it would be
> prudent that if && when we agree on a mechanism for this, it is done
> regularly - at least in some environments to ensure that this works.
> In short: I think a planned key roll, signed by a trusted TA, should
> be a normal thing. If we leave this as paperware then there will be
> no guarantee that it works when we need it.

OK, sounds good.

> And as a final thought.. it would be good if the planned and
> unplanned key roll processes are similar.

One option here is for planned rollover to be handled by having the
'staging' key details include an additional 'transition date' field,
indicating that the TA operator expects to be using the staging key as
its TA key by that date.  That would allow the 'staging period' from
6.2 to remain as-is, while also providing for more advance notice to
be given by way of the 'transition date' field.

-Tom

v2.23.0 | Report a Bug | By Email