Re: [Sidrops] what to do when the CRL is hosed?

Tim Bruijnzeels <tim@nlnetlabs.nl> Wed, 26 February 2020 09:25 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EBF83A115E for <sidrops@ietfa.amsl.com>; Wed, 26 Feb 2020 01:25:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id agQPSqWWp-ws for <sidrops@ietfa.amsl.com>; Wed, 26 Feb 2020 01:25:24 -0800 (PST)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [IPv6:2a04:b900::1:0:0:10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F6523A115B for <sidrops@ietf.org>; Wed, 26 Feb 2020 01:25:24 -0800 (PST)
Received: from [IPv6:2001:981:4b52:1:e904:10f0:2e43:6a13] (unknown [IPv6:2001:981:4b52:1:e904:10f0:2e43:6a13]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id 8F4C72B9E0; Wed, 26 Feb 2020 10:25:21 +0100 (CET)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=fail (p=none dis=none) header.from=nlnetlabs.nl
Authentication-Results: dicht.nlnetlabs.nl; spf=fail smtp.mailfrom=tim@nlnetlabs.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1582709121; bh=k71F5j0xllqZD1VwoQDLw3Mozxph69L6aG0qs/W/Nes=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=a/mhNaVIbE2ZyyW0QV3+Q2hNhRJXAJ1jmV1D7xYnpDrbsLEjHcNZRZYF+mG6bcuZU ABwvkrJAI1zUtTcIoNnctzANLapMr/Cu7gUCiFZlwkuU6vRC0C3GqYj8BQP8AbcHSj 9Z1AnB7jmuBK5GBytARfuZK08ZsChfsAcK2oj2vE=
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <9cc3a6a5-f9c8-23df-588e-48dee5db62d4@verizon.net>
Date: Wed, 26 Feb 2020 10:25:21 +0100
Cc: sidrops@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <3B7006DE-5366-47E7-9CD6-AF392F9ED0CC@nlnetlabs.nl>
References: <20200224151532.GD19221@vurt.meerval.net> <20200224211531.GB60925@vurt.meerval.net> <20200225090338.10464b1a@glaurung.nlnetlabs.nl> <9cc3a6a5-f9c8-23df-588e-48dee5db62d4@verizon.net>
To: Stephen Kent <stkent=40verizon.net@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/cCAY8WOcHnWhlWV1n3gQTQDXkKE>
Subject: Re: [Sidrops] what to do when the CRL is hosed?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2020 09:25:28 -0000

Hi,

> On 25 Feb 2020, at 17:55, Stephen Kent <stkent=40verizon.net@dmarc.ietf.org> wrote:
> 
>> Further, the CRL is included in the manifest. So you can’t even replay
>> an old CRL without also replaying the old manifest.
> The discussion (in 6486) of what an RP should do when a current Manifest is not available, or when there are some discrepancies between what  the Manifest says and what has been retrieved allows for a lot of local policy discretion. As a result, an RP might well accept an old CRL and corresponding Manifest even though the Manifest appears to be stale.

To me this is the core of the issue.

I have searched through RFC 5280, and RFC 6487, but I cannot find clear guidance on what to do when there is no valid CRL available at all, or if the only available CRL is stale. RFC 5280 seems to say that one should use the best and latest valid non-stale CRL information to make a list and consider certificates revoked only if they appear on that list. But the language is hard to parse to me. 

We have had discussion about this in past meetings, and my interpretation of the outcome was that stale CRLs should be handled in the spirit of stale Manifest. But there is no written guidance, so it remains pretty vague and as a result I can see any of the following becoming local policy:
- disregard invalid CRL and consider nothing as revoked
- disregard stale CRL and consider nothing as revoked
- disregard invalid CRL and consider everything revoked (because it is now unverifiable whether they are)
- disregard stale CRL and consider everything revoked (because it is now unverifiable whether they are)
- use stale CRL as normal

I have always had issues with the amount of local policy in the manifest RFC (6486). Inevitably this leads to differences between RP implementations and possibly even between installations if software provides configuration options to users.

Again, and again, I find that operators expect that the validation outcome is the same everywhere. This is not the case. I am not talking about local exceptions, routing policy, or temporary differences. They expect the same rules to apply.

And I agree. We would be in a better place if we did have one clearly defined way to deal with all this.

One possible interpretation of the Manifest RFC, one that is used by most RPs, is the following:
- Reject the manifest if it is invalid: its EE cert expired, wrong signature etc.
- Warn if the manifest is valid, but it is stale (here implementations differ, some reject)
- Only consider objects listed on a valid manifest
- Reject any object for which the hash does not match the manifest

I understand that as written today there is no consensus on this. But if we could, finally, agree on a way here then I believe that that would simplify everything greatly - without impacting security.

RFC 6481 (Repository Structure) says that all currently valid objects must be published, and that invalid objects must not be published. So using the manifests as a signed statement of what is current and what must be regarded seems like a very plausible approach to me. The manifest EE is signed by the same key as the CRL - so unless you want enforce security through pedantry - there is no point in checking the CRL for objects that a valid manifest says are current.

There would be a use case for CRLs for anything published outside of the RPKI infrastructure - so I still see a theoretical use case there. I think that it should be applicable to yet to be defined object types, defined by OIDs and all, that are not intended for publication inside the normal RPKI structure. The CRLs would be much smaller, and would not need to be updated whenever a new manifest is published.

With regards to stale vs expired manifests: we discussed this many meetings ago. I like the idea of having things go stale, resulting in warnings that can alert people to fix things, before expiration. This could mean: next update in X hours - after which RPs would see a warning that replay attacks could be a problem, expiration in X days giving CA/repo operators time to fix things, X days being a hard limit on the replay window. But, more importantly, I think we should aim to agree on a common way to deal with this for all RPs.


Tim