IETF Logo Mail Archive

Re: [Sidrops] [Technical Errata Reported] RFC9286 (7243)

Geoff Huston <gih@apnic.net> Wed, 09 November 2022 18:06 UTC

Return-Path: <gih@apnic.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BC1BC14F6EC for <sidrops@ietfa.amsl.com>; Wed, 9 Nov 2022 10:06:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=apnic.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8YYikCSUJhVX for <sidrops@ietfa.amsl.com>; Wed, 9 Nov 2022 10:06:15 -0800 (PST)
Received: from AUS01-ME3-obe.outbound.protection.outlook.com (mail-me3aus01on2069.outbound.protection.outlook.com [40.107.108.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C624C14CE40 for <sidrops@ietf.org>; Wed, 9 Nov 2022 10:06:14 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=NuDgQpgEZNoMiSfsb1b2ErRzDfucm3VTpCMYmhO1nqZ+m43x3hPtJmMeUOb/+hV8FJbhEAPhrnLWQMk9jX+D/HDbgXqFeHKSuII8lo48kFxN6EoFOiDjQysG9tMVNkZLVa/PNGzllucdoiky8O9Yr1g8M3QWZx1X4MVrtAGRv4g4q71mHJqPaVbCo1U0zF7DVbYSTU6a4jT/qT6zvNrsBAgh+RyKI9RZwvuxhCC6vLvoL6gz/6p3AO3/cYgW8vXQ9EPaIwdhx+5OLfJ9jEYMtfBBCvWoizzm92I8tQDm/WNncr0IJmKghCpv8wgflhNCnABEkXAofSP1KFSRAlyj7w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=VkwY6N9rsQu2Ibd2IpE/L6VP32sd5xRoP5irEeXWlTo=; b=GUhymLQd8nBOhPhIAe4RZZPQl/3WSHKbhZzrJKUE1jlEH4OzXv7QLEN1xUv6TnVRsHYss3REy+M1rGQ+/IsmUBxK4PjLgcJYKWDVH9G3nIlSbgM+uWinHmJROs+9qTXJHHDfPqEaEuUeRAaJhunSV4ib9FAYVqvWNfkCKK95gu9c3VW0LD48k2XeH+dtySIZYrKWoStBtRAUeozPKfF301Vu2NGuWTdjt3dNGElLsylRtkVpdJTNQ8P0MlMn3cl7UdrPZHthFCRQeDfQdMMKKipuusYyqcUiija5ney51w9m+LQy1ou/5nm4r29LMMhne4Yvpi1h4lSm274KkdF1yw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=apnic.net; dmarc=pass action=none header.from=apnic.net; dkim=pass header.d=apnic.net; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apnic.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VkwY6N9rsQu2Ibd2IpE/L6VP32sd5xRoP5irEeXWlTo=; b=dgEZb1AljhMReGVcftYfIosgAxYvkmLk1J99dDprhrg3V6aWw15gEGgySgihUq9e9H+Ikkti0Fx6OQR7h3dpNvOnS97Qt0dn35Agqm3E8k6ctwJt3djjNWWaTG+DctxBHEYevORYKSHNGd57kR/GtLQ671cAsygtVlP707MFwWw=
Received: from SY6P282MB3176.AUSP282.PROD.OUTLOOK.COM (2603:10c6:10:163::14) by SYCP282MB0494.AUSP282.PROD.OUTLOOK.COM (2603:10c6:10:88::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5791.27; Wed, 9 Nov 2022 18:06:09 +0000
Received: from SY6P282MB3176.AUSP282.PROD.OUTLOOK.COM ([fe80::1c26:300a:c3af:b749]) by SY6P282MB3176.AUSP282.PROD.OUTLOOK.COM ([fe80::1c26:300a:c3af:b749%3]) with mapi id 15.20.5813.012; Wed, 9 Nov 2022 18:06:09 +0000
From: Geoff Huston <gih@apnic.net>
To: RFC Errata System <rfc-editor@rfc-editor.org>
CC: "sra@hactrn.net" <sra@hactrn.net>, "kent@alum.mit.edu" <kent@alum.mit.edu>, "mlepinski@ncf.edu" <mlepinski@ncf.edu>, Warren Kumari <warren@kumari.net>, "Rob Wilton (rwilton)" <rwilton@cisco.com>, Keyur Patel <keyur@arrcus.com>, "morrowc@ops-netman.net" <morrowc@ops-netman.net>, Ties de Kock <tdekock@ripe.net>, "sidrops@ietf.org" <sidrops@ietf.org>
Thread-Topic: [Sidrops] [Technical Errata Reported] RFC9286 (7243)
Thread-Index: AQHY82XWGApZBf2kokC9oXVJW35Q8a425RKA
Date: Wed, 09 Nov 2022 18:06:09 +0000
Message-ID: <30A2528B-F435-49F4-9A7C-A7B15E07D558@apnic.net>
References: <20221107163523.04502C8AF4@rfcpa.amsl.com> <Y2o+HsUxcJnMX1gh@snel>
In-Reply-To: <Y2o+HsUxcJnMX1gh@snel>
Accept-Language: en-AU, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3696.120.41.1.1)
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=apnic.net;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SY6P282MB3176:EE_|SYCP282MB0494:EE_
x-ms-office365-filtering-correlation-id: c9c50775-dfdb-401c-cd33-08dac27d141f
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 0mpCNZJZ/4JOpJn+0wLKmATKDPZpFTQHZu0NLWLAGl4KIBvnMc2OSFTxOeJ16CrKwG2snM0DWu4/xSrP+ywGBrkeOQeQfU8AGVTVZFvZUk2Iag6SR3oHz02WzEL6mVzwr7eEvxTdlMoEsLONTpgSt7jccGM/DINfMGIp7Uj6KnXdQTMrDRGGLetWiRnLqfUIXNdwq6dOEBPyH1uC2Uj61gS4I0vb0twFD4GCLsp0kGTRsbplJTEzrpAE0RdhHIsggVBYrXZjbO+KRlBMn8AS61f7C8ZhPFluNoAuQ0QVEfdlSMVJ3FINsUlUW1qmApK51YkzU0zgRI4FbRoTozMNu6XaRBz8F06pI8427y3Sn96NYOLNjIRCbtva7+A2PJ4kiorDYv2cQTdGvpdWSp+vBX+moQKY3seAfsPc+XuhpbGPh5+i1IE0PPMaG7zVoJ4xF6R7Tr0WY/ki/nkSykvcV1vRv/ByJKG0/Rdfg3MJJJKuxEV5cRWFUC36l7Di+WUWmIf+xPuPKmbZ6LzEbb517o2T6ypE/q5SQW0zAyfgzNRrxts/pOPbopY9LxQ2LNp0T5IdsTQaQAbr86TsB2gN0W3UBG0IIkoZ+x3fcaD0heUyOu64ySmcCqszSf+BKnhgyW2/7B0eniazt0ezm63WDNnLfNGSZhZhhU2qN5+xAFrvQ4jJKIkHhgA1v8cboCtleeypz33HCFwInRj3RH9LaT50b6SlOJ6UqLB/jtTxIHHvCeHu7VuImLKUN53ThnVAZGG5yezeWHMI/vWCviniaZvLJJoPXtfans/ihDS9fTl5doS514ufgY0SbGPmmH2aoosOhzlrgyu29h6zXZjQ580xmWzRY0FFjDj6gjDOuAs=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SY6P282MB3176.AUSP282.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230022)(4636009)(39850400004)(136003)(346002)(366004)(396003)(376002)(451199015)(36756003)(186003)(41300700001)(5660300002)(122000001)(2616005)(83380400001)(6916009)(8676002)(86362001)(8936002)(4326008)(33656002)(7416002)(2906002)(966005)(478600001)(6486002)(6506007)(54906003)(71200400001)(66446008)(38100700002)(53546011)(316002)(38070700005)(64756008)(6512007)(66946007)(76116006)(66476007)(66556008)(91956017)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: izyd6FdYHooihFfTqCdiO2hefX2ah739vhWOsFKGJaO0kQRR2671J2lq0Q4khwGi+ReEsiRNwOkrBQBd8gMnFZDo0R7g/oOnKGimFuhapI26TFl09bkIM/Jz3nYkfgMaApLbjgsAbhc+8tL75db+PBA6usWLobL5s+qOsTsCPrcstm9pgU03nRCNQABhXOLit13ePWngd+/FkE3rf2roaXN7C4a4nBFTFVV2IuPRT6nwh5YTxyyySLts778cPFEXXwFlP0R0/wCZqcfKEMJefrvdU7wlMjhwS0px9huVIzzI0LYjekfT6AHaV8Z04YKVanzQHhFVt0LoawVng+aPgJ/xEemDzt6cq97ZRZP4TW/JzVosJz1/v6hdED9uNKfxt8o557dGI7Xy/w7gkzUJOqWCoXq1RmHWV6OS/z4cQNqwKiWOHiA7ohU2LJQGSlClpQsLezCNwzyjMrK9JUuYHddgcJmhlIOYNI9otQAntnaZybRZGcRujqEEzC0Uu7bG6Ew+ukrxzg02AwVp+zeNPsLtLIxP4buS2jR3l6VEZjWBYzAhIl9GgbS836J35BjoAIw5FyHpxDe5E7rEWIDUclAcJ9gt0iUw0SMGzMUOOYMGqTmohmyUxhRLShtx2H7uTjYpo+TP3Ncnz1onvH+qA3rHNin7jkUbplEp7eKMStjNlhb1Q74ExjBVNZFIm8zyjleg3e7DQmbU44otdYIh0bZIfKxwtlgqrhsGnwurdR37ZXrrlyKWssItajwO5tPoTYt4ZjHo7y+1bVvgGgm0Fj/dYlGhsYX/lSJIQfwoPhUOzDkxkAhoU5k/3o3B9mQroskJHtYX0ANLqFSKhie43+TY+zK/Ve0cr13jQvfM4Szz+tc54ld3Tczk5DHdsyKQkz6D+oJtD3ZgmiVw/cUAu7vmE/4YWVksTL/OhHj7OufurI9FVPNItJcnex4JfQudH54GvqYrnCV8oF7MVg3R6tXBNPZLumXIDorZS7fEdOjvAWM47dbLDNs/EdDlLFY4/cqdAzLIUXyh7gUGJo2cIp8sVd6n51antOLIstCPGAt1Lgb59gm6tf1G0KKypm/bCfJJxC8iLv/3V8KM/3M+nGz624q1aOIu879aB6TWIYBGEJTuwd7fHTUkrusiPVU4GmKDGNT0LZVp4hu4+7YqoKFU4cSNI17sgafl06K4IHsI0mEHSLaC3HC6noYeL4MkyH9Gyf5dVV4ZRBIJRQilK1nnniAAfG6rQKv1MIloul9f0SGeLw4pIYLtlsKcBu6mVc1niZd8Hwz4rITReCICdRQNgL6Il25zpt5279ayEyjy1cHS9LBho+j4VlrTJ2+GmzJMO1HSW9aw/TjWgVt+cpAdwaH+Tpm+F577HDIIYMRVrp9jY/ryzFloOAMqZ5IhM4Nua08yaL5Enm0jVBmyP9LvoiNgVgD6LZRpN0JZ7hLjd+PcgnxZoK+kFIitvIOSRQw3yiXX1TAKOaE5HH8WwD0rhWokNEBMplzGl2b5HeCa8kYq+bxaenPf96aorHWkdQMPcPZ0Z0pSYp9Jzrg+3xVLyV1VyuOXBvUyPIQKTTlTDBCMwS76tvbVQbWZ3bBPTt0AA6eghyd4IGq3cQ46iNeUxF5ONro1sOUdNDcANT95ssX19s/c0JPL/HzkS6zW
Content-Type: text/plain; charset="utf-8"
Content-ID: <F7F12AAF6850C048AED16CE30A037433@AUSP282.PROD.OUTLOOK.COM>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: apnic.net
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SY6P282MB3176.AUSP282.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: c9c50775-dfdb-401c-cd33-08dac27d141f
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Nov 2022 18:06:09.0519 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 127d8d0d-7ccf-473d-ab09-6e44ad752ded
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 710mZ440tIo15cNmG7l1gAOjxiF2ZITEgEWDV/+5fC2ce4BeblrBmHlyqk3c7LGM
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SYCP282MB0494
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/dQa_5kEks2Q6dSWJYxQIi4KVSbM>
X-Mailman-Approved-At: Wed, 09 Nov 2022 11:32:42 -0800
Subject: Re: [Sidrops] [Technical Errata Reported] RFC9286 (7243)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Nov 2022 18:06:19 -0000

Rejected from me.


>> First of all: The previous text was not explicit that thisUpdate MUST contain the current time.


? "thisUpdate: This field contains the time when the manifest was created."


I believe that this text an explicit statement to that effect, and does not contain an error.


>> 
>> Second, in practice (e.g. multiple calls to a synchronous API) multiple manifests can be issued with the same thisUpdate. Under the previous text this would technically be misissuance. The propose text allows multiple manifests to be issued in the same second.


Yes,  multiple manifests issued at the same time will be rejected, according to the text in RFC 9286 and its predecessor RFC6486.

imho the proposed text does NOT correct an error in the original document. This proposed text proposes a different behaviour from the original text. This is therefore not an errata per se, but a proposed revision to the protocol’s described behaviour.


Geoff







> On 8 Nov 2022, at 11:31 am, Job Snijders <job@fastly.com> wrote:
> 
> Dear all,
> 
> I would recommend this errata be marked Verified.
> 
> When the specification was authored, I don't think it occurred to anyone
> that subscribers might end up hammering the APIs of CA implementations
> prompting issuers to issue more the frequently than once per second.
> 
> Although it seems somewhat unlikely for Relying Parties to see multiple
> manifests issued within the same second (subsequent updates to the same
> location probably coalesce); however, if an RP is faced with multiple
> valid manifests with identical validity windows, the monotonically
> increasing manifestNumber remains the strong tie-breaker.
> 
> The Errata's suggestion to substitute 'MUST be more recent' with "MUST
> be current time" combined with "must be equal or more recent" to me
> seems to be in spirit with the objective of adhering to a linear forward
> progression of time when issuing products.
> 
> Kind regards,
> 
> Job
> 
> On Mon, Nov 07, 2022 at 08:35:22AM -0800, RFC Errata System wrote:
>> The following errata report has been submitted for RFC9286,
>> "Manifests for the Resource Public Key Infrastructure (RPKI)".
>> 
>> --------------------------------------
>> You may review the report below and at:
>> https://www.rfc-editor.org/errata/eid7243
>> 
>> --------------------------------------
>> Type: Technical
>> Reported by: Ties de Kock <tdekock@ripe.net>
>> 
>> Section: 4.2.1.  Manifest
>> 
>> Original Text
>> -------------
>>   thisUpdate:
>>      This field contains the time when the manifest was created.  This
>>      field has the same format constraints as specified in [RFC5280]
>>      for the CRL field of the same name.  The issuer MUST ensure that
>>      the value of this field is more recent than any previously
>>      generated manifest.  Each RP MUST verify that this field value is
>>      greater (more recent) than the most recent manifest it has
>>      validated.  If this field in a purported "new" manifest is smaller
>>      (less recent) than previously validated manifests, the RP SHOULD
>>      use locally cached versions of objects, as described in
>>      Section 6.6.
>> 
>> Corrected Text
>> --------------
>>    thisUpdate:
>>      This field contains the time when the manifest was created. This
>>      field has the same format constraints as specified in [RFC5280]
>>      for the CRL field of the same name. The issuer MUST ensure that
>>      the value of this field is equal to the current time and higher or
>>      equal to the thisUpdate of any previously generated manifest. Each
>>      RP MUST verify that this field value is greater or equal to (as,
>>      or more recent) than the most recent manifest it has validated.
>>      Suppose this field in a purported "new" manifest is smaller (less
>>      recent) than previously validated manifests. In that case, the RP
>>      SHOULD use locally cached versions of objects, as described in
>>      Section 6.6.
>> 
>> 
>> 
>> Notes
>> -----
>> First of all: The previous text was not explicit that thisUpdate MUST contain the current time.
>> 
>> Second, in practice (e.g. multiple calls to a synchronous API) multiple manifests can be issued with the same thisUpdate. Under the previous text this would technically be misissuance. The propose text allows multiple manifests to be issued in the same second.
>> 
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party  
>> can log in to change the status and edit the report, if necessary. 
>> 
>> --------------------------------------
>> RFC9286 (draft-ietf-sidrops-6486bis-11)
>> --------------------------------------
>> Title               : Manifests for the Resource Public Key Infrastructure (RPKI)
>> Publication Date    : June 2022
>> Author(s)           : R. Austein, G. Huston, S. Kent, M. Lepinski
>> Category            : PROPOSED STANDARD
>> Source              : SIDR Operations
>> Area                : Operations and Management
>> Stream              : IETF
>> Verifying Party     : IESG
>> 
>> _______________________________________________
>> Sidrops mailing list
>> Sidrops@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidrops

v2.23.0 | Report a Bug | By Email