Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki-rsc-06.txt
Job Snijders <job@fastly.com> Mon, 14 February 2022 15:48 UTC
Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 709873A12D4 for <sidrops@ietfa.amsl.com>; Mon, 14 Feb 2022 07:48:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 35hw6OjGyeqs for <sidrops@ietfa.amsl.com>; Mon, 14 Feb 2022 07:48:20 -0800 (PST)
Received: from mail-ej1-x62c.google.com (mail-ej1-x62c.google.com [IPv6:2a00:1450:4864:20::62c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 247D63A1194 for <sidrops@ietf.org>; Mon, 14 Feb 2022 07:47:47 -0800 (PST)
Received: by mail-ej1-x62c.google.com with SMTP id a8so38328182ejc.8 for <sidrops@ietf.org>; Mon, 14 Feb 2022 07:47:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=/XOg0J7rFuwM1mnB180zwdq3f7btQ/U2s3L8ZIvw5B4=; b=ZErensiFU3lbDGxPKAfEO2b/9dqFGholoCfl1ABz42isqyIDDvYAZFKpdKDZUNakdz b0EiUu/5hdWbThTWtRvkFRoS3JsmRPIWnouQdYFX7KTTq8BOPpmBaovUtHa+iSh7u/jt 8/OGXPoJ6EJJLKyFYXLkl4EqKrJA16REJ+YqI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=/XOg0J7rFuwM1mnB180zwdq3f7btQ/U2s3L8ZIvw5B4=; b=icVfHX9xnFRq2NfwxSfRjhD2PWGZdEoxilo2t++FBo31CnGDWAxgRvRB/wIwWcHG9h SCzE4Ay0vy2kifzofmIfL/BBGSBme/F6xgZ4/pmmmOgYqX2ian7bKZHE4CHaFDabNCm5 R6ae+YaKA2Djg2nTibOMkjER1SkbSPNmmeA/nBxwI6tPJiKekgqsej//HAcF1beZ1AGv 3BhOYLN/vkTQOcBqgbzE2PGuiEjH6vWCvSFxZE4a0gXRcEcsexJUROuQa0mNnXmliL0g XF8RLr6cH6z0P75MaSuwhyoly700/aDOLORPmHAEonzvlJWawIFmHhu7A5vDI8E4Lkhy wUFg==
X-Gm-Message-State: AOAM533toyqVtzaWTnIK+3qwvAi0BygatCXMY64n4ikeGkXgU9o4mLrH YqBL5Lr4FVzbgi40wAk95/txX+rCodaXXQ==
X-Google-Smtp-Source: ABdhPJwEpv5oDVgvELmkll5PdC999x/MgZQgv3jBn75nz2ayUaNPYZ6TVv5udsCM3LUId4nhNcnvUw==
X-Received: by 2002:a17:906:728a:: with SMTP id b10mr185206ejl.120.1644853664485; Mon, 14 Feb 2022 07:47:44 -0800 (PST)
Received: from snel ([2a10:3781:276:2:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id h8sm15411836edk.14.2022.02.14.07.47.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 14 Feb 2022 07:47:44 -0800 (PST)
Date: Mon, 14 Feb 2022 16:47:42 +0100
From: Job Snijders <job@fastly.com>
To: Ties de Kock <tdekock@ripe.net>
Cc: sidrops@ietf.org
Message-ID: <Ygp5ntLVPIF2ZG9l@snel>
References: <164467776886.6200.12411287308620405950@ietfa.amsl.com> <E1F0280E-5212-42C3-9D16-75218E122943@ripe.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <E1F0280E-5212-42C3-9D16-75218E122943@ripe.net>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/diKwc9mzJALm2fT_cIokGxebN6w>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki-rsc-06.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Feb 2022 15:48:34 -0000
Dear Ties, WG, Thanks for taking the time to review this draft and provide feedback. On Mon, Feb 14, 2022 at 09:47:47AM +0100, Ties de Kock wrote: > > This document defines a Cryptographic Message Syntax (CMS) profile > > for a general purpose listing of checksums (a 'checklist'), for use > > with the Resource Public Key Infrastructure (RPKI). The objective is > > to allow an attestation, in the form of a listing of one or more > > checksums of arbitrary digital objects (files), to be signed "with > > resources", and for validation to provide a means to confirm a > > specific Internet Resource Holder produced the Signed Checklist. The > > profile is intended to provide for the signing of an arbitrary > > checksum listing with a specific set of Internet Number Resources. > > While this draft discusses the validity of the RSC object in > isolation, it would probably be good to clarify and/or add constraints > on when a RSC object should be considered valid. > > I think this is especially important because a CA has no visibility > into what RSCs are out there for a private key (and there are multiple > solutions for this, e.g. certificate transparency for the EE certs or > requiring RSC objects to be on a current, valid manifest). In my mind the above 'problem' is not too dissimilar from what RPKI operators already face with all existing object types. So hopefully a CA keeps track of/keeps tabs on the subordinate CAs it allows to exist, and is in control of any RSC objects (or other object types) issued under its auspices? In this sense I see now difference to Manifests or ROAs (as in, I believe that the problem you describe is not unique to RSC, it also applies to MFTs or ROAs, no RP has full visibility, a CA could present different views to different RPs). As RSCs are distributed out-of-band, this means that - by design - general visibility is limited. About listing on current valid manifests, this is explicitly forbidden logically following from Section 2: """ RSC follows the Signed Object Template for the RPKI [RFC6488] with one exception. Because RSCs MUST NOT be distributed through the global RPKI Repository system, the Subject Information Access (SIA) extension MUST be omitted from the RSC's X.509 End-Entity (EE) certificate. """ (https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-rsc-06.html#section-2) It isn't feasible to add Certificate Transparency as a prerequisite to progress RSC, as CT in context of RPKI still is in its infancy. However, if in the years to come CT does become available, I suspect operations related to all Signed Object types could see improvement, including RSC. > For example, from the current draft, it is not clear if the CA > certificates that form the valid certification path from a trust > anchor to the EE certificate (6488) need to be on current, valid > manifests. I think they do, but clarification would help :). I'll contrast RTA and RSC to hopefully clarify: the RTA concept has the notion of carrying a chain of certificates and CRLs in the CMS Certificates & CRLs Fields, even up to and including the self-signed trust-anchor. This is a novelty in context of the RPKI ecosystem. The purported advantage of the RTA object design would be that all an RP needs to verify the RTA is a "fully populated CMS cert & crl enveloppe", and the Trust Anchor Locator with the Public Key of the TA certificate packed in the RTA CMS. However, the RTA Signed Object definition is the "odd duck" here, because RFC 6488 section 3 clearly stipulates that the SignedData field only contains one EE certificate. The RSC internet-draft does not deviate from the Signed Object template in this regard. RSC is similar to MFT, ROA, GBR: the CA must exist on a valid current manifest, because an RSC issuer can't put the intermediate CA certificate in the RSC itself. I'm hesitant to repeat (redundant) RFC 6488 information into the RSC draft. Consequently, any CA issuing a RSC EE cert, will be present in one or more of the global RPKI trees, on a valid current manifest. I think this characteristic makes implementation and debugging easier. > Furthermore, when evaluating a RSC at a point in time, you need > assurance that (a) the RSC itself is not backdated and that (b) the CA > path was in place at that point in time. I am not sure I follow the above paragraph: the moment a RP performs verification, the RSC's EE certificate must be 'current' (e.g. RP's notion of time must be within the RSC's EE certificate's validity window), and the RSC EE cert must not be revoked. Additional verification steps are outlined in draft-ietf-sidrops-rpki-rsc Section 5. > In practice, it may only be feasible to verify a RSC that "has been > signed recently" and is valid at this point [in time]. Only > considering the current state of the RPKI tree also solves the > problems posed by key-rolls, resource transfers, etc. Indeed, that is my understanding as well. This follows from RFC 6488 (mainly section 3). Is there any text in the current RSC -06 internet-draft that would suggest otherwise? Please let the authors know if the above answers your questions. Suggestions for text to improve the readability are welcome. Kind regards, Job
- [Sidrops] I-D Action: draft-ietf-sidrops-rpki-rsc… internet-drafts
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Ties de Kock
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Job Snijders