Re: [Sidrops] 6486bis: referenced object validation

Job Snijders <job@ntt.net> Fri, 04 December 2020 11:17 UTC

Return-Path: <job@ntt.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39E643A00D3 for <sidrops@ietfa.amsl.com>; Fri, 4 Dec 2020 03:17:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jtrOuA4Ks3Ct for <sidrops@ietfa.amsl.com>; Fri, 4 Dec 2020 03:17:04 -0800 (PST)
Received: from mail4.dllstx09.us.to.gin.ntt.net (mail4.dllstx09.us.to.gin.ntt.net [128.241.192.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ACC393A09C5 for <sidrops@ietf.org>; Fri, 4 Dec 2020 03:17:04 -0800 (PST)
Received: from bench.sobornost.net (mieli.sobornost.net [45.138.228.4]) by mail4.dllstx09.us.to.gin.ntt.net (Postfix) with ESMTPSA id 42617EE007B; Fri, 4 Dec 2020 11:17:03 +0000 (UTC)
Received: from localhost (bench.sobornost.net [local]) by bench.sobornost.net (OpenSMTPD) with ESMTPA id cf4860e9; Fri, 4 Dec 2020 11:17:01 +0000 (UTC)
Date: Fri, 4 Dec 2020 11:17:01 +0000
From: Job Snijders <job@ntt.net>
To: Ties de Kock <tdekock@ripe.net>
Cc: sidrops@ietf.org, Martin Hoffmann <martin@opennetlabs.com>, Ben Maddison <benm=40workonline.africa@dmarc.ietf.org>
Message-ID: <X8oarQL4yLjPuRxP@bench.sobornost.net>
References: <20201203224213.gnb2nawujxm7a32q@benm-laptop> <20201204111651.4e865d7d@glaurung.nlnetlabs.nl> <X8oSBlR1pDhX83nH@bench.sobornost.net> <EF03D4E0-83EE-4C70-8E81-002DC8C38B95@ripe.net> <X8oUr+zsCbHk0Q3a@bench.sobornost.net> <78C30B6C-820E-49E9-BE88-6137A26F38E2@ripe.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <78C30B6C-820E-49E9-BE88-6137A26F38E2@ripe.net>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/fjULEjD8aE_3b6ch-Z6eJs_0q_o>
Subject: Re: [Sidrops] 6486bis: referenced object validation
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2020 11:17:07 -0000

On Fri, Dec 04, 2020 at 11:57:33AM +0100, Ties de Kock wrote:
> >> However, validating these requirements for just CMS objects (as per
> >> -03, instead of for CAs as well as per -00) leaves open the situation
> >> where only part of the objects for a CA apply. When the ROAs are
> >> correct, but the sub-CA is not, this can cause outages.
> >> 
> >> I don't have a preference on which way to go, but I would propose that
> >> we treat invalidation (time, c.f. because of semantic errors) for both
> >> CA certificates and other objects similarly.
> > 
> > I am not sure I follow, can you construct an example data set where the
> > 'situation left open' you describe appears?
> > 
> 
> Thanks for asking for clarification. I'll try to explain the scenario:
> 
> CA certificate with <AS64496, 192.0.2.0/24>
>   * Manifest, containing
> 	  * ROA: AS0, 192.0.2.0/24
> 	  * sub-CA, resources: <AS64496, 192.0.2.0/24>
> 	  	* Manifest, containing:
> 			  * ROA: <AS64496, 192.0.2.0/24>
> 
> We have "all or nothing" for ROAs. I argue that a similar situation is present
> for sub-CAs if the sub-CA expires.

You list two manifests, which means that software should:

round 1: process Manifest 1 containing AS0.roa + sub-CA.cer + crl
    check if as0.roa and sub-CA.cer + crl are present and if the hashes
    match

round 2: process Manifest 2 containing AS64496.roa + crl
    check if AS64496.roa + crl are present and if the hashes match

Now let's image sub-CA.cer is present and the hash match, but turns out
to be expired, it just invalidates sub-CA.cer and thus the software
would never even open manifest 2, because sub-CA.cer is expired.

If sub-CA.cer is expired the ROA for AS64496 indeed will 'disappear' (as
if never existed), leaving just the AS0 ROA. This is as the CA intended.

Kind regards,

Job