[Sidrops] Re: Notification for draft-spaghetti-sidrops-rpki-ta-tiebreaker

Russ Housley <housley@vigilsec.com> Thu, 20 June 2024 19:56 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 678DEC151998 for <sidrops@ietfa.amsl.com>; Thu, 20 Jun 2024 12:56:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=vigilsec.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7Hq3Zyr5eYEq for <sidrops@ietfa.amsl.com>; Thu, 20 Jun 2024 12:56:21 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E82A8C14CEED for <sidrops@ietf.org>; Thu, 20 Jun 2024 12:56:20 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id DAE411B1AC7; Thu, 20 Jun 2024 15:56:19 -0400 (EDT)
Received: from smtpclient.apple (unknown [96.241.2.243]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id CBDB51B1AC6; Thu, 20 Jun 2024 15:56:19 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <66B885F2-9621-40EA-BA26-A71A81AB1426@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_4D290D3F-77DC-4D19-80A7-5A909C938B2B"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6.1.1\))
Date: Thu, 20 Jun 2024 15:56:09 -0400
In-Reply-To: <CAMFGGcB1zhLx6iE_0jA1yWCSgQq_LxCOO=CA0TttzGenhUzVSQ@mail.gmail.com>
To: Job Snijders <job@fastly.com>
References: <ZnNtl9d7cnkMtK-1@snel> <6CC9BD6A-8CF7-4647-9D3F-60AE0DEDC512@vigilsec.com> <CAMFGGcB1zhLx6iE_0jA1yWCSgQq_LxCOO=CA0TttzGenhUzVSQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3731.700.6.1.1)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vigilsec.com; h=from:message-id:content-type:mime-version:subject:date:in-reply-to:cc:to:references; s=pair-202402141609; bh=0a3UXDlvcwV0eSM9wjC6tA+9+zU932y2pJd/n0069LA=; b=PxtdcBrQza2CL8185DQUlr0JenVlMna89UsRVw+3+Hp2zKEprZssFXKLZTrYE2RNmM/Irbs4pnU6Kb5kUYqV2DmXe/6YwZQ5sq/VgobD7H/NZ3rzCQ6/7tKSO1zvQi82Zot1HgrNqDJA3PG2FEpfpawmmZ46Ap9SRsC2ZXaCBacyk9uIEvT2yezD9/zqL+sMEbilteWv+X9OblYWAd05ANr6dZwAyJ91wEn52hQNVkAMn4gO3qwjPIj8k8C9sWi7U/2cNZf9woW+Z808LTfPyapIttCI5zhG4cqY0uQnwSE4C7N5gBlPRjP3kYBp4p+CMISnJvRImeVJU2AfC/QvWA==
X-Scanned-By: mailmunge 3.11 on 66.39.134.11
Message-ID-Hash: HV5QHWE5I5FKGHV6IG2PH4LYZBHTDR4Z
X-Message-ID-Hash: HV5QHWE5I5FKGHV6IG2PH4LYZBHTDR4Z
X-MailFrom: housley@vigilsec.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-sidrops.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: IETF SIDRops <sidrops@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Sidrops] Re: Notification for draft-spaghetti-sidrops-rpki-ta-tiebreaker
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/gJUoIUM05fLj4jrrVMc-br-wwgo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Owner: <mailto:sidrops-owner@ietf.org>
List-Post: <mailto:sidrops@ietf.org>
List-Subscribe: <mailto:sidrops-join@ietf.org>
List-Unsubscribe: <mailto:sidrops-leave@ietf.org>

Job:

You are correct, the part of RFC 6489 is about a CA:

   In order to perform the equivalent of a key rollover, the CA
   creates a "new" instance of itself, with a new key pair, and then
   effectively substitutes this "new" CA instance into the RPKI
   hierarchy in place of the "old" CA instance.

However, the point about renewal vs. rekey should still be discussed.

Russ

> On Jun 20, 2024, at 2:13 PM, Job Snijders <job@fastly.com> wrote:
> 
> Dear Russ,
> 
> Are you sure TA’s can rekey themselves using RFc 6489? I thought that’s a CA-only procedure.
> 
> Kind regards,
> 
> Job
> 
> On Thu, 20 Jun 2024 at 19:56, Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com>> wrote:
>> Job and co-authors:
>> 
>> I think that this document needs to be clear that this is talking about a TA renewing its own certificate.  If a TA does a rekey in accordance with RFC 6489, there is no need for tiebreaking.
>> 
>> Russ
>> 
>> > On Jun 19, 2024, at 7:45 PM, Job Snijders <job=40fastly.com@dmarc.ietf.org <mailto:40fastly.com@dmarc.ietf.org>> wrote:
>> > 
>> > Dear SIDROPS,
>> > 
>> > In context of Relying Parties maybe having acquired access to multiple
>> > different valid issuances of a Trust Anchor certificate, Ties de Kock
>> > pointed out potential issues relating to certification path validation.
>> > 
>> > An implementation to demonstrate a tiebreaking scheme in the presence of
>> > another TA certificate was instrumented in OpenBSD rpki-client, and we
>> > documented our effort in this internet-draft.
>> > 
>> > Your feedback is most welcome!
>> > 
>> > Kind regards,
>> > 
>> > Job
>> > 
>> > ----- Forwarded message from internet-drafts@ietf.org <mailto:internet-drafts@ietf.org> -----
>> > 
>> > Date: Wed, 19 Jun 2024 16:11:54 -0700
>> > From: internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>
>> > To: Job Snijders <job@fastly.com <mailto:job@fastly.com>>, Theo Buehler <tb@openbsd.org <mailto:tb@openbsd.org>>, Ties de Kock
>> >       <tdekock@ripe.net <mailto:tdekock@ripe.net>>
>> > Subject: New Version Notification for
>> >       draft-spaghetti-sidrops-rpki-ta-tiebreaker-00.txt
>> > 
>> > A new version of Internet-Draft
>> > draft-spaghetti-sidrops-rpki-ta-tiebreaker-00.txt has been successfully
>> > submitted by Job Snijders and posted to the
>> > IETF repository.
>> > 
>> > Name:     draft-spaghetti-sidrops-rpki-ta-tiebreaker
>> > Revision: 00
>> > Title:    Tiebreaking Resource Public Key Infrastructure (RPKI) Trust Anchors
>> > Date:     2024-06-19
>> > Group:    Individual Submission
>> > Pages:    7
>> > URL:      https://www.ietf.org/archive/id/draft-spaghetti-sidrops-rpki-ta-tiebreaker-00.txt
>> > Status:   https://datatracker.ietf.org/doc/draft-spaghetti-sidrops-rpki-ta-tiebreaker/
>> > HTML:     https://www.ietf.org/archive/id/draft-spaghetti-sidrops-rpki-ta-tiebreaker-00.html
>> > HTMLized: https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-ta-tiebreaker
>> > 
>> > 
>> > Abstract:
>> > 
>> >   A Trust Anchor (TA) in the RPKI is represented by a self-signed X.509
>> >   Certification Authority (CA) certificate.  Over time, Relying Parties
>> >   (RP) may have acquired multiple different issuances of valid TA
>> >   certificates from the same TA operator.  This document proposes a
>> >   tiebreaking scheme to be used by RPs to select one TA certificate for
>> >   certification path validation.  This document updates RFC 8630.
>> > 
>> > 
>> > 
>> > The IETF Secretariat
>> > 
>> > 
>> > 
>> > ----- End forwarded message -----
>> > 
>> > _______________________________________________
>> > Sidrops mailing list -- sidrops@ietf.org <mailto:sidrops@ietf.org>
>> > To unsubscribe send an email to sidrops-leave@ietf.org <mailto:sidrops-leave@ietf.org>
>>