IETF Logo Mail Archive

Re: [Sidrops] what to do when the CRL is hosed?

Stephen Kent <stkent@verizon.net> Tue, 24 March 2020 15:51 UTC

Return-Path: <stkent@verizon.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 711333A0CE3 for <sidrops@ietfa.amsl.com>; Tue, 24 Mar 2020 08:51:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.563
X-Spam-Level:
X-Spam-Status: No, score=-3.563 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-1.463, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verizon.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TMORsIBed0JZ for <sidrops@ietfa.amsl.com>; Tue, 24 Mar 2020 08:51:51 -0700 (PDT)
Received: from sonic304-21.consmr.mail.ne1.yahoo.com (sonic304-21.consmr.mail.ne1.yahoo.com [66.163.191.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17D8E3A0CCD for <sidrops@ietf.org>; Tue, 24 Mar 2020 08:51:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verizon.net; s=a2048; t=1585065110; bh=AI0mD0HP9LwuPLkLuu124VrYThbTC/gq2SrcUzROm3Q=; h=Subject:To:References:From:Date:In-Reply-To:From:Subject; b=VEzNAMM1UdtAbvwgDAbSAJWeMHLMzUat8g+HG8ZxFFh2CAUOjMw9C2qeGebGmPYMhbZoCuExgvLjz9AfMjDgz2PpaiYsnEibET+UJm8FP39amRbrcghzdGG7kTgAfUzg4E4+UyC1hoOfYXYKhnTU55e/9IGn5uIXnnr+eJSyvrr4S1zLvtjxfFAXB2JUmHJNrPVkQ/gAb+aSBeK0sjpluleXUaGhu9Sgrq99sxrrciJFAvx50WgxxxZNtBL+PzXjZ5X3eLD98jxffAtuXjlI11OtNf+j5qSmIKlt0upuEhp+MasMETodikILTi9ui+uWFah2XJtZw9tNj97EFQLQog==
X-YMail-OSG: sdVKdnYVM1nXA2CbmrLVjNNC.5Rx7dV7u6yaWJ28Q7NIwpTXu8zANmcH5PpQnJ0 Zeybr1jGKHvyiZqXxM77mqYrai4KWH2ckmz_zETPynFQe0myXuRPj0HSsmJs6KdsYvwsLOkHpp8b jY8FWht6d46efu40kAwnPlLrnjVC9SlQEVGzNL2gQEF_ykDOqZcsAg71p96rUoxgzwg5aeZb12s. EHBCipreMAmVUJ77hZPU0ru5_l7bQrYyi3xKRpqxND8qpt.YV3bpYPBmRYfvi8PVVUhv0wLtN.Tu 9USUdVDkje0LG3EmqX902X6xC16M__iaV_Lq12ujf7dj37JV9mY7cqFJOLHd882RJOqfiR6G8hO0 TQXcMXZB.ykdCmakru.51HqS.MFZwsouU2Yqqu4nMRThRTeEisDb8.UYl9cBBFBmQh7jKTCamXN5 0RXCK0Fnb4MoUZCT_9E0QgSzRDkfgb72.Dyil6TishqtTaTv3Q.qQ.MvOO82XErP1IQDvEkEeKB0 1zbPYi2RX0uz6WrOgYkMfC40M0xD7l30WkQFiOIljIdVM1OxPYhaNbFKxgeEchog4gvBau5ZFkHC Rb9sZdB6ZRdY_ikFa6LyydDDIeUGWmWdAHoW.o7X7xqinA.AY80RR.oMvD0RZHXQALoS7bSR6LSd zh4mQx.IPhauxM8BLGWRdb..AbViQHfdvTdJd.O2kwRItF.aakMxopvOEzEZTA413Q00X7Sr2pSS cMaO1NpQZ8If7dDK473xrNpYvh_K0CqwJGV7JChRPfyEI.n0og6WIo_Z6lrVAkfIkTkXq339Z338 nEXTCRpcX4T90U3j_nI6PBmh.HiKvhXAdan.Vx0tSf0z9iLsRkVY0sakwWsa8XHwaTINSID.JWuR bIJK7vLXetwejXB8c3ZPyahhtZnVGbDZBIiyga4OaNoO2qMnmO9ognX8GRhBHxH3yMQk9TdvzaoC jpXkWt62z20LpHaDDY4khi8QUxLJwtMPd7g9ETvFboqP5udfT0sFRjIxEGE3xy0xJJ5R0DWSK5BQ 0ifE0tTeGVttzWGcHV.TUJ0JvRph4ETXbBxHrYhYvX4vug3o9VT57yBGhEpxaPyaL3nwPmDnRtJP CHlmkXsj4_SybWTRNNypXdGmnJW47TyeSK65teFMbU_vCZbf0GvYAvMT0plyWHlc5lyTXm8_hadn rxXE0kGrmx.mva0K_P1wk_VoMaONuELq9b_oobbuEuVlx.rKBnJf8.jzljKHt4Yy6b9SCUNkou_m xkp4vxZbJTpEVu1jzyNDNWSJ4lI1mHlf22UlH5Ccn7Pmbdl5.sfJNm4HUps9GnrecPvwx_bzS2YA bVlzaA.BTjuWwqoYt6TEO341y38j1No_lM0mdrnoEYLzVLqc4OaxvLOADSjgzyI4pMvcfUL1fzPG 9ft8ifUlmFxER5A--
Received: from sonic.gate.mail.ne1.yahoo.com by sonic304.consmr.mail.ne1.yahoo.com with HTTP; Tue, 24 Mar 2020 15:51:50 +0000
Received: by smtp415.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID f2bc0085698b5c9c6e4bbadeef970e5e; Tue, 24 Mar 2020 15:51:48 +0000 (UTC)
To: sidrops@ietf.org
References: <9cc3a6a5-f9c8-23df-588e-48dee5db62d4@verizon.net> <3B7006DE-5366-47E7-9CD6-AF392F9ED0CC@nlnetlabs.nl> <6602d1a7-ecbf-73a0-21d8-1254fb2aff97@verizon.net> <253D1ED7-52D8-4A00-9D69-095E61D09C9F@nlnetlabs.nl> <db920115-e188-700f-ceb2-08cd2996046a@verizon.net> <3a683da4-42f9-28c6-f0dd-4d11d3c67857@ripe.net> <4fe26a30-4a08-41a5-be7f-0c5997230d0a@www.fastmail.com> <3B072025-68C5-4E62-9466-5122D483F691@nlnetlabs.nl> <20200324135828.GG60268@vurt.meerval.net> <20200324152009.6e6a2c3f@glaurung.nlnetlabs.nl> <20200324151101.GH60268@vurt.meerval.net>
From: Stephen Kent <stkent@verizon.net>
Message-ID: <7f54a255-643f-cd2d-12c2-da19562bbffa@verizon.net>
Date: Tue, 24 Mar 2020 11:51:46 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Thunderbird/68.6.0
MIME-Version: 1.0
In-Reply-To: <20200324151101.GH60268@vurt.meerval.net>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
X-Mailer: WebService/1.1.15518 hermes Apache-HttpAsyncClient/4.1.4 (Java/1.8.0_242)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/iZnj63wMmKHhVKFfJk7YFAQBvMU>
Subject: Re: [Sidrops] what to do when the CRL is hosed?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Mar 2020 15:52:10 -0000

Job,
> On Tue, Mar 24, 2020 at 03:20:09PM +0100, Martin Hoffmann wrote:
>> Job Snijders wrote:
>>> I'm not sure I agree - routinator, fort and octorpki are trivially
>>> forced to use rsync if the attacker blocks TCP port 443.
>> At least Routinator does not fall back to rsync once it has
>> successfully completed accessing the repository via RRDP once. I am
>> open to strengthen this to not ever use rsync if there is a RRDP URI
>> in the certificate.
> I'm interpreting the willingness to attempt to make MITM attack slightly
> harder as an indicator that the described MITM partial
> withholding/corruption attack scenarios are valid and problematic. :-)
>
> I don't think a conclusion about the integrity of the DELTA snapshot can
> be derived from the fetch mechanism itself: just because it was
> retrieved over HTTPS doesn't mean there was no MITM attack. The
> diginotar situation comes to mind, and crazier things have existed in
> the wild.

Use of TLS, absent a CA compromise, protects against MITM attacks.

The CA compromise you cited (DigiNotar) was serious because of the Web 
PKI model, in which any trust anchor can issue a cert for any EE. Today, 
with the use of cert pinning and cert transparency logs, the likelihood 
of such attacks has very dramatically decreased in the Web PKI environment.

Can you provide an example of one of the "crazier things" (relevant to 
TLS and the Web PKI) hat have happened in the wild, and which are 
applicable here?

Steve

v2.23.0 | Report a Bug | By Email