IETF Logo Mail Archive

Re: [Sidrops] I-D Action: draft-ietf-sidrops-cms-signing-time-03.txt

Ties de Kock <tdekock@ripe.net> Fri, 19 January 2024 09:54 UTC

Return-Path: <tdekock@ripe.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB38AC14F70C for <sidrops@ietfa.amsl.com>; Fri, 19 Jan 2024 01:54:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ripe.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JOzP6yJDJVsq for <sidrops@ietfa.amsl.com>; Fri, 19 Jan 2024 01:54:06 -0800 (PST)
Received: from mail-mx-1.ripe.net (mail-mx-1.ripe.net [IPv6:2001:67c:2e8:11::c100:1311]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DD11C14F736 for <sidrops@ietf.org>; Fri, 19 Jan 2024 01:53:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ripe.net; s=s1-ripe-net; h=To:Message-Id:Cc:Date:From:Subject:Mime-Version:Content-Type ; bh=5BHo+FTM8VMClc83LQYbDIupl7OuXH879SI3tl1kqGc=; b=g4kH+gJjrvD6P8X8N+LRE2LU Ix+csPK9Jm3q9qaYIxrzW1HtMGDw3wdIhq4K0patIcsaeSWmGVTMu/30Yxr0Hz2wallF7vp9Gdaxk oQKVAJZvquN2vgAU1mMAq8HJheJVWbfApt7R4r+R/S5BVp08kXcecYWRtmkneDIhVAJTNilP8H9OR Uowv4Fd3tKrtzdDIY6E8xecu50yzfRuaTKmgvtHvaYnBZFIKdKah7unEE26j/zTqGvjNMFejzAMWJ w/vUl3OLe+sRPCkP3aeHv+xYZxoDqKPvo5WxVQtWJhlzAG9h1eq6yFQ8Tr0T4fJS+me8KfMJPIwKQ IqjshB4I4g==;
Received: from imap-01.ripe.net ([2001:67c:2e8:23::c100:170e]:38452) by mail-mx-1.ripe.net with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384 (Exim 4.96.2) (envelope-from <tdekock@ripe.net>) id 1rQlYj-001kNU-1R; Fri, 19 Jan 2024 09:53:09 +0000
Received: from sslvpn.ipv6.ripe.net ([2001:67c:2e8:9::c100:14e6] helo=smtpclient.apple) by imap-01.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96.2) (envelope-from <tdekock@ripe.net>) id 1rQlYj-003yXp-19; Fri, 19 Jan 2024 09:53:09 +0000
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.300.61.1.2\))
From: Ties de Kock <tdekock@ripe.net>
In-Reply-To: <ZamgKc5PTJPDcISD@snel>
Date: Fri, 19 Jan 2024 10:52:58 +0100
Cc: sidrops@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <C10EC4E3-9A59-4BBA-B5DC-DB4680AD0B0D@ripe.net>
References: <170561454824.54895.360140302624981870@ietfa.amsl.com> <ZamgKc5PTJPDcISD@snel>
To: Job Snijders <job=40fastly.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3774.300.61.1.2)
X-RIPE-Signature: 059faafd1cc22ebb05e1592c815fe1e12bd2ef61e819f5d2a8f48696259eae06
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/j9dL4EuPrJr_4WOfXcE2ZzC9Ul0>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-cms-signing-time-03.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jan 2024 09:54:10 -0000

Hi Job,

> On 18 Jan 2024, at 23:03, Job Snijders <job=40fastly.com@dmarc.ietf.org> wrote:
> 
> Dear all,
> 
> Another pass was made over the text to improve the structure of the
> document and complete the surgery updates to RFC 6488. The
> "Implementation Status" section was also updated.

Can you clarify why the document now mandates that binary signing is disallowed?

This has significant	impact on implementations that are fully conforming to
rfc6488 and has a significant impact on those implementations, effectively
invalidating their test set of objects.

It also invalidates objects generated by public CA implementations if a feature
is enabled.

Please elaborate on the improvement in security posture this gives iff any.

Kind regards,
Ties

> 
> Many thanks to everyone who reviewed the document this week!
> 
> As indicated, the authors would like to move towards WGLC.
> 
> Kind regards,
> 
> Job
> 
> On Thu, Jan 18, 2024 at 01:49:08PM -0800, internet-drafts@ietf.org wrote:
>> Internet-Draft draft-ietf-sidrops-cms-signing-time-03.txt is now available. It
>> is a work item of the SIDR Operations (SIDROPS) WG of the IETF.
>> 
>>   Title:   On the use of the CMS signing-time attribute in RPKI Signed Objects
>>   Authors: Job Snijders
>>            Tom Harrison
>>   Name:    draft-ietf-sidrops-cms-signing-time-03.txt
>>   Pages:   12
>>   Dates:   2024-01-18
>> 
>> Abstract:
>> 
>>   In the Resource Public Key Infrastructure (RPKI), Signed Objects are
>>   defined as Cryptographic Message Syntax (CMS) protected content types
>>   by way of a standard template (RFC 6488).  That template includes an
>>   optional CMS signing-time attribute, representing the purported time
>>   at which the object was signed by its issuer.  At the time when the
>>   standard template was defined, rsync was the only distribution
>>   mechanism for RPKI repositories.
>> 
>>   Since the publication of the standard template, a new, additional
>>   protocol for distribution of RPKI repositories has been developed:
>>   the RPKI Repository Delta Protocol (RRDP).  While RPKI repository
>>   operators must provide rsync service, RRDP is typically deployed
>>   alongside it as well, and preferred by default by most Relying Party
>>   (RP) implementations.  However, RP implementations also support
>>   fallback to rsync in the event of problems with the RRDP service.  As
>>   deployment experience with RRDP has increased, the usefulness of
>>   optimizing switchovers by RPs from one mechanism to the other has
>>   become apparent.
>> 
>>   This document describes how Publishers and RPs can use the CMS
>>   signing-time attribute to minimize the burden of switching over from
>>   RRDP to rsync.  Additionally, this document updates RFC 6488 by
>>   mandating the presence of the CMS signing-time attribute and
>>   disallowing the use of the binary-signing-time attribute.
>> 
>> The IETF datatracker status page for this Internet-Draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-sidrops-cms-signing-time/
>> 
>> There is also an HTMLized version available at:
>> https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-cms-signing-time-03
>> 
>> A diff from the previous version is available at:
>> https://author-tools.ietf.org/iddiff?url2=draft-ietf-sidrops-cms-signing-time-03
>> 
>> Internet-Drafts are also available by rsync at:
>> rsync.ietf.org::internet-drafts
>> 
>> 
>> _______________________________________________
>> Sidrops mailing list
>> Sidrops@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidrops
> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops

v2.23.0 | Report a Bug | By Email