Re: [Sidrops] Éric Vyncke's No Objection on draft-ietf-sidrops-6486bis-09: (with COMMENT)
Job Snijders <job@fastly.com> Thu, 03 February 2022 14:43 UTC
Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 164793A1C0C for <sidrops@ietfa.amsl.com>; Thu, 3 Feb 2022 06:43:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2_UBXC7jsEui for <sidrops@ietfa.amsl.com>; Thu, 3 Feb 2022 06:43:18 -0800 (PST)
Received: from mail-ej1-x635.google.com (mail-ej1-x635.google.com [IPv6:2a00:1450:4864:20::635]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 050ED3A1C0E for <sidrops@ietf.org>; Thu, 3 Feb 2022 06:43:17 -0800 (PST)
Received: by mail-ej1-x635.google.com with SMTP id a8so9498359ejc.8 for <sidrops@ietf.org>; Thu, 03 Feb 2022 06:43:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=FJVKo0D/gkNKp25HxnVWh51gCv/jp+pHiMMmTKvd/pI=; b=Atb6vc8GZxgPfdudZwvo20RAfDUEjjE1KYJOfrKEDvVcpSgZrbPMLbsd0L51DSmCkc VCV/5lMoqwChgPjyRF5GW9vQ67LaovN4/yZe+Ey9c4N83REt5ETerF4kXnWiF9YXro8u 1xQQA+7sbt14uU0HP4WyqeeB83REuDo1Sy7K0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=FJVKo0D/gkNKp25HxnVWh51gCv/jp+pHiMMmTKvd/pI=; b=SxEGM7ddumAhwy6wFT0V5jx3cRMhBNpH2hnR5p8iN7dRYzdqceKibLL4EsobeiuqEP 4vt1PrUwj9RHLAm1o0vHWq8WdcnkvvubYF65hLmCekBiJ1RryB1OclhC8MUUHQUBlORP cUbNJBrLclpIfIHd48gGjBpybU4XHp3ml3p14KgRyDhET8hkemZw13SWKC/oz8iLBRhe DgFSF4Iiw+5hkKBlmTXigIrjFcTa/eeSIY/QrzQ5rtTTKYnx7pfA1Xm2TOHz3LDoMOm6 upnNd3UtZ/SszCl/yKGbDqo7VZDCAfb19SkrVAMYlnCJxe4z4hITNcYeUcQLBQRX9/fJ aQwA==
X-Gm-Message-State: AOAM532wkkp1WaIoKpnCRucerVRV4R3f2YCdOkdookcnNVzmp2QJUgaf 8Q+GTd3qRP08Ks1FBKgkmktCpR92dvRf4g==
X-Google-Smtp-Source: ABdhPJy/qE6y7+U2NkFG+oP9tsdehb0F/AY9O+kby6IBA+Ov3BftBx6kB9GfdTudP7atJilAc/Rtqg==
X-Received: by 2002:a05:6402:1705:: with SMTP id y5mr35359632edu.200.1643899384870; Thu, 03 Feb 2022 06:43:04 -0800 (PST)
Received: from snel ([2a10:3781:276:2:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id og23sm8810969ejc.186.2022.02.03.06.43.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 03 Feb 2022 06:43:04 -0800 (PST)
Date: Thu, 03 Feb 2022 15:43:02 +0100
From: Job Snijders <job@fastly.com>
To: Adianto Wibisono <awibisono@ripe.net>
Cc: Christopher Morrow <christopher.morrow@gmail.com>, Russ Housley <housley@vigilsec.com>, SIDROps Chairs <sidrops-chairs@ietf.org>, SIDR Operations WG <sidrops@ietf.org>, Chris Morrow <morrowc@ops-netman.net>, IESG <iesg@ietf.org>, Eric Vyncke <evyncke@cisco.com>, draft-ietf-sidrops-6486bis@ietf.org
Message-ID: <Yfvp9jyEY8RB+G9u@snel>
References: <164362677155.28792.13241248233184382872@ietfa.amsl.com> <YfgLYqX1hQIVl9j9@snel> <6778460A-C69A-40B3-9295-A5AB8913C6FA@vigilsec.com> <CAL9jLaay0NMSoiFwr6CSdbz3TkWOPuuK5GbG5yFWE_+Dr8s+xw@mail.gmail.com> <ac7ca056-dd61-7359-7929-f28f6c2f86bf@ripe.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <ac7ca056-dd61-7359-7929-f28f6c2f86bf@ripe.net>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/kdl-uftnXYy_06DMtlXDzaQUwkY>
Subject: Re: [Sidrops] Éric Vyncke's No Objection on draft-ietf-sidrops-6486bis-09: (with COMMENT)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Feb 2022 14:43:22 -0000
Dear IESG, SIDROPS, other interested parties, Logistics: In consultation with the authors & wg chairs I now hold the editoral token for this draft. I've uploaded the draft XML to github and adhere to a 'one sentence per line' style to make diff reading easier. Adianto - thank you for pointing out that the abstract and introduction didn't connect well. I've adjusted both slightly in hopes readability is improved. https://github.com/job/draft-ietf-sidrops-6486bis/commit/ce3c5bae1b8e6fdd6c1f55718fb86c7db44c313e A copy of the changeset for archival purposes is avaliable below: Kind regards, Job commit ce3c5bae1b8e6fdd6c1f55718fb86c7db44c313e Author: Job Snijders <job@sobornost.net> Date: Thu Feb 3 14:36:47 2022 +0000 Incorporate feedback from Adianto https://mailarchive.ietf.org/arch/msg/sidrops/38TER8ns8vGqTgfBObwYRg7gSos/ diff --git draft-ietf-sidrops-6486bis.xml draft-ietf-sidrops-6486bis.xml index f059e20..d262f29 100644 --- draft-ietf-sidrops-6486bis.xml +++ draft-ietf-sidrops-6486bis.xml @@ -69,7 +69,7 @@ A manifest is a signed object (file) that contains a listing of all the signed objects (files) in the repository publication point (directory) associated with an authority responsible for publishing in the repository. For each certificate, Certificate Revocation List (CRL), or other type of signed objects issued by the authority that are published at this repository publication point, the manifest contains both the name of the file containing the object and a hash of the file content. Manifests are intended to enable a relying party (RP) to detect certain forms of attacks against a repository. - Specifically, if an RP checks a manifest's contents against the signed objects retrieved from a repository publication point, then the RP can detect "stale" (valid) data and deletion of signed objects. + Specifically, if an RP checks a manifest's contents against the signed objects retrieved from a repository publication point, then the RP can detect replay attacks, and unauthorized in-flight modification or deletion of signed objects. This document obsoletes RFC 6486. </t> @@ -80,8 +80,8 @@ <section title="Introduction" anchor="sect-1"><t> The Resource Public Key Infrastructure (RPKI) <xref target="RFC6480"/> makes use of a distributed repository system <xref target="RFC6481"/> to make available a variety of objects needed by relying parties (RPs). Because all of the objects stored in the repository system are digitally signed by the entities that created them, attacks that modify these published objects are detectable by RPs. - However, digital signatures provide no protection against attacks that substitute "stale" versions of signed objects (i.e., objects that were valid and have not expired, but have since been superseded) or attacks that remove an object that should be present in the repository. - To assist in the detection of such attacks, the RPKI repository system can make use of a signed object called a "manifest". + However, digital signatures alone provide no protection against attacks that substitute "stale" versions of signed objects (i.e., objects that were valid and have not yet expired, but have since been superseded), or in-flight attacks that remove an object that should be present in the repository. + To assist in the detection of such attacks, RPKI repository systems make use of a signed object called a "manifest". </t> <t> @@ -635,7 +635,7 @@ <section title="Acknowledgements" anchor="sect-10"><t> The authors would like to acknowledge the contributions from George Michelson and Randy Bush in the preparation of the manifest specification. Additionally, the authors would like to thank Mark Reynolds and Christopher Small for assistance in clarifying manifest validation and RP behavior. - The authors also wish to thank Tim Bruijnzeels, Job Snijders, Oleg Muravskiy, and Sean Turner for their helpful review of this document.</t> + The authors also wish to thank Tim Bruijnzeels, Job Snijders, Oleg Muravskiy, Sean Turner, and Adianto Wibisono for their helpful review of this document.</t> </section> </middle>
- [Sidrops] Éric Vyncke's No Objection on draft-iet… Éric Vyncke via Datatracker
- Re: [Sidrops] Éric Vyncke's No Objection on draft… Job Snijders
- Re: [Sidrops] Éric Vyncke's No Objection on draft… Russ Housley
- Re: [Sidrops] Éric Vyncke's No Objection on draft… Christopher Morrow
- Re: [Sidrops] Éric Vyncke's No Objection on draft… Adianto Wibisono
- Re: [Sidrops] Éric Vyncke's No Objection on draft… Job Snijders