Re: [Sidrops] require signing-time in draft-ietf-sidrops-signed-tal objects?

Geoff Huston <gih@apnic.net> Thu, 09 March 2023 22:26 UTC

From: Geoff Huston <gih@apnic.net>
To: Job Snijders <job=40fastly.com@dmarc.ietf.org>
CC: Ties de Kock <tdekock@ripe.net>, "sidrops@ietf.org" <sidrops@ietf.org>
Date: Thu, 09 Mar 2023 22:26:13 +0000
Message-ID: <74D70BE8-1B4E-4F5D-B93A-FEDDFFA8383F@apnic.net>
References: <ZAh8V8ilxAzy+TfV@snel> <5E34D9AD-89B3-411B-8B41-DBBB7578A076@ripe.net> <ZAiAGHAYzmQHruRk@snel> <ECBADD17-31AB-44FC-9EA6-3B8C9B2F9A56@ripe.net> <ZAm2RhMQlly1e5J4@snel>
In-Reply-To: <ZAm2RhMQlly1e5J4@snel>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/p6ewfZTzTrVfvU7-nShAlhrRPLA>

I have a few concerns here around the general theme that adding more information into these
objects can be a source of additional fragility rather than additional robustness.

What is a relying party meant to do with this CMS signing time? Does it in any way
alter the relying party’s handling of the object, or the trust that the relying party
is placing in the object? What if the CMS signing time is stated to be AFTER the X.509
Not After time? Or even after the X.509 Not Before time? In the unlikely event that
a relying party has managed to collect two signed tal objects that differ in CMS signing time
attributes, is one more or less trusted, or more or less preferred, than the other?

If it's purely intended to be some comment on the CMS wrapper, then why include it at all?

I would’ve thought that the path to a robust framework includes the consideration to eschew
all non-essential information and avoid all instances of information duplication.

thanks,

  Geoff
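The message above asks what a relying party would actually do with a CMS signing-time attribute whose value falls outside the signing certificate's validity window. The following is an added example (not code from the draft, from the list, or from any RPKI relying-party implementation) that parses the time encodings CMS and X.509 use (UTCTime for years 1950 to 2049, GeneralizedTime otherwise, UTC only) and classifies a signingTime against the EE certificate's Not Before / Not After pair. The function names and the sample timestamps are constructed for illustration; the classification labels are a hypothetical reporting vocabulary, not anything the draft specifies.

```python
"""Added example: consistency check of a CMS signingTime against the
signing certificate's validity period. Illustrative code only; it is not
the draft's procedure nor any relying-party software's logic."""
from datetime import datetime, timezone


def parse_cms_time(value: str) -> datetime:
    """Parse a signingTime (RFC 5652 section 11.3) or an X.509 validity
    field (RFC 5280 section 4.1.2.5). Both use UTCTime "YYMMDDHHMMSSZ" for
    years 1950-2049 and GeneralizedTime "YYYYMMDDHHMMSSZ" for other years,
    and both require the time to be expressed in UTC (trailing 'Z')."""
    if not value.endswith("Z"):
        raise ValueError("time must be expressed in UTC (trailing 'Z')")
    digits = value[:-1]
    if len(digits) == 12:
        # UTCTime: two-digit year, pivot at 50 as RFC 5280 / RFC 5652 specify.
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = digits[2:]
    elif len(digits) == 14:
        # GeneralizedTime: four-digit year.
        year = int(digits[:4])
        rest = digits[4:]
    else:
        raise ValueError(f"unrecognised time encoding: {value!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def check_signing_time(signing_time: str, not_before: str, not_after: str) -> str:
    """Classify a CMS signingTime relative to the EE certificate's validity
    window. Returns one of the hypothetical labels 'consistent',
    'before-notBefore' or 'after-notAfter'; what a relying party should do
    with an inconsistent value is exactly the open question in the thread."""
    st = parse_cms_time(signing_time)
    nb = parse_cms_time(not_before)
    na = parse_cms_time(not_after)
    if st < nb:
        return "before-notBefore"
    if st > na:
        return "after-notAfter"
    return "consistent"


if __name__ == "__main__":
    # Constructed sample values: an EE certificate valid through 2023 and
    # three candidate signing times, one inside and two outside the window.
    not_before, not_after = "230101000000Z", "240101000000Z"
    for st in ("230309222613Z", "250101000000Z", "220101000000Z"):
        print(st, "->", check_signing_time(st, not_before, not_after))
```

The parser is shared by both attribute kinds because the encoding rules coincide; in a real relying party the values would come from the DER-decoded SignedAttrs and TBSCertificate rather than from strings, but the window comparison is the same.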