Re: [Sidrops] proposed, revised text for Section 6

Oleg Muravskiy <oleg@ripe.net> Wed, 06 May 2020 12:36 UTC

Return-Path: <oleg@ripe.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36B083A0A05 for <sidrops@ietfa.amsl.com>; Wed, 6 May 2020 05:36:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r1bvIW3swcxy for <sidrops@ietfa.amsl.com>; Wed, 6 May 2020 05:36:05 -0700 (PDT)
Received: from molamola.ripe.net (molamola.ripe.net [IPv6:2001:67c:2e8:11::c100:1371]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F0123A0A24 for <sidrops@ietf.org>; Wed, 6 May 2020 05:35:22 -0700 (PDT)
Received: from bufobufo.ripe.net ([193.0.23.13]) by molamola.ripe.net with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) (envelope-from <oleg@ripe.net>) id 1jWJGj-0003g0-Mr; Wed, 06 May 2020 14:35:21 +0200
Received: from sslvpn.ipv6.ripe.net ([2001:67c:2e8:9::c100:14e6] helo=[IPv6:2001:67c:2e8:1200::516]) by bufobufo.ripe.net with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) (envelope-from <oleg@ripe.net>) id 1jWJGj-0002pX-Hg; Wed, 06 May 2020 14:35:21 +0200
Content-Type: multipart/alternative; boundary="Apple-Mail=_0D2216A0-0B35-493A-B960-4C0C0D416992"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Oleg Muravskiy <oleg@ripe.net>
In-Reply-To: <557f0928-c7b1-4b8d-b3b6-078733f7ef8a@verizon.net>
Date: Wed, 6 May 2020 14:35:20 +0200
Cc: "sidrops@ietf.org" <sidrops@ietf.org>
Message-Id: <1065C1CC-191A-4CFF-A87C-4F1CB165F303@ripe.net>
References: <557f0928-c7b1-4b8d-b3b6-078733f7ef8a.ref@verizon.net> <557f0928-c7b1-4b8d-b3b6-078733f7ef8a@verizon.net>
To: Stephen Kent <stkent=40verizon.net@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
X-ACL-Warn: Delaying message
X-RIPE-Signature: c408758d4ce2e8eb06762a65a3365b741eb87e01f4d6ad15ba135d51b513e5cc
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/vYPJkRJX2_HZvETyuLpwTJ_T2JE>
Subject: Re: [Sidrops] proposed, revised text for Section 6
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 May 2020 12:36:08 -0000

Hi Steve,

I have some comments inline:

> On 4 May 2020, at 22:08, Stephen Kent <stkent=40verizon.net@dmarc.ietf.org> wrote:
> 
> 6.1. Determining Manifest State & Object Acceptance
> 
>  
>    For a given publication point, and given CA instance, an RP MUST perform 
>    the following tests to determine the manifest state of the publication
>    point. (Note that, during CA key rollover [RFC6489], signed objects for
>    two or more different CA instances will appear at the same publication 
>    point. The tests described below are to be performed for a specified CA
>    instance, i.e., a the manifest’s EE certificate was issued by that CA.)
>  
>    1. Select the CA's current manifest (the "current" manifest is the 
>        manifest issued by this CA  having the highest manifestNumber among 
>        all valid manifests (as defined in Section 4.4).

Without additional context (the discussion we've had here on the list), it would not be clear for the reader where the possible multiple candidates for the “current”  manifest come from. The CA certificate contains a link (rsync URL) to a manifest, which is only one file, so how could there be multiple options to “select” from? I guess you refer to a possible use of a cache, or a difference between contents of rsync and RRDP repositories?

>  
>       If the publication point does not contain a valid manifest, proceed
>       as described in Section 6.2. (Lacking a valid manifest, the following 
>       tests cannot be performed.)
>  
>    2. Check that the current time (translated to UTC) is between
>       thisUpdate and nextUpdate.
>  
>       If the current time does not lie within this interval, proceed 
>       as described in Section 6.4.
>  
>   3. Acquire all objects at the publication point associated with this 
>      CA instance, i.e., the CRL and each object containing an EE 
>      certificate issued by the CA. If there are files listed in a manifest 
>      that do not  appear at the publication point, then proceed as
>      described  Section 6.5.

Wouldn’t we miss all the subordinate Resource Certificates if we only look at objects containing an EE certificate?
I think it would be enough if we say

	Acquire from this publication point all files listed in a manifest and verify that they are issued by this CA instance.

Although it would be better to expand the “verify” part.

Also, we should probably mention explicitly what the “publication point” is (see my later remark about possible discrepancy between different URLs from the CA cert).

>  
>  
>    4. Verify that the listed hash value of every file listed in the
>       manifest matches the value obtained by hashing the file at the
>       publication point.
>  
>       If the computed hash value of a file listed on the manifest does
>       not match the hash value contained in the manifest, then proceed
>       as described in Section 6.6.
>  
>    5. If a current manifest contains entries for objects that are not
>       within the scope of the manifest, then the out-of-scope entries
>       MUST be disregarded in the context of this manifest.  If there
>       is no other current manifest that describes these objects within
>       that other manifest's scope, then see Section 6.2.
>  
>  
>    Note that there is a “chicken and egg” relationship between the 
>    manifest and the CRL for a given CA instance. If the EE certificate 
>    for the manifest is revoked, the CA or publication point manager has
>    made an error. In this case all signed objects associated with the CA 
>    instance MUST be ignored. Similarly, if the CRL for the CA instance
>    is not listed on a valid, current manifest, all signed objects 
>    associated with the CA instance MUST be ignored, because the CRL is
>    missing.
>  
>  
> 6.2.  Missing Manifests
>  
>    The absence of a current manifest at a publication point could occur
>    due to an error by the publisher or due to (malicious or accidental)
>    deletion or corruption of all valid manifests. 
>  
>    When no valid manifest is available, there is no protection against
>    attacks that delete signed objects or replay old versions of signed
>    objects. To guard against the adverse impact of processing an 
>    incomplete set of signed objects, an RP MUST treat all signed objects
>    associated with the missing manifest as invalid. (These objects are 
>    all issued by the same instance of a CA.) RP software MUST issue a
>    warning when there is no current manifest for a CA instance.
>  
>    An RP may have access to a local cache containing a previously 
>    issued manifest that is still valid. It is RECOMMENDED that the RP
>    not make use of this data, to ensure consistent a consistent outcome
>    in when a manifest is missing. 

The end of last sentence should have some duplicate words removed.

>  
> 6.3.  Invalid Manifests
>  
>    The presence of an invalid manifest at a publication point could
>    occur due to an error by the publisher or due to (malicious or
>    accidental) corruption of a valid manifest.  An invalid manifest MUST
>    never be used, even if the manifestNumber of the invalid manifest is
>    greater than that of other (valid) manifests.
>  
>    If there is no valid, current manifest available at the publication 
>    point for the CA instance, an RP MUST treat the signed objects at the
>    publication point as indicated above in Section 6.2. A warning MUST 
>    be issued when an invalid manifest is encountered.
>  
> 6.4.  Stale Manifests
>  
>    A manifest is considered stale if the current time is after the
>    nextUpdate time for the manifest.  This could be due to publisher
>    failure to promptly publish a new manifest, or due to (malicious or
>    accidental) corruption or suppression of a more recent manifest.
>  
>    All signed objects at the publication point issued by the entity that
>    has published the stale manifest, and all descendant signed objects
>    that are validated using a certificate issued by the entity that has
>    published the stale manifest at this publication point, MUST be
>    treated at invalid and a warning MUST be issued.
>  
>    The primary risk in using such signed objects is that a newer
>    manifest exists that, if present, would indicate that certain objects
>    have been removed or replaced.  (For example, the new manifest might
>    show the existence of a newer CRL and the removal of one or more
>    revoked certificates).  Thus, the use of objects from a stale
>    manifest may cause an RP to incorrectly treat invalid objects as
>    valid.  The risk is that the CRL covered by the stale manifest has
>    been superseded, and thus an RP will improperly treat a revoked
>    certificate as valid. 
>  
>  
> 6.5.  Mismatch between Manifest and Publication Point
>  
>    If there exist valid signed objects associated with a CA instance and
>    they do not appear in any current, valid manifest for this CA instance,

This should probably be the “the current, valid manifest”, not “any” (as we only consider one manifest as the current in 6.1/1)?

>    these objects MUST be ignored by an RP, and a warning MUST be issued.
>  
>    If there are files listed on the manifest that do not appear in
>    the repository, then these objects have been improperly deleted from
>    repository (via malice or accident).  A primary purpose of manifests is 
>    to detect such deletions.  Therefore, in this case, an RP MUST ignore 
>    all signed objects associated with this CA instance.
>  
> 6.6.  Hash Values Not Matching Manifests
>  
>    A file appearing on a manifest with an incorrect hash value could
>    occur because of publisher error, but it also may indicate that an
>    attack has occurred, e.g., one in which an older version of an object
>    has been substituted for a newer version of the object. In this case
>    an RP cannot know the content of the missing object, and thus all
>    signed objects associated with this instance of the CA MUST be ignored 
>    by the RP, and a warning MUST be issued.
> 


I wonder how far we should get with listing all possible inconsistencies in this document, but from my developer’s perspective I think  we should list as much as possible, if we want RP software to behave in the same way.

Going through what we described in RFC8488, one of such inconsistencies is when manifest contains more than one CRL entry.

Another is when the manifest is not in the publication point of a CA certificate. There are two distinct links from the CA certificate – one to the publication point, and one to the manifest. Technically, the manifest link could contain different directory than a publication point link. If you discover a manifest by following the manifest link, and follow the rules applied above, using the link from the CA cert (and not the location of the manifest), you would not catch this discrepancy.
Also note  that similar discrepancy could exist with the CRL location (as it also has its own link from the cert), but that one is covered by the new text above.

Cheers,
Oleg