IETF Logo Mail Archive

Re: [Sidrops] I-D Action: draft-ietf-sidrops-signed-tal-07.txt

Tim Bruijnzeels <tim@nlnetlabs.nl> Fri, 30 July 2021 15:54 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A9CC3A2E1B for <sidrops@ietfa.amsl.com>; Fri, 30 Jul 2021 08:54:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ppq8eWgLqRQ6 for <sidrops@ietfa.amsl.com>; Fri, 30 Jul 2021 08:54:02 -0700 (PDT)
Received: from outbound.soverin.net (outbound.soverin.net [IPv6:2a01:4f8:fff0:65::8:228]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C4373A2E15 for <sidrops@ietf.org>; Fri, 30 Jul 2021 08:54:02 -0700 (PDT)
Received: from smtp.soverin.net (unknown [10.10.3.24]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id D282F52; Fri, 30 Jul 2021 15:53:58 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [159.69.232.138]) by soverin.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1627660438; bh=o2cLBZY3OqlQXCczUnbAO3HrY0VYty/HdU5yzT+m/do=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=Spqusxtid/c8Cf/+W/F6ZgKyBuuFRvJQugipKejMuuMybRV06bmgBpfkHe4iawCbh 4bbEgu8F+7WKNC6abOsnY/lmDK9lPqJzWtBd/BKlAKFQo62KlgGCHaOMSkjIE+sMPY FXiix2tDWO2AvR3WheytXFb4nWvCM6TMIuG9RNh4u2bpWijqzJ4z1xnIwxXLMdeDse MQtO9ZYdaxTbacLuD4E0VICJ1L7zjfudZK70ixQZJ1hzJTStgRxOeDOgtSJXjMn5OE wBJ4nC4m8dqxHVj4NcFpx78f3cPK39lzycXBLMrCKRl/siXVB3YUXALNFjMOi+9BJm TJBb/qZhqnb/g==
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.100.0.2.22\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <m2im0tm43k.wl-randy@psg.com>
Date: Fri, 30 Jul 2021 17:53:55 +0200
Cc: Russ Housley <housley@vigilsec.com>, SIDR Operations WG <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <ECDE5B4F-AC84-4205-800B-928CAF749947@nlnetlabs.nl>
References: <162397132033.32149.10121553443259737639@ietfa.amsl.com> <20210728214216.vuyds2blfjoqyjcw@benm-laptop> <2CFB0083-BCD3-4B7B-A55F-B0C7439C281C@vigilsec.com> <B868D5D0-C8B4-466F-9923-579365E45DD9@nlnetlabs.nl> <20210729130659.klftuj5kk7qgbkzb@benm-laptop> <m2o8alm5qb.wl-randy@psg.com> <4920CF7C-E1E9-4047-8219-218B759BFA2B@vigilsec.com> <m2im0tm43k.wl-randy@psg.com>
To: Randy Bush <randy@psg.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/vrhjxiRhA7O-8cOpyRYY2xXt78o>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-signed-tal-07.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jul 2021 15:54:08 -0000


> On 29 Jul 2021, at 19:17, Randy Bush <randy@psg.com> wrote:
> 
>>> is there something useful which can be said about dealing with
>>> compromise?  e.g. the classic sign new with old far in advance
>>> comes to mind.  i yield the floor to russ.
>> 
>> I like the mechanism described in RFC 8649.
>> 
>> This requires the trust anchor to generate the next key in advance,
>> and store the hash of it in the current self-signed certificate.  This
>> allows the relying party to recognize the successor TA when it gets
>> published.
> 
> wfm

RPKI RPs do not ship with TA (CA) certificates. They get the latest certificate for each validation run based on the TAL (RFC 8630).

Including an optional non-critical extension like this for a new key in that certificate could be done, but I am not sure that all RPs will ignore the extension if they don't understand it. This would have to be tested.

Furthermore, what is then the next step? If we would simply replace that TA certificate with one for the new key, then this could work for RPs which support the extension and have seen the hash of the new key. They would find a certificate that does not match the TAL, but they could accept it because they had learned the key. But it would not work for RPs that do not support this, or fresh installations (without prior state) using an old TAL (with the fingerprint of the previous key).

Please correct me, but I guess it implies a process like:
- generate the new key
- include the hash in the old key certificate

When the time comes to use the new key:
- operate both keys in parallel
- distribute a TAL for the new key, ask for it to packaged with new RPs

When the time comes to remove the old key:
- perhaps start publishing the new key's CA certificate on the old key's TAL location
- RPs which learned the new key hash earlier could accept it
- Accept that out-of-date RPs, or RPs which do not support the extension, will be left behind at this point

The main advantage that I can see is that we would not need a new signed-tal object type. But the drawback is that we can not leave way pointers for outdated RPs. The proposal as written suggests to keep these around as pointers for outdated RPs. The security assumption / caveat is that the old key is not compromised, preferably was kept in an HSM, and is destroyed when it is no longer used. And that an attacker cannot derive the old private key (brute force?) and has access to the old key's CA certificate publication point.

So, with signed-tal if the old key is compromised then old RPs with old TALs can be fooled. But I think the same can be said if we used the hash approach - RPs with outdated TALs could then be misled as well.

To be clear: I am not opposed to better ideas than the signed-TAL approach described now, but I want to understand how and why they are better, and what the consequences and trade-offs are.



Tim








> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops

v2.23.0 | Report a Bug | By Email