IETF Logo Mail Archive

Re: [Sidrops] I-D Action: draft-ietf-sidrops-cms-signing-time-03.txt

Ties de Kock <tdekock@ripe.net> Fri, 19 January 2024 13:20 UTC

Return-Path: <tdekock@ripe.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E89AC151080 for <sidrops@ietfa.amsl.com>; Fri, 19 Jan 2024 05:20:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ripe.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZYpJQwJ3Dwn2 for <sidrops@ietfa.amsl.com>; Fri, 19 Jan 2024 05:20:13 -0800 (PST)
Received: from mail-mx-2.ripe.net (mail-mx-2.ripe.net [IPv6:2001:67c:2e8:11::c100:1312]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA78AC15109F for <sidrops@ietf.org>; Fri, 19 Jan 2024 05:20:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ripe.net; s=s1-ripe-net; h=To:Cc:Date:Subject:Mime-Version:Content-Type:Message-Id:From ; bh=ifoO6W1kwGTXO9j/C8wPEH3q4i8ZsJRs2sebRVkWlyg=; b=U0X2jCSQVYdxdd8p/IHobC4H I2OkkWeBCzQe4hi1cvM5QGRJBk3Oey4DjHNioTQ8zwKklNiZnIOtqXA/hz4dCsgfxu90NRIDthNyZ mhPomc5V2Mj8nPVb1pGvI0+2B4tLvD+V3QHCodKBnXlqWujuacYEAui2IbC3C/fCC2xFlKoB+oR8V C78FZ7YGEBJjmo3XdqaX3hXmKajFsDDEiLSstPQdrDCKnvlvJP7GPucN1LnszH2/mfKjHnhZj+DZR zicV9VwXZMxVmY3SkjYhNl6QSjxQqFfU0zK7+5ZrHjvDuFLUoIKo2TGuh8RlkvYWR8zUgtIqjAaEJ BUD1G3APmA==;
Received: from imap-01.ripe.net ([2001:67c:2e8:23::c100:170e]:58274) by mail-mx-2.ripe.net with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384 (Exim 4.96.2) (envelope-from <tdekock@ripe.net>) id 1rQon2-000ZKz-1F; Fri, 19 Jan 2024 13:20:08 +0000
Received: from sslvpn.ipv6.ripe.net ([2001:67c:2e8:9::c100:14e6] helo=smtpclient.apple) by imap-01.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96.2) (envelope-from <tdekock@ripe.net>) id 1rQon2-004GmI-0w; Fri, 19 Jan 2024 13:20:08 +0000
From: Ties de Kock <tdekock@ripe.net>
Message-Id: <5AF9DD6B-A4F0-4C20-9E0E-62144D013D44@ripe.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_72FDBFEB-B8C8-4999-92AF-B835D35B9889"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.300.61.1.2\))
Date: Fri, 19 Jan 2024 14:19:57 +0100
In-Reply-To: <ZapoTxRlSvSSVqk_@snel>
Cc: sidrops@ietf.org
To: Job Snijders <job=40fastly.com@dmarc.ietf.org>
References: <170561454824.54895.360140302624981870@ietfa.amsl.com> <ZamgKc5PTJPDcISD@snel> <C10EC4E3-9A59-4BBA-B5DC-DB4680AD0B0D@ripe.net> <ZapR2qVBAu7lECFB@snel> <7547BE09-8FF6-40F4-BC6E-388BAEFE6CD6@ripe.net> <ZapoTxRlSvSSVqk_@snel>
X-Mailer: Apple Mail (2.3774.300.61.1.2)
X-RIPE-Signature: 059faafd1cc22ebb05e1592c815fe1e1463f9976347ba22465ccf2c6df01eaea
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/xD35DmhQnj9PoGQq7iqrL2NN-lI>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-cms-signing-time-03.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jan 2024 13:20:15 -0000


> On 19 Jan 2024, at 13:17, Job Snijders <job=40fastly.com@dmarc.ietf.org> wrote:
> 
> On Fri, Jan 19, 2024 at 12:25:56PM +0100, Ties de Kock wrote:
>>>> This has significantimpact on implementations that are fully
>>>> conforming to rfc6488 and has a significant impact on those
>>>> implementations, effectively invalidating their test set of
>>>> objects.
>>> 
>>> Indeed, RFC 6488 is updated and simpified. Preventing invalidation
>>> of a set of private objects which solely exist for regression
>>> testing seems a non-goal to me? It seems unsurprising to me that a
>>> full coverage test suite for 6488 objects may need to be updated if
>>> 6488 is updated.
>> 
>> I am fine with mandating the existence of signing time. That provides
>> value now that we have found a goal for that attribute that was unused
>> until last year.
>> 
>> Based on the document, the reason to go further than mandating signing
>> time is aesthetics imo. In my opinion, based on the document, we lack
>> motivation for the further changes.
> 
> On the contrary - while revisiting 6488's formal signing time
> requirements, it makes a lot of sense to simplify closely related data
> fields. For example removing the requirement for RPs to (if both of
> these attributes are present), check whether they provide the same date
> and time is a welcome simplification. On top of that the binary
> signing-time attribute does not appear in the global RPKI, so no CAs
> become noncompliant, making this an easy win.
> 
>>>> It also invalidates objects generated by public CA implementations if
>>>> a feature is enabled.
>>> 
>>> Extensive long-term quantitative research showed that no public
>>> Certification Authorities issue and publish Signed Object with a CMS
>>> binary signing-time attribute. The complete absence of the binary
>>> signing-time attribute in the global RPKI is a positive signal that it
>>> is feasible to formally disallow the attribute. I suspect that lack of
>>> support for binary signing-time in commonly used libraries contributed
>>> to binary signing-time's lackluster fashionability in the field.
>> 
>> I agree that implementations of 6488 have generally skipped the checks
>> mandated on signing time.
>> 
>>> 
>>>> Please elaborate on the improvement in security posture this gives iff
>>>> any.
>>> 
>>> There are more angles to consider than just security posture:
>>> disallowing the binary signing-time attribute simplifies implementations
>>> on both the signer and the RP side: instead of enumerating, parsing,
>>> checking for duplicate attributes, and also comparing the encoded
>>> timestamps against each other for both normal & binary signing-time
>>> attributes; after publication of this draft RPs merely need to confirm
>>> the absence of the binary signing-time attribute. To me this seems is a
>>> welcome simplification.
>> 
>> Now we are getting to the core of what confuses me. My read of the
>> draft is that binary signing time can still be present, just not in
>> the set of signed attributes (this would not comply to RFC6019, but
>> implementations have ignored RFC6019 in general so far). This draft
>> may even introduce malleability this way.
>> 
>> How about:
>>  * Mandating that the binary signing time attribute MUST NOT be
>>    present (signed or unsigned). Yes, this is in RFC6019. But we no
>>    longer refer to that. And as you said, some RPs have not implemented
>>    those MUSTs because of a lack of library support.
> 
> RFC 6488 section 2.1.6.7 already forbids the presence of unsigned
> attributes entirely. The draft at hand does not change this requirement.
> Rpki-client checks for the presence of unsigned attributes and treats
> objects as invalid if the count is non-zero.

I was going off my memory here. Our implementation of PRKI parsing in rpki
commons (and thus the ripe validator if anyone still runs that, if so: migrate
from this unsupported software ASAP) treats CMS with unsigned attributes as
invalid as well.

For those using the BBN conformance objects,
538 SigInfoUnSigAttrs        # has unsigned attribute 6488#2.1.6.7

I could easily update a test environment to use unsigned attributes in the top
level manifest if there is any interest in that.

> 
> Additionally, RFC 6019 forbids binary signing-time to be an unsigned
> attribute, unauthenticated attribute, or unprotected attribute.

Iff people implemented RFC 6019 there would be no downside in having either
type possible.

We effectively live in a world where, for most implementations, RFC 6019 does
not exist. That makes that I would not want to rely on anything in that
document.

> 
> RFC 5652 section 11.3 explicitly forbids normal signing-time to be an
> unsigned attribute, unauthenticated attribute, or unprotected attribute.
> 
> I don't see how malleability is introduced.
> 
>>  * Clarifying in security considerations that the previous profile
>>    allowed objects to have ambiguous singing time if the implementation
>>    was not standard compliant and this document prevents objects from
>>    having ambiguous signing time?
> 
> Aren't all bets off when implementations are noncompliant? :-)
> 
> I think I agree with the gist of what you're saying, but I'm not
> entirely sure what to add that's not already covered by existing
> literature.

Let’s add the local improvement somewhere in the doc, maybe security
considerations? “the status quo is that most implementations are not compliant
with RFC 6019, this causes signing time to be ambiguous when interoperating
between implementations"

v2.23.0 | Report a Bug | By Email