Re: [Sidrops] mft/ee validity time window alignment issue - Re: I-D Action: draft-ietf-sidrops-6486bis-05.txt
Job Snijders <job@fastly.com> Fri, 09 July 2021 11:24 UTC
Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 605F03A1DB7 for <sidrops@ietfa.amsl.com>; Fri, 9 Jul 2021 04:24:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.498
X-Spam-Level:
X-Spam-Status: No, score=-1.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_SBL=0.5, URIBL_SBL_A=0.1] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iM6Ew_LCiqsK for <sidrops@ietfa.amsl.com>; Fri, 9 Jul 2021 04:24:44 -0700 (PDT)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 153003A1DB9 for <sidrops@ietf.org>; Fri, 9 Jul 2021 04:24:43 -0700 (PDT)
Received: by mail-ed1-x52c.google.com with SMTP id m17so13280061edc.9 for <sidrops@ietf.org>; Fri, 09 Jul 2021 04:24:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to; bh=jyJ6lGhVpUmHQkCYVqhezRloCABvbcIJsCDccV79wBE=; b=aUfzPyh4TAjTRV/g7z1jyotes6gt7HJRAftOc7y+1qUbHad/x4NBS/00D0ElNNJqVr zXB1Via3WTdLCj0kenPJHj/sxib4jIMALgQtCXpncCDQdcy1vy458hsypTEx3tghj/fD mwGJNsgtUF0Sym49jd6l0GIcRp12fh6nFjT7M=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to; bh=jyJ6lGhVpUmHQkCYVqhezRloCABvbcIJsCDccV79wBE=; b=a7ir3Rc4k6rvcdx1XajLtXZWllkF5uVqdBZ9pvDFb5xrfIPT91CTu07tRzQwLtdBXR 2+KNP2onMBJK9RpQFJz8mr3Zp6kv6cRjOI1wbudzIUV8CEel0Qe6Fh4KKwtKYA0vcH3x VCWa7MRWnw4jVB4hvtP+7K2PkZ9fc4Be++SgkquS5WyS3TaUEVs4p3TKzksSyEw2XV/c 26Qo1KGd2yJ5B2UNAWob+24C2jwMB3kKEzOgYov5UqH/IgjnzUoNVxl8K1lygb/iAC52 czozbMYXi4A93oANEb3UImFv2um7gW0QPgG3wUxek4O2y+U2Zyg+n7cvSJNhW60chohL fmzg==
X-Gm-Message-State: AOAM532AQrMUm0KF2fHgONiszayDy6OnvLXfBPGAv0/5DLU8kYDoreuy 55i7WIQbjcQ/GbSiZp9Vx59Eaw==
X-Google-Smtp-Source: ABdhPJwO2Opo4Lex+T1GvH4wEDv8PNg/hrc0wCpwDLIIsmWWdZZ0UZnJnmWbwmcmvqZaWRkdmzSW4A==
X-Received: by 2002:aa7:d4d4:: with SMTP id t20mr19910378edr.190.1625829880048; Fri, 09 Jul 2021 04:24:40 -0700 (PDT)
Received: from snel ([2a10:3781:276:0:21e:c2ff:fefb:f388]) by smtp.gmail.com with ESMTPSA id j6sm2981390eds.58.2021.07.09.04.24.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Jul 2021 04:24:39 -0700 (PDT)
Date: Fri, 09 Jul 2021 13:24:38 +0200
From: Job Snijders <job@fastly.com>
To: Ties de Kock <tdekock@ripe.net>
Cc: SIDR Operations WG <sidrops@ietf.org>
Message-ID: <YOgx9mLDtQODfSf2@snel>
References: <162574988984.26098.17271669200254285008@ietfa.amsl.com> <YOc/X/fqp5RepPQD@snel> <3077EE58-C035-4A0D-91C7-AB44B33025D1@nlnetlabs.nl> <YOgsGYWF/E/s2Dwq@snel> <D89D1B55-66CD-4D85-9C31-B94AADB6C43E@ripe.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <D89D1B55-66CD-4D85-9C31-B94AADB6C43E@ripe.net>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/yAkKMrxdFv2p-ok7bSO-dwZgRTE>
Subject: Re: [Sidrops] mft/ee validity time window alignment issue - Re: I-D Action: draft-ietf-sidrops-6486bis-05.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jul 2021 11:24:48 -0000
On Fri, Jul 09, 2021 at 01:14:15PM +0200, Ties de Kock wrote: > > Can you elaborate on your concern related to NTP and the need for > > backdating? > > I would suspect that Tim’s concern is that a certificate is > effectively published and read by an RP before its validity period > starts according to the local clock of the RP. > > I have encountered this when using a VM where the clock had drifted. > > I would expect that there is a fair amount of clock drift between RPs > and issuing at the ‘current’ time gives a risk of objects being > rejected by (a few) RPs. I would argue that's the type of problem those few RPs need to overcome themselves If the RP clock is wrong, the RP clock is wrong, which (in my opinion) is not something the CA should try to resolve on their side. :-) Even if the RP rejects some objects (because the RP's clock drifted), the chances of the RP accepting the objects at the next validation run are very high, because the RP will come back in 10 to 60 minutes. Backdating to me seems a practic that'll cause confusion down the road, and without backdating time-drifted RPs are likely to pick up the objects a few minutes later anyway. Any log messages about 'not yet valid objects' might help encourage the RPKI operator to fix their clock. Masking such error messages through backdating is not entirely helpful. Where in WebPKI there might be an incentive for slight backdating (even though it is consider a bad practise), inherent in the application of the TLS technology stack there is no requirement 'to try again later', in the RPKI technology stack we have clear requirements and expectations about RPs periodically polling the CA repositories. This difference in application and difference in timing parameters prompts me to caution against backdating. Kind regards, Job
- [Sidrops] I-D Action: draft-ietf-sidrops-6486bis-… internet-drafts
- [Sidrops] mft/ee validity time window alignment i… Job Snijders
- Re: [Sidrops] mft/ee validity time window alignme… Tim Bruijnzeels
- Re: [Sidrops] mft/ee validity time window alignme… Job Snijders
- Re: [Sidrops] mft/ee validity time window alignme… Ties de Kock
- Re: [Sidrops] mft/ee validity time window alignme… Job Snijders
- Re: [Sidrops] mft/ee validity time window alignme… Julian Reschke
- Re: [Sidrops] mft/ee validity time window alignme… Stephen Kent
- Re: [Sidrops] mft/ee validity time window alignme… Stephen Kent
- Re: [Sidrops] mft/ee validity time window alignme… Job Snijders
- Re: [Sidrops] mft/ee validity time window alignme… Russ Housley
- Re: [Sidrops] mft/ee validity time window alignme… Job Snijders
- Re: [Sidrops] mft/ee validity time window alignme… Stephen Kent
- Re: [Sidrops] mft/ee validity time window alignme… Tim Bruijnzeels
- Re: [Sidrops] mft/ee validity time window alignme… Stephen Kent
- Re: [Sidrops] mft/ee validity time window alignme… Tim Bruijnzeels