IETF Logo Mail Archive

Re: [Sidrops] what to do when the CRL is hosed?

Tim Bruijnzeels <tim@nlnetlabs.nl> Tue, 24 March 2020 14:05 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A4C23A047F for <sidrops@ietfa.amsl.com>; Tue, 24 Mar 2020 07:05:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VhbpmQQ2xE-W for <sidrops@ietfa.amsl.com>; Tue, 24 Mar 2020 07:05:14 -0700 (PDT)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [185.49.140.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31C4D3A077D for <sidrops@ietf.org>; Tue, 24 Mar 2020 07:05:13 -0700 (PDT)
Received: from [192.168.1.6] (unknown [177.37.212.238]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id 0A36A21600; Tue, 24 Mar 2020 15:05:10 +0100 (CET)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=fail (p=none dis=none) header.from=nlnetlabs.nl
Authentication-Results: dicht.nlnetlabs.nl; spf=fail smtp.mailfrom=tim@nlnetlabs.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1585058711; bh=TTA5Onb7ZxrBo7TCn+yV4oR80zqctl7vo6UKYdmR63k=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=ij4lcYTBy8tPwf9wGpXtwPq7gcApPeNnTEMCJA6fH+9v1tmmuh9d2qIOH+HmVmbX6 ceH2pUPpr8vCBihIj/dIFeMNVM59K6O9PQeyYnypworeaobVrvednynKPknUXkzHAi BDtTeuY2OUn9AmcWnwQ66NWrMb+j6aKjgkrKJjxk=
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <BBE92EA7-5017-462B-A071-2F0F72F2C06D@nlnetlabs.nl>
Date: Tue, 24 Mar 2020 11:05:09 -0300
Cc: SIDR Operations WG <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <9860FAC3-5473-42EE-B2DC-BBBEF3E1A2FB@nlnetlabs.nl>
References: <20200224151532.GD19221@vurt.meerval.net> <20200224211531.GB60925@vurt.meerval.net> <20200225090338.10464b1a@glaurung.nlnetlabs.nl> <9cc3a6a5-f9c8-23df-588e-48dee5db62d4@verizon.net> <3B7006DE-5366-47E7-9CD6-AF392F9ED0CC@nlnetlabs.nl> <6602d1a7-ecbf-73a0-21d8-1254fb2aff97@verizon.net> <253D1ED7-52D8-4A00-9D69-095E61D09C9F@nlnetlabs.nl> <db920115-e188-700f-ceb2-08cd2996046a@verizon.net> <BBE92EA7-5017-462B-A071-2F0F72F2C06D@nlnetlabs.nl>
To: Stephen Kent <stkent=40verizon.net@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/ztREfLd0_9qr_yMzTKF5rSYMCBw>
Subject: Re: [Sidrops] what to do when the CRL is hosed?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Mar 2020 14:05:16 -0000


> On 24 Mar 2020, at 11:02, Tim Bruijnzeels <tim@nlnetlabs.nl> wrote:
> 
> 
> 
>> On 23 Mar 2020, at 10:33, Stephen Kent <stkent=40verizon.net@dmarc.ietf.org> wrote:
>> 
>> Tim,
>>> In general I agree. Which is why I mentioned the example of objects one might find published outside of the context of the RPKI repository, and *not* listed on a manifest. Such objects have yet to be invented but theoretically one can think of signed structures under an existing RPKI CA cert (e.g. using their own embedded EE) - which is shared out-of-band between parties. 
>> That's a very forward-looking perspective, one I had not considered.
>>> What I am suggesting is that we *could* update 6486 and make validation more restrictive regarding manifests:
>>> - all objects on a manifest must be present and accounted for (I agree with Job regarding partial withhold attacks)
>>> - all objects on a manifest need to be validated
>>> - objects that are not on a manifest can be considered invalid
>>> 
>>> This is in-line with the specifications defined in RFC 6481 (A Profile for Resource Certificate Repository Structure), which essentially says that all current objects must be published, and that no invalid objects may be published.
>> agree.
>>> Then, if the manifest is already a signed statement of everything that is current, at least regarding the currently defined object types, as defined in RFC 6481, then what is gained by checking that CA was also capable of generating a CRL - using the same authoritative key and publication method - that confirms that the objects that are current according to the manifest are indeed not revoked?
>> 
>> I agree that with strict Manifest processing, CRLs provide redundant info. But, by that argument, why bother checking to see if certs are expired, since that too is redundant in a strict Manifest processing scenario?
>> 
>>> Requiring the CRLs just feels like unnecessary brittleness to me (again in the context of RFC 6486). It creates multiple loci for bugs in CA implementations, and complicated error conditions that need to be checked by RPs. This is what I meant with the perhaps poorly chosen word 'pedantic'. Maybe I should have used the word 'redundancy'. Redundancy may seem like a good idea in general, but in this case it really only allows for the possibility of two conflicting signed messages. Thus it seems that this does not increase security, but provides more ways for things to break.
>> 

One more thought.. specifically on this:

>> redundancy is often beneficial in security systems. it helps prevent a single error from having terrible consequences.


It's the same engine that signs both CRLs and MFTs. I believe that this increases the chance of bugs in signing, and orchestration of publication. And a failure in any of these cases can lead to bad results.



>> But, this strategy works only if one is flexible when responding  to an inconsistency between redundant pieces of info.
>> 
> 
> But, redundancy also introduces more moving parts which can break, and corner conditions to check.
> 
> Now it's fairly easy to get temporary inconsistencies. If CAs publish objects one by one, or in case rsync is used as a fetch mechanism (I believe that objects might change during an rsync 'session'). RRDP can resolve this, but only if CAs indeed publish their change set as a single delta.
> 
> But even with all that, my inner engineer would like to see as few moving parts as we safely get away with.
> 
> Failing that I believe one agreed on way to deal with each possible corner case between MFT and CRL is needed.




> 
> 
> 
> 
>> Steve
>> 
>> _______________________________________________
>> Sidrops mailing list
>> Sidrops@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidrops

v2.23.0 | Report a Bug | By Email