Re: [sidr] [Technical Errata Reported] RFC8182 (7239)

2023-01-23 Thread John Scudder
Hi All,

I see this erratum went to sidr@ but not sidrops@. I suspect there is 
considerable overlap between the two lists, but just in case, I thought I’d add 
sidrops before any disposition is decided for the erratum. The discussion so 
far is at 
https://mailarchive.ietf.org/arch/msg/sidr/7ZwQsV9gsqEgZurkf1nAtCvlZes/ 

If you do have an opinion and haven’t chimed in yet, now would be a good time. 

Thanks,

—John


> On Nov 4, 2022, at 7:38 AM, RFC Errata System wrote:
> 
> The following errata report has been submitted for RFC8182,
> "The RPKI Repository Delta Protocol (RRDP)".
> 
> --
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid7239
> 
> --
> Type: Technical
> Reported by: Job Snijders 
> 
> Section: 3.2
> 
> Original Text
> -
> Certificate Authorities that use RRDP MUST include an instance of an
> SIA AccessDescription extension in resource certificates they
> produce, in addition to the ones defined in [RFC6487]:
> 
> Corrected Text
> --
> Certificate Authorities that use RRDP MUST include an instance of an
> SIA AccessDescription extension in CA resource certificates they
> produce, in addition to the ones defined in [RFC6487]:
> 
> Notes
> -
> Between draft-ietf-sidr-delta-protocol-04 and 
> draft-ietf-sidr-delta-protocol-05 a bit of text was removed (perhaps because 
> it was considered redundant). But, unfortunately that snippet helped 
> establish important context as to what types of certificates are expected to 
> contain the id-ad-rpkiNotify accessMethod inside the Subject Information 
> Access extension. The text that was removed:
> 
> """
> Relying Parties that do not support this delta protocol MUST NOT
> reject a CA certificate merely because it has an SIA extension
> containing this new kind of AccessDescription.
> """
> 
> From the removed text it is clear that id-ad-rpkiNotify was only expected to 
> show up on CA certificates. However, without the above text, Section 3.2 of 
> RFC 8182 is somewhat ambiguous whether 'resource certificates' is inclusive 
> of EE certificates or not.
> 
> RFC 6487 Section 4.8.8.2 sets expectations that only id-ad-signedObject is 
> expected to show up in the SIA of EE certificates "Other AccessMethods MUST 
> NOT be used for an EE certificates's SIA."
> 
> The ambiguity in RFC8182 led to one RIR including id-ad-rpkiNotify in the SIA 
> of the EE certificate of all signed objects they produce (such as ROAs). The 
> RIR indicated they'll work to remove id-ad-rpkiNotify from all EE 
> certificates their CA implementation produces.
> 
> It should be noted that the presence of id-ad-rpkiNotify in EE certificates 
> is superfluous; Relying Parties can't use the rpkiNotify accessMethod in EE 
> certificates for any purpose in the validation decision tree.
> 
> (Verifying this Errata does not block a future transition from rsync to 
> https; as RFC6487 Section 4.8.8.2 leaves room for additional instances of 
> id-ad-signedObject with non-rsync URIs)
> 
> Instructions:
> -
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> can log in to change the status and edit the report, if necessary.
> 
> --
> RFC8182 (draft-ietf-sidr-delta-protocol-08)
> --
> Title   : The RPKI Repository Delta Protocol (RRDP)
> Publication Date: July 2017
> Author(s)   : T. Bruijnzeels, O. Muravskiy, B. Weber, R. Austein
> Category: PROPOSED STANDARD
> Source  : Secure Inter-Domain Routing
> Area: Routing
> Stream  : IETF
> Verifying Party : IESG

___
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr


Re: [sidr] [Technical Errata Reported] RFC8182 (7239)

2022-12-08 Thread Job Snijders
In response to Russ:

On Thu, Dec 08, 2022 at 10:20:54AM -0500, Russ Housley wrote:
> RFC 5280 defines the SIA extension, and it says:
> 
>    This profile defines one access method to be used when the subject is
>    a CA and one access method to be used when the subject is an end
>    entity.  Additional access methods may be defined in the future in
>    the protocol specifications for other services.
> 
> I think it is pretty clear that new access methods are expected to come
> along over time.

Sure, but that's not what RFC 8182 intended to accomplish in context of
RPKI EE certificates. RFC 8182 did not update RFC 6487 section 4.8.8.2.
RPKI EE certificates only contain one or more instances of
id-ad-signedObject in their SIA extension.

The point of this Errata is to clarify that only CA certificates are
expected to (optionally) contain an instance of the rpkiNotify
AccessDescription; EE certificates are not expected to contain an
instance of rpkiNotify.

Preparing for future extensibility is easier in a tidy house.

Kind regards,

Job
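
The profile rule discussed in this thread (an EE certificate's SIA carries only id-ad-signedObject; id-ad-rpkiNotify belongs on CA certificates) written as a small SIA linter. This is an added example, not code from any participant or RPKI implementation; it takes the raw DER value of the SIA extension, and the function names, sample URIs and host names are constructed for illustration.

```python
AD = bytes.fromhex("2b060105050730")   # DER contents prefix of 1.3.6.1.5.5.7.48 (id-ad)
NAMES = {AD + b"\x05": "id-ad-caRepository", AD + b"\x0a": "id-ad-rpkiManifest",
         AD + b"\x0b": "id-ad-signedObject", AD + b"\x0d": "id-ad-rpkiNotify"}
CA_REQUIRED = ("id-ad-caRepository", "id-ad-rpkiManifest")   # RFC 6487, 4.8.8.1

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def sia_entries(sia_der):
    """Parse a DER SubjectInfoAccessSyntax value into [(method, uri)]."""
    tag, seq, _ = read_tlv(sia_der, 0)
    if tag != 0x30:
        raise ValueError("SIA is not a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        _, desc, pos = read_tlv(seq, pos)          # AccessDescription
        _, oid, nxt = read_tlv(desc, 0)            # accessMethod OID
        loc_tag, loc, _ = read_tlv(desc, nxt)      # accessLocation
        uri = loc.decode("ascii") if loc_tag == 0x86 else None   # [6] URI
        out.append((NAMES.get(oid, oid.hex()), uri))
    return out

def lint_sia(sia_der, is_ca):
    """Return findings; an empty list means the SIA fits the profile."""
    methods = [m for m, _ in sia_entries(sia_der)]
    if is_ca:   # id-ad-rpkiNotify is accepted here, never required
        return [f"CA certificate SIA lacks {m}" for m in CA_REQUIRED
                if m not in methods]
    findings = [f"{m} MUST NOT appear in an EE certificate SIA"
                for m in methods if m != "id-ad-signedObject"]
    if "id-ad-signedObject" not in methods:
        findings.append("EE certificate SIA lacks id-ad-signedObject")
    return findings

def build_sia(entries):
    """Constructed sample input: DER-encode [(last_arc, uri)] as an SIA value."""
    def tlv(tag, body):
        n = len(body)                              # samples stay under 256 bytes
        return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body
    return tlv(0x30, b"".join(
        tlv(0x30, tlv(0x06, AD + bytes([arc])) + tlv(0x86, uri.encode()))
        for arc, uri in entries))

# Constructed samples; host names are placeholders, not real repositories.
RSYNC, RRDP = "rsync://rpki.example.net/repo/", "https://rrdp.example.net/notification.xml"
EE_GOOD = build_sia([(11, RSYNC + "a.roa")])
EE_BAD = build_sia([(11, RSYNC + "a.roa"), (13, RRDP)])
CA_OK = build_sia([(5, RSYNC), (10, RSYNC + "ca.mft"), (13, RRDP)])
```

`lint_sia(EE_BAD, is_ca=False)` reports the case described in the erratum notes: an rpkiNotify AccessDescription on the EE certificate of a signed object.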



Re: [sidr] [Technical Errata Reported] RFC8182 (7239)

2022-12-08 Thread Russ Housley
RFC 5280 defines the SIA extension, and it says:

   This profile defines one access method to be used when the subject is
   a CA and one access method to be used when the subject is an end
   entity.  Additional access methods may be defined in the future in
   the protocol specifications for other services.

I think it is pretty clear that new access methods are expected to come along 
over time.

Russ


> On Dec 7, 2022, at 12:22 AM, Tom Harrison wrote:
> 
> On Fri, Nov 04, 2022 at 04:38:12AM -0700, RFC Errata System wrote:
>> The following errata report has been submitted for RFC8182,
>> "The RPKI Repository Delta Protocol (RRDP)".
>> 
>> --
>> You may review the report below and at:
>> https://www.rfc-editor.org/errata/eid7239
>> 
>> --
>> Type: Technical
>> Reported by: Job Snijders 
>> 
>> Section: 3.2
>> 
>> Original Text
>> -
>> Certificate Authorities that use RRDP MUST include an instance of an
>> SIA AccessDescription extension in resource certificates they
>> produce, in addition to the ones defined in [RFC6487]:
>> 
>> Corrected Text
>> --
>> Certificate Authorities that use RRDP MUST include an instance of an
>> SIA AccessDescription extension in CA resource certificates they
>> produce, in addition to the ones defined in [RFC6487]:
>> 
>> Notes
>> -
>> Between draft-ietf-sidr-delta-protocol-04 and
>> draft-ietf-sidr-delta-protocol-05 a bit of text was removed (perhaps
>> because it was considered redundant). But, unfortunately that
>> snippet helped establish important context as to what types of
>> certificates are expected to contain the id-ad-rpkiNotify
>> accessMethod inside the Subject Information Access extension. The
>> text that was removed:
>> 
>> """
>> Relying Parties that do not support this delta protocol MUST NOT
>> reject a CA certificate merely because it has an SIA extension
>> containing this new kind of AccessDescription.
>> """
>> 
>> From the removed text it is clear that id-ad-rpkiNotify was only
>> expected to show up on CA certificates. However, without the above
>> text, Section 3.2 of RFC 8182 is somewhat ambiguous whether
>> 'resource certificates' is inclusive of EE certificates or not.
>> 
>> RFC 6487 Section 4.8.8.2 sets expectations that only
>> id-ad-signedObject is expected to show up in the SIA of EE
>> certificates "Other AccessMethods MUST NOT be used for an EE
>> certificates's SIA."
>> 
>> The ambiguity in RFC8182 led to one RIR including id-ad-rpkiNotify
>> in the SIA of the EE certificate of all signed objects they produce
>> (such as ROAs). The RIR indicated they'll work to remove
>> id-ad-rpkiNotify from all EE certificates their CA implementation
>> produces.
> 
> I agree with this report.  (APNIC is the RIR referred to in this
> paragraph, and we also found the text to be unclear when we were
> implementing this specification.)
> 
> -Tom
> 


Re: [sidr] [Technical Errata Reported] RFC8182 (7239)

2022-12-07 Thread Oleg Muravskiy
On Fri, Nov 04, 2022 at 04:38:12AM -0700, RFC Errata System wrote:
> The following errata report has been submitted for RFC8182,
> "The RPKI Repository Delta Protocol (RRDP)".
> 
> --
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid7239
> 
> --
> Type: Technical
> Reported by: Job Snijders 
> 
> Section: 3.2
> 
> Original Text
> -
> Certificate Authorities that use RRDP MUST include an instance of an
> SIA AccessDescription extension in resource certificates they
> produce, in addition to the ones defined in [RFC6487]:
> 
> Corrected Text
> --
> Certificate Authorities that use RRDP MUST include an instance of an
> SIA AccessDescription extension in CA resource certificates they
> produce, in addition to the ones defined in [RFC6487]:
> 
> Notes
> -
> Between draft-ietf-sidr-delta-protocol-04 and
> draft-ietf-sidr-delta-protocol-05 a bit of text was removed (perhaps
> because it was considered redundant). But, unfortunately that
> snippet helped establish important context as to what types of
> certificates are expected to contain the id-ad-rpkiNotify
> accessMethod inside the Subject Information Access extension. The
> text that was removed:
> 
> """
> Relying Parties that do not support this delta protocol MUST NOT
> reject a CA certificate merely because it has an SIA extension
> containing this new kind of AccessDescription.
> """
> 
> From the removed text it is clear that id-ad-rpkiNotify was only
> expected to show up on CA certificates. However, without the above
> text, Section 3.2 of RFC 8182 is somewhat ambiguous whether
> 'resource certificates' is inclusive of EE certificates or not.
> 
> RFC 6487 Section 4.8.8.2 sets expectations that only
> id-ad-signedObject is expected to show up in the SIA of EE
> certificates "Other AccessMethods MUST NOT be used for an EE
> certificates's SIA."
> 
> The ambiguity in RFC8182 led to one RIR including id-ad-rpkiNotify
> in the SIA of the EE certificate of all signed objects they produce
> (such as ROAs). The RIR indicated they'll work to remove
> id-ad-rpkiNotify from all EE certificates their CA implementation
> produces.

I agree with the correction provided in this report.

-- 
Oleg Muravskiy



Re: [sidr] [Technical Errata Reported] RFC8182 (7239)

2022-12-07 Thread Tim Bruijnzeels
Hi,

I agree with this report.

The clarification should have been included. CA certificates were intended - 
RPKI object retrieval is irrelevant in the context of the EE certificates in 
RPKI signed objects. And as Job pointed out the addition of the access 
description would not be allowed there.

Speaking for myself only I have used the term "resource certificate" in the 
RPKI colloquially to refer specifically to RPKI CA certificates. It seems that 
leaked into this specification unintentionally.

Tim

> On 7 Dec 2022, at 13:30, Cobenian wrote:
> 
> I agree that the proposed errata would be a good clarification.
> 
> Thanks,
> Bryan
> 
> 
>> On Dec 7, 2022, at 12:22 AM, Tom Harrison wrote:
>> 
>> On Fri, Nov 04, 2022 at 04:38:12AM -0700, RFC Errata System wrote:
>>> The following errata report has been submitted for RFC8182,
>>> "The RPKI Repository Delta Protocol (RRDP)".
>>> 
>>> --
>>> You may review the report below and at:
>>> https://www.rfc-editor.org/errata/eid7239
>>> 
>>> --
>>> Type: Technical
>>> Reported by: Job Snijders 
>>> 
>>> Section: 3.2
>>> 
>>> Original Text
>>> -
>>> Certificate Authorities that use RRDP MUST include an instance of an
>>> SIA AccessDescription extension in resource certificates they
>>> produce, in addition to the ones defined in [RFC6487]:
>>> 
>>> Corrected Text
>>> --
>>> Certificate Authorities that use RRDP MUST include an instance of an
>>> SIA AccessDescription extension in CA resource certificates they
>>> produce, in addition to the ones defined in [RFC6487]:
>>> 
>>> Notes
>>> -
>>> Between draft-ietf-sidr-delta-protocol-04 and
>>> draft-ietf-sidr-delta-protocol-05 a bit of text was removed (perhaps
>>> because it was considered redundant). But, unfortunately that
>>> snippet helped establish important context as to what types of
>>> certificates are expected to contain the id-ad-rpkiNotify
>>> accessMethod inside the Subject Information Access extension. The
>>> text that was removed:
>>> 
>>> """
>>> Relying Parties that do not support this delta protocol MUST NOT
>>> reject a CA certificate merely because it has an SIA extension
>>> containing this new kind of AccessDescription.
>>> """
>>> 
>>> From the removed text it is clear that id-ad-rpkiNotify was only
>>> expected to show up on CA certificates. However, without the above
>>> text, Section 3.2 of RFC 8182 is somewhat ambiguous whether
>>> 'resource certificates' is inclusive of EE certificates or not.
>>> 
>>> RFC 6487 Section 4.8.8.2 sets expectations that only
>>> id-ad-signedObject is expected to show up in the SIA of EE
>>> certificates "Other AccessMethods MUST NOT be used for an EE
>>> certificates's SIA."
>>> 
>>> The ambiguity in RFC8182 led to one RIR including id-ad-rpkiNotify
>>> in the SIA of the EE certificate of all signed objects they produce
>>> (such as ROAs). The RIR indicated they'll work to remove
>>> id-ad-rpkiNotify from all EE certificates their CA implementation
>>> produces.
>> 
>> I agree with this report.  (APNIC is the RIR referred to in this
>> paragraph, and we also found the text to be unclear when we were
>> implementing this specification.)
>> 
>> -Tom
> 


Re: [sidr] [Technical Errata Reported] RFC8182 (7239)

2022-12-07 Thread Cobenian
I agree that the proposed errata would be a good clarification.

Thanks,
Bryan


> On Dec 7, 2022, at 12:22 AM, Tom Harrison wrote:
> 
> On Fri, Nov 04, 2022 at 04:38:12AM -0700, RFC Errata System wrote:
>> The following errata report has been submitted for RFC8182,
>> "The RPKI Repository Delta Protocol (RRDP)".
>> 
>> --
>> You may review the report below and at:
>> https://www.rfc-editor.org/errata/eid7239
>> 
>> --
>> Type: Technical
>> Reported by: Job Snijders 
>> 
>> Section: 3.2
>> 
>> Original Text
>> -
>> Certificate Authorities that use RRDP MUST include an instance of an
>> SIA AccessDescription extension in resource certificates they
>> produce, in addition to the ones defined in [RFC6487]:
>> 
>> Corrected Text
>> --
>> Certificate Authorities that use RRDP MUST include an instance of an
>> SIA AccessDescription extension in CA resource certificates they
>> produce, in addition to the ones defined in [RFC6487]:
>> 
>> Notes
>> -
>> Between draft-ietf-sidr-delta-protocol-04 and
>> draft-ietf-sidr-delta-protocol-05 a bit of text was removed (perhaps
>> because it was considered redundant). But, unfortunately that
>> snippet helped establish important context as to what types of
>> certificates are expected to contain the id-ad-rpkiNotify
>> accessMethod inside the Subject Information Access extension. The
>> text that was removed:
>> 
>> """
>> Relying Parties that do not support this delta protocol MUST NOT
>> reject a CA certificate merely because it has an SIA extension
>> containing this new kind of AccessDescription.
>> """
>> 
>> From the removed text it is clear that id-ad-rpkiNotify was only
>> expected to show up on CA certificates. However, without the above
>> text, Section 3.2 of RFC 8182 is somewhat ambiguous whether
>> 'resource certificates' is inclusive of EE certificates or not.
>> 
>> RFC 6487 Section 4.8.8.2 sets expectations that only
>> id-ad-signedObject is expected to show up in the SIA of EE
>> certificates "Other AccessMethods MUST NOT be used for an EE
>> certificates's SIA."
>> 
>> The ambiguity in RFC8182 led to one RIR including id-ad-rpkiNotify
>> in the SIA of the EE certificate of all signed objects they produce
>> (such as ROAs). The RIR indicated they'll work to remove
>> id-ad-rpkiNotify from all EE certificates their CA implementation
>> produces.
> 
> I agree with this report.  (APNIC is the RIR referred to in this
> paragraph, and we also found the text to be unclear when we were
> implementing this specification.)
> 
> -Tom



Re: [sidr] [Technical Errata Reported] RFC8182 (7239)

2022-12-06 Thread Tom Harrison
On Fri, Nov 04, 2022 at 04:38:12AM -0700, RFC Errata System wrote:
> The following errata report has been submitted for RFC8182,
> "The RPKI Repository Delta Protocol (RRDP)".
> 
> --
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid7239
> 
> --
> Type: Technical
> Reported by: Job Snijders 
> 
> Section: 3.2
> 
> Original Text
> -
> Certificate Authorities that use RRDP MUST include an instance of an
> SIA AccessDescription extension in resource certificates they
> produce, in addition to the ones defined in [RFC6487]:
> 
> Corrected Text
> --
> Certificate Authorities that use RRDP MUST include an instance of an
> SIA AccessDescription extension in CA resource certificates they
> produce, in addition to the ones defined in [RFC6487]:
> 
> Notes
> -
> Between draft-ietf-sidr-delta-protocol-04 and
> draft-ietf-sidr-delta-protocol-05 a bit of text was removed (perhaps
> because it was considered redundant). But, unfortunately that
> snippet helped establish important context as to what types of
> certificates are expected to contain the id-ad-rpkiNotify
> accessMethod inside the Subject Information Access extension. The
> text that was removed:
> 
> """
> Relying Parties that do not support this delta protocol MUST NOT
> reject a CA certificate merely because it has an SIA extension
> containing this new kind of AccessDescription.
> """
> 
> From the removed text it is clear that id-ad-rpkiNotify was only
> expected to show up on CA certificates. However, without the above
> text, Section 3.2 of RFC 8182 is somewhat ambiguous whether
> 'resource certificates' is inclusive of EE certificates or not.
> 
> RFC 6487 Section 4.8.8.2 sets expectations that only
> id-ad-signedObject is expected to show up in the SIA of EE
> certificates "Other AccessMethods MUST NOT be used for an EE
> certificates's SIA."
> 
> The ambiguity in RFC8182 led to one RIR including id-ad-rpkiNotify
> in the SIA of the EE certificate of all signed objects they produce
> (such as ROAs). The RIR indicated they'll work to remove
> id-ad-rpkiNotify from all EE certificates their CA implementation
> produces.

I agree with this report.  (APNIC is the RIR referred to in this
paragraph, and we also found the text to be unclear when we were
implementing this specification.)

-Tom
