Re: [sidr] two stranded docuemnts - stake time

2016-08-01 Thread Stephen Kent 

Tim,





Although I appreciate that Randy is trying to explain the case in 
terms anyone can understand, it would be preferable to keep it general.

agreed.


(Including a parenthetical note about the historical precedent of a 
Dutch court order involving RIPE is relevant and might be included.)


If there was such a precedent, but there isn't. I have raised this 
before, but again...
I am familiar with the incident. While it is true that the court did not 
order RIPE to do anything with RPKI data, the precedent it set has often 
been cited as an indication of what might happen in the future. That's 
why the adverse actions document identifies the following cause for some 
types of actions:


   There is also the possibility that a CA or repository operator may
   be subject to legal measures that compel them to generate "bogus"
   signed objects or remove legitimate repository data.

This is the sort of more formal language I have encouraged Randy to use 
in the LTA use cases doc, to no avail.


Steve
___
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr

Re: [sidr] two stranded docuemnts - stake time

2016-08-01 Thread Tim Bruijnzeels 
Steve,


> On 01 Aug 2016, at 14:42, Stephen Kent  wrote:
> 
> Tim,
> 
> 
>> 
>> Although I appreciate that Randy is trying to explain the case in terms 
>> anyone can understand, it would be preferable to keep it general.
> agreed.
>> 
>>> (Including a parenthetical note about the historical precedent of a Dutch 
>>> court order involving RIPE is relevant and might be included.)
>> 
>> If there was such a precedent, but there isn't. I have raised this before, 
>> but again...
> I am familiar with the incident. While it is true that the court did not 
> order RIPE to do anything with RPKI data, the precedent it set has often been 
> cited as an indication of what might happen in the future. That's why the 
> adverse actions document identifies the following cause for some types of 
> actions:
> There is also the possibility that a CA or repository operator may be subject 
> to legal measures that compel them to generate "bogus" signed objects or 
> remove legitimate repository data.
> This is the sort of more formal language I have encouraged Randy to use in 
> the LTA use cases doc, to no avail.

You will notice that I did NOT object to this being raised as a possibility as 
such.

I object to presenting a different case altogether as a precedent to support 
the impression that it's not a question of if, but when this will happen.

This is not constructive.

It would be lot more constructive to explain to law enforcers how such an 
action would be ineffective, and ultimately counter productive. Wording like 
this might help:

Law enforcement would be ill-advised to take this cause of action as it 
will degrade the trust that
operators place in the global RPKI. Not only can operators use local policy 
to circumvent the "bogus"
objects - making it an ineffective measure, abuse of this power will also 
lead to operators choosing
not to use RPKI at all. This in turn will mean that critical internet 
infrastructure will remain
vulnerable to hijacks.

In short it should be made clear to "law enforcement" that there is no 
precedent, and that this is very much against their own interests. If they want 
to ban some traffic, there are much more reliable methods at their disposal, 
with much less collateral damage.

Tim

___
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr

Re: [sidr] two stranded docuemnts - stake time

2016-08-01 Thread Stephen Kent 

Tim,

I agree that the preferred approach is to persuade law enforcement folks 
to not view the RPKI as a new tool for taking down sites. However, I 
have already encountered folks in the law enforcement community who 
viewed it as such. I have argued that this wold be bad, but ...


Given the nature of the cited court case I think it's hard to argue that 
a CA in the RPKI will _never_ be compelled to take action by law 
enforcement (or by national intelligence agencies, etc.). Thus I fear it 
really is a case of when, not if.


Steve
___
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr

Re: [sidr] two stranded docuemnts - stake time

2016-08-01 Thread Randy Bush 
you may, or may not, notice that the current i-d does not mention
ripe/ncc

randy

___
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr

Re: [sidr] Validation reconsidered and X.509v3 extension OIDs

2016-08-01 Thread Sean Turner 
> On Jul 21, 2016, at 06:36, Tim Bruijnzeels  wrote:
> 
> Hi Russ,
> 
> Thank you for the pointers. I am traveling now but I will get back to it.
> 
> Thanks
> Tim
> 
>> On 21 Jul 2016, at 10:56, Russ Housley  wrote:
>> 
>> 
>> On Jul 19, 2016, at 9:14 AM, Rob Austein  wrote:
>> 
>>> At Tue, 19 Jul 2016 08:43:00 -0400, Russ Housley wrote:
 
 Does this apply to the Certificate Policy OID too?  If memory is
 correct, the current CP has a normative pinter to RFC 3779.
>>> 
>>> Good catch.
>>> 
>>> Not sure a policy OID change is necessary, although might be simplest.
>>> If there's a reference, we either need to change the OID or change the
>>> definition of what the OID means.
>>> 
>>> IIRC, the OpenSSL library code doesn't do anything RFC-3779-specific
>>> for the policy OID, it just follows the usual rules; it's the RP code
>>> built on top of the library that demands that particular policy OID.
>>> So at least in the OpenSSL case, changing the policy OID may not have
>>> any noticeable effect on correctness of software behavior.
>> 
>> During the SIDR session today, there seemed to be some confusion about which 
>> OIDs we are taking about.
>> 
>> The first two are from RFC 3779.  They appear here in the IANA registry:
>> http://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.1
>> 
>> The two OIDs are: 
>>  1.3.6.1.5.5.7.1.7   id-pe-ipAddrBlocks
>>  1.3.6.1.5.5.7.1.8   id-pe-autonomousSysIds  
>> 
>> In addition, RFC 6484 assigned an OID for the certificate policy.  It 
>> appears here in the IANA registry:
>> http://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.14
>> 
>> The OID is:
>>  1.3.6.1.5.5.7.14.2  id-cp-ipAddr-asNumber
>> 
>> I think this is a very good candidate for early IANA code point allocation.  
>> I think that our AD can assist with that.
>> 
>> Russ

To make sure I’m following along, to address the "Updates: 3779, 6484, 6487 (if 
approved)" changes would the follow changes work:

0) RFC6484-related changes

If we’re going with two OIDs (one for the original “strict" validation and one 
for new “relaxed” validation), then I’m hoping that we can just define a new 
OID in s1.2 of RFC 6484 and be done with it (i.e., I hope we don’t also have to 
update s4.1.1, s4.5.1, and s4.7.1 where RFC 3779 is mentioned).  Here’s some 
text for a new section:

#.#  Updates to RFC 6484

This section replaces s1.2 of [RFC6484] with the following:

The name of this document is "Certificate Policy (CP) for the Resource PKI 
(RPKI)”.

This policy has been assigned the following two OIDs:

   id-cp-ipAddr-asNumber OBJECT IDENTIFIER ::= { iso(1)
 identified-organization(3) dod(6) internet(1)
 security(5) mechanisms(5) pkix(7) cp(14) 2 }

   id-cp-ipAddr-asNumber-v2 OBJECT IDENTIFIER ::= { iso(1)
 identified-organization(3) dod(6) internet(1)
 security(5) mechanisms(5) pkix(7) cp(14) TBD }

id-cp-ipAddr-asNumber and the extensions defined in [RFC3779] indicate that the 
original certification path validation rules are to be used.  
id-cp-ipAddr-asNumber-v2 and the extensions defined in [this document] indicate 
that the validation reconsidered certification path validation rules defined in 
[this document] are to be used.


1) IANA registrations

We need to register some OIDs with IANA.  Here’s an IANA considerations section 
(assumes we’re registering a new CP OID - [] references will be to whatever 
section # it ends up being):

6. IANA Considerations

IANA is to register the following five OIDs:

- id-cp-ipAddr-asNumber-v2 from [insert Section and #] in the SMI Security for 
PKIX Certificate Policies registry.

- id-pe-ipAddrBlocks-v2 and id-pe-autonomousSysIds-v2 from [insert Section and 
#] in the SMI Security for PKIX Certificate Extension registry.

- IPAddrAndASCertExtn-v2 and IPAddrAndASCertExtn-2010v2 from [insert Section 
and #] in the SMI Security for PKIX Module Identifier registry.

RFC EDITOR: There are two ASN.1 modules both include the same assignments for 
id-pe-ipAddrBlocks-v2 and id-pe-autonomousSysIds-v2, i.e., the assignments are 
made by IANA once and the values are included in the two modules.  Please 
delete this prior to publication.


2) RFC3799-related changes

As far as RFC 3779 updates go, we probably need to update s2.3 and s3.3 as well 
as add new ASN.1 modules.


2.1) I haven’t got text off the top of my head for the s2.3 and s3.3 changes.


2.2) As far as the ASN.1-related changes go here’s two ASN.1 module(s).  The 
modules define the new OIDs and imports the syntax from RFC3779/RFC6268.  The 
basic idea is to keep the modules as short as possible.  The 2nd module is for 
the ’08 ASN.1 that was defined in RFC 6268 to be used with RFC5911/5912.

#.#  ’88 ASN.1 Module

IPAddrAndASCertExtn-v2 { iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5)