Resource Public Key Infrastructure (RPKI) Trust Anchor Locator
draft-ietf-sidrops-https-tal-08
Yes
Warren Kumari
No Objection
Éric Vyncke
(Alissa Cooper)
(Alvaro Retana)
(Deborah Brungard)
(Ignas Bagdonas)
(Magnus Westerlund)
(Martin Vigoureux)
(Suresh Krishnan)
Note: This ballot was opened for revision 07 and is now closed.
Warren Kumari
Yes
Roman Danyliw
No Objection
Comment
(2019-04-10 for -07)
Sent
Thanks for the easy to read diff with RFC7730. A minor nit: (1) Section 2.1, Typo. s/implementors/implementers/
Éric Vyncke
No Objection
Adam Roach Former IESG member
Yes
Yes
(2019-04-10 for -07)
Sent
Thanks to everyone who worked on this document. --------------------------------------------------------------------------- I find it curious and somewhat problematic that there is not a section, equivalent to the existing section 4, that deals with RSYNC considerations. In particular, the attack described in the first paragraph of section 4 appears to be unavoidable when the TAL contains an RSYNC URI. Minimally, this document should draw attention to that fact, at least in the Security Considerations section. Ideally, it would deprecate -- or at least discourage -- the use of RSYNC URIs for this reason. [This would be a discuss-level comment if this were a green-field document, but I don't want to stand in the way of improving an existing mechanism, so I'm only leaving it as a comment. The authors may choose to move forward without fixing this issue] --------------------------------------------------------------------------- §2.2: > In this document we define a Trust Anchor URI as a URI that can be > used to retrieved a current Trust Anchor certificate Nit: "...to retrieve..."
Alexey Melnikov Former IESG member
No Objection
No Objection
(2019-04-10 for -07)
Sent
Thank you for this well written document. I have a few relatively minor comments (and questions) which I think you should address: 1. Introduction This document obsoletes [RFC7730] by adding support for HTTPS URIs in a TAL. If this document obsoletes RFC 7730, then I think you need to have "Changes since RFC 7730" section (Is this a BIS document?). If it only updates it, then the above (and the obsolete header at the top of the draft) is not correct. 2.2. Trust Anchor Locator File Format In this document we define a Trust Anchor URI as a URI that can be used to retrieved a current Trust Anchor certificate. This URI MUST be either an rsync URI [RFC5781], or an HTTPS URI [RFC7230]. I think the first mention of URI still needs a reference to RFC 3986. The TAL is an ordered sequence of: 1. an optional comment section consisting of one or more lines each starting with the '#' character, followed by human readable informational UTF-8 text, and ending with a line break, Unless you think you want to use ASCII and Unicode Control characters in this field, I think you should recommend usage of RFC 5198 here. 2.3. TAL and Trust Anchor Certificate Considerations The trust anchor MUST contain a stable key. This key MUST NOT change How does "MUST contain a stable key" differ from "key MUST NOT change"? when the certificate is reissued due to changes in the INR extension(s), when the certificate is renewed prior to expiration, or for any reason other than a key change. This reads funny: “you must not change the key unless you decide to change the key”. Maybe talk about key compromise and key strength no longer being adequate instead? 4. HTTPS Considerations o This protocol does not require the use of SRV-IDs. o This protocol does not require the use of URI-IDs. I suspect this was copied from another RFC, but "does not require" is not right here, as it doesn't prevent it as an option. I think you should change "does not require the use" to "does not use"
Alissa Cooper Former IESG member
No Objection
No Objection
(for -07)
Not sent
Alvaro Retana Former IESG member
No Objection
No Objection
(for -07)
Not sent
Barry Leiba Former IESG member
No Objection
No Objection
(2019-04-07 for -07)
Sent
I realize that this document inherits the text in Section 3 from RFC 6490, but can you tell me why there are SHOULDs and not MUSTs? Why would one NOT do it the way Section 3 specifies? Then I’ll ask the same question for the new https text in Section 4, especially about TLS certificate and host name validation.
Benjamin Kaduk Former IESG member
No Objection
No Objection
(2019-04-09 for -07)
Sent
Thank you for keeping the diff from RFC 7730 tidy! Abstract their CA certificate. In particular it allows TAs to change the set of Internet Number Resources included in the RFC3779 extension of their certificate. Neither "Internet Number" nor "Number Resources" appears in RFC 3779 that I can see. (On a quick skim, I'm still not sure if we mean AS number or IP address/prefix.) Section 2.1 the trust anchor per se. In the RPKI, certificates contain extensions that represent Internet Number Resources (INRs) [RFC3779]. (As above, I don't see INRs mentioned in RFC 3779.) Since comments are new in this rev of TAL, do we want to caution consumers that implementations may not necessarily support comments yet? Section 2.3 The trust anchor MUST contain a stable key. This key MUST NOT change when the certificate is reissued due to changes in the INR extension(s), when the certificate is renewed prior to expiration, or for any reason other than a key change. (This seems a bit tautological...) If an entity wishes to withdraw a self-signed CA certificate as a putative trust anchor, for any reason, including key rollover, the entity MUST remove the object from the location referenced in the TAL. Certain classes of attacker could continue to publish the last-known certificate as a trust anchor and prevent this withdrawl from taking effect; we should probably cover that in the security considerations. Section 2.4 We say that it's RECOMMENDED to have different domains (so as to get different IP addresses) but this example shows only a single domain. Section 4 Note that a Man in the Middle (MITM) cannot produce a CA certificate that would be considered valid according to the process described in Section 3. [...] I think the key part is that the attacker cannot produce a *new* CA certificate that differs from a legitimate one, but they can MITM the HTTPS connection and present a legitimate (but potentially stale) CA certificate. o DNS names in Repository Server certificates SHOULD NOT contain the wildcard character "*". Would a Relying Party ever reject the HTTPS connection (and thus, the delivered TA) if a wildcard certificate is presented for the HTTPS connection? Section 5 This TAL does not directly provide a list of resources covered by the referenced self-signed CA certificate. Instead, the RP is referred to the trust anchor itself and the INR extension(s) within this certificate. This provides necessary operational flexibility, but it also allows the certificate issuer to claim to be authoritative for any resource. Relying parties should either have great confidence in the issuers of such certificates that they are configuring as trust anchors, or they should issue their own self-signed certificate as a trust anchor and, in doing so, impose constraints on the subordinate certificates. Are there any external databases that a RP could consult to affect the decision of whether to believe that a TA should actually be claiming the indicated resource(s)? (It would be a bit silly, given that this is the RPKI already, but still...)
Deborah Brungard Former IESG member
No Objection
No Objection
(for -07)
Not sent
Ignas Bagdonas Former IESG member
No Objection
No Objection
(for -07)
Not sent
Magnus Westerlund Former IESG member
No Objection
No Objection
(for -07)
Not sent
Martin Vigoureux Former IESG member
No Objection
No Objection
(for -07)
Not sent
Mirja Kühlewind Former IESG member
No Objection
No Objection
(2019-04-03 for -07)
Sent
Usually we recommend to have a "Changes since RFC7730" section in bis documents... however, maybe the changes are small enough in this doc that that is not needed.
Suresh Krishnan Former IESG member
No Objection
No Objection
(for -07)
Not sent