Hi Tim,

On 09/10, Tim Bruijnzeels wrote:
> 
> 
> > On 10 Sep 2021, at 11:57, Job Snijders <[email protected]> wrote:
> > 
> > On Fri, Sep 10, 2021 at 11:39:39AM +0200, Tim Bruijnzeels wrote:
> >> I think all would agree that transparency is good.
> >> 
> >> A key difference between RPKI and most other PKIs is that in the RPKI
> >> all objects are published in the open for all to see.
> > 
> > Small nitpick: all objects are SUPPOSED to be published, in the open,
> > for all to see. However it is important to keep in mind we cannot assume
> > all objects were published in a way for all to see.
> > 
> >> As you mentioned your RPKI validator may miss intermediate state
> >> changes if it retrieves objects using rsync, but the RRDP protocol
> >> supports deltas, see [1].
> >> 
> >> I believe that transparency can most easily be achieved by ensuring
> >> that these deltas are preserved, and that they cannot be modified.
> > 
> > RRDP is an unauthenticated and unsigned protocol. It is possible for a
> > Publication Point to present different RRDP deltas to one RP compared to
> > what they present to another RP. Archiving RRDP deltas is interesting,
> > but IMHO happens too late in the pipeline for TA/CA audit purposes.
> > 
> > RRDP is not a replacement for Certificate Transparency, both
> > technologies solve different problems.
> 
> I did not say that it was.
> 
> I just suggested that *in the context of RPKI* RRDP can be used as a basis
> to keep track of all historic public changes.
> 
Archiving the RRDP deltas can certainly provide information as to what
was observed at the publication points, but the security of the RPKI
system lives at the object-signing layer, and so an audit log needs to
capture activity at that layer: issuance actions by the CA.

Comparing a CT log to RRDP delta archive could certainly be useful in
many cases, but that's exactly because they say things about different
parts of the infrastructure.

Cheers,

Ben
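To make the distinction in this thread concrete, here is an added example (not code from the thread or from any RPKI project) of what an RRDP delta archive as described by RFC 8182 can and cannot check. The session id, URIs and object contents are constructed; real deltas carry DER-encoded objects. The archive verifies the SHA-256 that a notification file pins on each delta and the `hash` attributes that chain every publish/withdraw to the object being replaced, and it keeps an append-only log of what it applied. None of this is signed, which is the point made above: the archive records what this fetcher was shown, and nothing in it speaks to CA issuance actions at the object-signing layer.

```python
"""Added example: archive RRDP (RFC 8182) deltas with integrity checks.

All data below is constructed for the example; it is not from any real
publication point. The checks are those RRDP itself supports: the
notification's SHA-256 over the delta bytes and the per-object replace
hashes. Nothing authenticates the notification, so the archive is an
observation log, not evidence of what a CA issued.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

RRDP_NS = "{http://www.ripe.net/rpki/rrdp}"

# Constructed values for the example (not a real session or repository).
SESSION = "9df4b597-af9e-4dca-bdda-719cce2c4e28"
ROA_URI = "rsync://rpki.example.net/repo/AS64500.roa"
MFT_URI = "rsync://rpki.example.net/repo/ca.mft"
ROA_V1, ROA_V2, MFT = b"roa-v1", b"roa-v2", b"manifest"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class DeltaArchive:
    """In-memory mirror of one RRDP session plus an append-only change log."""

    def __init__(self, session_id: str):
        self.session_id = session_id
        self.serial = 0
        self.objects = {}  # uri -> bytes currently published
        self.log = []      # (serial, action, uri, sha256 of object) tuples

    def apply_delta(self, delta_xml: bytes, expected_hash: str) -> int:
        """Apply one delta; expected_hash is the hash the notification listed."""
        # The notification pins the delta file by SHA-256; reject on mismatch.
        if sha256_hex(delta_xml) != expected_hash.lower():
            raise ValueError("delta bytes do not match notification hash")
        root = ET.fromstring(delta_xml)
        if root.tag != RRDP_NS + "delta":
            raise ValueError("not an RRDP delta element")
        if root.get("session_id") != self.session_id:
            raise ValueError("session_id mismatch")
        serial = int(root.get("serial"))
        if serial != self.serial + 1:
            raise ValueError(f"expected serial {self.serial + 1}, got {serial}")
        applied = 0
        for el in root:
            uri = el.get("uri")
            if el.tag == RRDP_NS + "publish":
                new = base64.b64decode(el.text or "")
                old = self.objects.get(uri)
                claimed = el.get("hash")
                # RFC 8182: hash is required when replacing an existing object
                # and must be the SHA-256 of the object being replaced.
                if old is not None and (claimed is None or claimed.lower() != sha256_hex(old)):
                    raise ValueError(f"replace hash mismatch for {uri}")
                if old is None and claimed is not None:
                    raise ValueError(f"publish carries a hash for unknown object {uri}")
                self.objects[uri] = new
                self.log.append((serial, "publish", uri, sha256_hex(new)))
            elif el.tag == RRDP_NS + "withdraw":
                old = self.objects.get(uri)
                if old is None or el.get("hash", "").lower() != sha256_hex(old):
                    raise ValueError(f"withdraw hash mismatch for {uri}")
                del self.objects[uri]
                self.log.append((serial, "withdraw", uri, sha256_hex(old)))
            else:
                raise ValueError(f"unexpected element {el.tag}")
            applied += 1
        self.serial = serial
        return applied


def make_delta(session_id: str, serial: int, entries) -> bytes:
    """Build constructed delta XML. Entries are
    ("publish", uri, content, old_bytes_or_None) or ("withdraw", uri, old_bytes)."""
    parts = [f'<delta xmlns="http://www.ripe.net/rpki/rrdp" version="1" '
             f'session_id="{session_id}" serial="{serial}">']
    for entry in entries:
        if entry[0] == "publish":
            _, uri, content, old = entry
            hash_attr = f' hash="{sha256_hex(old)}"' if old is not None else ""
            b64 = base64.b64encode(content).decode()
            parts.append(f'<publish uri="{uri}"{hash_attr}>{b64}</publish>')
        else:
            _, uri, old = entry
            parts.append(f'<withdraw uri="{uri}" hash="{sha256_hex(old)}"/>')
    parts.append("</delta>")
    return "".join(parts).encode()


def run_demo() -> DeltaArchive:
    """Two consecutive deltas: create two objects, then replace one and withdraw the other."""
    archive = DeltaArchive(SESSION)
    d1 = make_delta(SESSION, 1, [("publish", ROA_URI, ROA_V1, None),
                                 ("publish", MFT_URI, MFT, None)])
    d2 = make_delta(SESSION, 2, [("publish", ROA_URI, ROA_V2, ROA_V1),
                                 ("withdraw", MFT_URI, MFT)])
    # In practice expected_hash comes from the notification file's <delta hash="..."/>.
    archive.apply_delta(d1, sha256_hex(d1))
    archive.apply_delta(d2, sha256_hex(d2))
    return archive


def mismatched_delta_rejected() -> bool:
    """True if a delta whose bytes differ from the notification's hash is refused."""
    archive = DeltaArchive(SESSION)
    listed = make_delta(SESSION, 1, [("publish", ROA_URI, ROA_V1, None)])
    served = make_delta(SESSION, 1, [("publish", ROA_URI, b"roa-other", None)])
    try:
        archive.apply_delta(served, sha256_hex(listed))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for entry in run_demo().log:
        print(entry)
```

The log this produces is a record of the publication point's observed state transitions, one line per publish or withdraw, which is useful for comparison across fetchers and against a CA-side audit log; it does not by itself establish which of those transitions the CA authorised.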
