Hi John, all,

Hoping to clarify my reasoning why I think this validation approach provides a significant quick win.

On 29 Oct 2014, at 00:17, John Curran <[email protected]> wrote:

> On Aug 11, 2014, at 11:58 AM, Tim Bruijnzeels <[email protected]> wrote:
>> ...
>> The *one* thing I (and I believe we..) challenge is whether an overclaimed resource should invalidate a complete certificate, instead of invalidating just the resources at hand, but allowing the remainder.
>> ...
>> The following two we may be able to mitigate technically, because we are dealing with co-operating parties:
>> @1 There is a mis-timing in certificate shrinking in a transfer between co-operating parties.
>> @2 There is a mis-timing in the parent publishing a cert with extended resource, and issuing it to the child, and the child using those resources in turn.
>>
>> But this is the one that has me scared. It is not the issuing CA being sloppy, it’s a problem between them and *their* parent:
>> @1 The *grand*-parent shrinks the *parent* certificate without the parent knowing about this, and some of these resources appear on the, now overclaiming, child certificate. The grand-parent and parent are not involved in an active transfer process. They may not agree that the resource in question should be removed, or the grand-parent may have shrunk these resources in error.
>>
>> By rejecting the overclaiming child certificate completely I think we are being too harsh, or pedantic even. We know better, so we are just not going to trust this one. But.. there is a very real possibility that we actually *do* know better than the issuing CA at this point. So, what exactly is the problem with accepting the remaining resources? i.e. the intersection between the parent certificate’s resources and this certificate. We know the context, this evaluation is very easy and well-defined. If the CA really intended that the remaining resources should not be tied to the certificate, they would have revoked. If the grand-parent really intended that those resources should not be certified anymore, they would have removed them as well.
>
> I'm certain there is a simple answer for this question, but it eludes me at the present time…

I would very much like to learn the answer to that question though, taken from above:

>> So, what exactly is the problem with accepting the remaining resources?

I believe we are rejecting ROAs or router certificates under strict rules for reasons that concern other objects. I just do not see a scenario where an RP could be led to accept a ROA or router certificate that *could* not be valid if strict rules are followed. The fix is higher in the chain. By claiming fewer resources, not more. And the exact same object would be considered valid.

If someone can come up with a scenario where a truly overclaiming ROA or router certificate is considered valid under reconsidered rules, then I agree that it’s not an option. As it stands in my understanding though, this is an easy quick fix to limit the impact of the problem of overclaiming certificates to just *those* objects that refer to the resources. So even if it then doesn’t solve those other issues, I believe we will have made a very significant improvement.

Tim

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
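The grand-parent-shrinks-the-parent scenario and the two validation rules argued over in this thread, as an added toy model that is not part of the original mail or of any RPKI implementation. Certificates are reduced to the IPv4 prefixes they claim, the chain is a list from trust anchor down, and the three RFC 5737 documentation prefixes are used as constructed sample resources. "strict" rejects a certificate (and everything beneath it) on any overclaim; "reconsidered" keeps the intersection with the parent's effective resources, so only objects that refer to the dropped prefixes fail. The later specification of this idea (RFC 8360) also requires the CA to opt in per certificate via a distinct policy OID; that signalling is deliberately left out here.

```python
"""Toy comparison of strict vs. "reconsidered" RPKI resource validation.

Constructed example: IPv4 prefixes only, certificates reduced to their
resource set, chain given as a sequence from the trust anchor downwards.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, collapse_addresses, ip_network
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Cert:
    name: str
    resources: Tuple[IPv4Network, ...]  # prefixes the certificate claims


def nets(*cidrs: str) -> Tuple[IPv4Network, ...]:
    return tuple(ip_network(c) for c in cidrs)


def covered(prefix: IPv4Network, resources: Sequence[IPv4Network]) -> bool:
    """True if `prefix` lies entirely inside one of `resources`."""
    return any(prefix.subnet_of(r) for r in resources)


def intersect(a: Sequence[IPv4Network], b: Sequence[IPv4Network]) -> Tuple[IPv4Network, ...]:
    """Prefix-wise intersection; two prefixes are either nested or disjoint."""
    out = []
    for x in a:
        for y in b:
            if x.subnet_of(y):
                out.append(x)
            elif y.subnet_of(x):
                out.append(y)
    return tuple(collapse_addresses(out))


def effective_resources(chain: Sequence[Cert], mode: str) -> Optional[Tuple[IPv4Network, ...]]:
    """Resources the last certificate in `chain` may vouch for.

    Returns None when the chain is rejected outright (strict mode only).
    strict:       any prefix not covered by the parent invalidates the cert.
    reconsidered: the cert keeps the intersection with the parent's effective
                  resources; overclaimed prefixes are dropped, nothing else.
    """
    effective = chain[0].resources  # the trust anchor is taken at face value
    for cert in chain[1:]:
        if mode == "strict":
            if not all(covered(r, effective) for r in cert.resources):
                return None
            effective = cert.resources
        elif mode == "reconsidered":
            effective = intersect(cert.resources, effective)
        else:
            raise ValueError(f"unknown mode {mode!r}")
    return effective


def roa_valid(chain: Sequence[Cert], roa_prefix: str, mode: str) -> bool:
    """A ROA under the chain's leaf is valid iff its prefix is covered by the
    leaf's effective resources (an empty intersection rejects every ROA)."""
    eff = effective_resources(chain, mode)
    return eff is not None and covered(ip_network(roa_prefix), eff)


# Constructed scenario from the thread: the grand-parent (here the TA) shrinks
# the parent's certificate, removing 198.51.100.0/24, while the child's
# certificate, issued earlier, still carries a piece of that block.
TA = Cert("TA", nets("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"))
PARENT_BEFORE = Cert("parent", nets("192.0.2.0/24", "198.51.100.0/24"))
PARENT_SHRUNK = Cert("parent", nets("192.0.2.0/24"))
CHILD = Cert("child", nets("192.0.2.0/25", "198.51.100.0/25"))

CHAIN_BEFORE = (TA, PARENT_BEFORE, CHILD)   # no overclaim anywhere
CHAIN_AFTER = (TA, PARENT_SHRUNK, CHILD)    # child now overclaims 198.51.100.0/25


def compare(chain: Sequence[Cert], roa_prefix: str) -> dict:
    """Outcome of the same ROA under both rule sets, keyed by mode."""
    return {mode: roa_valid(chain, roa_prefix, mode) for mode in ("strict", "reconsidered")}


if __name__ == "__main__":
    for roa in ("192.0.2.0/25", "198.51.100.0/25"):
        print(f"before shrink, ROA {roa}: {compare(CHAIN_BEFORE, roa)}")
        print(f"after  shrink, ROA {roa}: {compare(CHAIN_AFTER, roa)}")
```

Running it shows the point of the mail: after the shrink, the ROA for 192.0.2.0/25 is rejected under strict rules purely because an unrelated prefix on the same certificate is overclaimed, while under reconsidered rules it stays valid; the ROA for 198.51.100.0/25, which actually refers to the removed resource, is rejected under both.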
