Speaking as regular ol’ member: On Dec 1, 2015, at 9:42 AM, Andrei Robachevsky <[email protected]> wrote:
> Tim Bruijnzeels wrote on 01/12/15 14:55:
>>>
>>> Tim, I am not sure I understand this. If the parent of the EE cert has a
>>> shrunken set of resources, will it invalidate the EE or only the
>>> non-overlapping subset?
>>
>> If the parent has a shrunken resource set this would lead to the EE
>> certificate being accepted only for the intersection of its resources, and
>> the parent. Because there is a requirement that all prefixes on a ROA are
>> included (and accepted in reconsidered) in the resource set of the EE
>> certificate the ROA will be considered invalid.
>>
>
> Thank you Tim, this makes sense. Otherwise we will be changing the
> semantics of ROA, which is tricky. Could you please point me to the
> place where the requirement is specified?
In RFC6483, page 5, section 4. ROA Validation:
o The IP address delegation extension [RFC3779] is present in the
end-entity (EE) certificate (contained within the ROA), and each
IP address prefix(es) in the ROA is contained within the set of IP
addresses specified by the EE certificate's IP address delegation
extension.
Quibble.
In the current algorithm, the EE cert that mentioned some of the removed
resources will be invalid. That makes the ROA that mentioned some of the
removed resources be invalid.
Under validation reconsidered, the EE cert will be valid, but not all the
resources contained in it will be valid. However, the EE cert still "contains"
the removed resources, so the ROA “contained within” test would still succeed.
So a ROA that mentioned some of the removed resources would still be considered
valid. (I would say that’s bad.)
Under validation-reconsidered, we would need to make sure this section said
something about the validity of the resources in the valid EE cert.
Just in case it is not obvious:
Suppose the EE cert always contained more resources than the ROA mentioned.
Suppose the ROA did not mention the resources that were removed. In that case
the shrinking of the parent causes a shrinking of the set of resources that are
contained in the EE cert that are considered valid under
validation-reconsidered. The valid subset of the resources contained in the
valid EE cert (i.e., the shrunken resources) would still cover the resources
mentioned in the ROA. So a ROA whose resources were contained exclusively
within the retained resources would be valid. (I would say that’s good.)
—Sandy, speaking as regular ol’ member
(We’ve overloaded “Valid” a couple of different ways valid certs, valid ROAs,
valid origins, valid Signature_Blocks, …) - it might be nice to readers and
users to come up with a different adjective here for the subset of the
resources that are contained within the certificate, rather than yet another
use of “valid”. Before we have to talk about valid certs with invalid
resources.)
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ sidr mailing list [email protected] https://www.ietf.org/mailman/listinfo/sidr
