Re: [Rescert] Notes from RPKI security review
>> The CMS certs are the "Business" certs that are exchanged as part of the
>> establishment of a business relationship between the parent and child.
>>
>> Can you elaborate on the TLS certs here?
>
> They might come from the same business PKI that generated the CMS, or
> might not. There's been a bit of follow-up discussion between me,
> Randy, and the security guys since NANOG on a few issues around TLS
> certs, this is one of them.
the cms certs are between the two *IRs which have an allocation business
relationship. the tls certs are between two rpki service hosting
providers, who contracted to provide rpki services to the two *IRs.
> Note that the security guys told us to use TLS client certificates
> too, which is one of the reasons why I think we really might want the
> TLS certificates to tie into the same business PKI as the CMS
> certificates.
may not be able to. see above and add restriction of one cert per
server (alt names are wobbly in my experience).
> Also note that we don't currently say anything about CRLs in the
> business PKI universe.
not our business. can't have parent reaching through child's irbe to
biz key back end to check a crl. irbes should check crls for the biz
certs in their back ends, innuendo intended.
>>> Russ noted that there's an optional seconds-since-epoch representation
>>> for timestamps in CMS which we might prefer over the default, but it
>>> may not be implemented in OpenSSL yet. I may implement it if it's not
>>> a lot of work but it doesn't look like anything that's on our critical
>>> path. The new timestamp format is in RFC 4049.
>> Given an understanding that in CMS the timestamp is optional
is not optional. think audit
randy