Re: [Rescert] Notes from RPKI security review

To: Rob Austein <sra@hactrn.net>
Subject: Re: [Rescert] Notes from RPKI security review
From: Randy Bush <randy@psg.com>
Date: Tue, 19 Jun 2007 14:51:11 -1000
Cc: Resource Cert List <rescert@apnic.net>
Delivered-to: rescert@clove.apnic.net
In-reply-to: <20070620003814.AE9B422828@thrintun.hactrn.net>
List-archive: <http://www.apnic.net/mailing-lists/rescert>
List-help: <mailto:rescert-request@apnic.net?subject=help>
List-id: <rescert.apnic.net>
List-post: <mailto:rescert@apnic.net>
List-subscribe: <http://mailman.apnic.net/mailman/listinfo/rescert>, <mailto:rescert-request@apnic.net?subject=subscribe>
List-unsubscribe: <http://mailman.apnic.net/mailman/listinfo/rescert>, <mailto:rescert-request@apnic.net?subject=unsubscribe>
References: <20070612212938.1D32222828@thrintun.hactrn.net> <46785C05.4070305@apnic.net> <20070619235532.EBA5622828@thrintun.hactrn.net> <46787159.2060508@psg.com> <20070620003814.AE9B422828@thrintun.hactrn.net>
User-agent: Thunderbird 2.0.0.4 (Windows/20070604)

>> the cms certs are between the two *IRs which have an allocation business
>> relationship.  the tls certs are between two rpki service hosting
>> providers, who contracted to provide rpki services to the two *IRs.
> 
> Hmm.  Not where I thought the conversation two weeks ago was going,
> but perfectly reasonable.  Ok, take two.
> 
> Your analysis of the trust relationships above sounds right.

and now you know why i was uncomfortable with how tls certs got
distributed.  sk will immediately think of a iana certified hierarchy of
 rpki service providers :)

> I've been using subjectAltName heavily for several years now and have
> seen no problems.  Doesn't make you wrong, but OpenSSL and Apache
> clearly can deal with it and I was assuming we'd support it in our
> client and server code.

i occasionally get whacked by a client saying "you have a cert for foux
when i want one for barre" when the cert has an altname of barre.

>>> Also note that we don't currently say anything about CRLs in the
>>> business PKI universe.
>> not our business.  can't have parent reaching through child's irbe to
>> biz key back end to check a crl.  irbes should check crls for the biz
>> certs in their back ends, innuendo intended.
> Mumble.  Agree about not reaching through somebody else's IRBE.  Had
> been thinking of publishing CRLs via HTTP in some boring fashion, but
> that has potential network partition issues.  I suspect you're right
> but it seems a bit lame somehow.

A can not ask B's irbe to check the cert because that is trusting B,
whose very cert you are trying to validate.

randy

Follow-Ups:
- Re: [Rescert] Notes from RPKI security review
  - From: Rob Austein <sra@hactrn.net>

References:
- [Rescert] Notes from RPKI security review
  - From: Rob Austein <sra@hactrn.net>
- Re: [Rescert] Notes from RPKI security review
  - From: Geoff Huston <gih@apnic.net>
- Re: [Rescert] Notes from RPKI security review
  - From: Rob Austein <sra@hactrn.net>
- Re: [Rescert] Notes from RPKI security review
  - From: Randy Bush <randy@psg.com>
- Re: [Rescert] Notes from RPKI security review
  - From: Rob Austein <sra@hactrn.net>

Prev by Date: Re: [Rescert] Notes from RPKI security review
Next by Date: Re: [Rescert] Notes from RPKI security review
Previous by thread: Re: [Rescert] Notes from RPKI security review
Next by thread: Re: [Rescert] Notes from RPKI security review
Index(es):
- Date
- Thread