Re: [Anima] Moving forward with draft-ietf-anima-autonomic-control-plane

Benjamin Kaduk <> Tue, 23 June 2020 03:31 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 313BC3A171E for <>; Mon, 22 Jun 2020 20:31:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id PXw-585OtgJn for <>; Mon, 22 Jun 2020 20:31:42 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id ECB813A171D for <>; Mon, 22 Jun 2020 20:31:41 -0700 (PDT)
Received: from ([]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by (8.14.7/8.12.4) with ESMTP id 05N3VGpL002570 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 22 Jun 2020 23:31:18 -0400
Date: Mon, 22 Jun 2020 20:31:16 -0700
From: Benjamin Kaduk <>
To: "Eric Vyncke (evyncke)" <>
Cc: Anima WG <>, Stephen Kent <>, Eric Rescorla <>, "" <>, "" <>, "" <>, "" <>, "" <>, "Joel M. Halpern" <>
Message-ID: <>
References: <>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <>
Subject: Re: [Anima] Moving forward with draft-ietf-anima-autonomic-control-plane
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 23 Jun 2020 03:31:43 -0000

Hi Éric,

On Mon, Jun 22, 2020 at 10:43:00AM +0000, Eric Vyncke (evyncke) wrote:
> As the shepherding AD for this document, I am happy to see recent technical discussions on this document. OTOH, I do not observe any convergence to remove the pending DISCUSS.
> The 2nd IETF Last Call was completed 2 months ago in April 2020. Joel Halpern did the review for routing directorate and found a couple of issues (zone-ID, loopback definition) and it seems that there is now an agreement within the community for updated the text.
> In order to progress the document, a revised I-D is needed to fix Ben’s DISCUSS points:
> - Use of rfc822Name rather than otherName: the ‘easy’ fix is indeed to use otherName (even with the section 6.1.2 justifications)

Russ has been helping reach out to more of the PKIX community; one
suggestion that came up so far is to consider defining a dedicated URI
scheme and using a uniformResourceIdentifier SAN -- did the WG consider
that in the initial discussions?

> - “MTI cryptographic mechanisms are under-specified” that should not be controversial and easy to fix

Toerless has been doing an incredible job reaching out to the IPsec
community and getting this text nailed down.  There are still a couple
points still under discussion but I'm confident that we will have something
good here (and IIRC the TLS stuff has already been polished).

> - Clarification about the RPL root

I'm pretty sure this is already done -- note that my latest ballot position
is only for the -19, so I think I just didn't update it yet.

> Unsure whether Eric Rescola’s DISCUSS are still applicable (as they were on -16); but, this would be a plus to fix these points.

Indeed.  I expect the current SEC ADs to review those when the document
comes up on a telechat again.

> I understand that the authors have worked on this for 6 years and may be bored but I would love to see this I-D going forward. Again, as many others I fail to see the reason of using rfc822Name and the fix would be to use otherName.

I do not want to put words in anyone's mouth, but my understanding is that
the "obvious alternatives" to otherName are believed to suffer from strong
deployment difficulties, whether one attempts to use an existing
(commercial, or so-called "public" CA) or COTS CA software to run one's own
CA.  (There is some question as to whether the "public CA" route is
advisable at all, given the legal agreements and policy documents
surrounding such CAs and whether issuing certificates intended for ACP use
is compatible with those policy documents.  Sean's review alluded to some
of these topics, and if you manage to catch Ryan Sleevi when he has time,
he can talk about them at length.)


> May I also suggest to the authors to add new co-authors in order to have ‘fresh blood’ and energy ?
> Regards
> -éric