Re: [babel] [Babel-users] key rotation take #2

Toke Høiland-Jørgensen <toke@toke.dk> Wed, 28 November 2018 12:09 UTC

Return-Path: <toke@toke.dk>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47649130DCE for <babel@ietfa.amsl.com>; Wed, 28 Nov 2018 04:09:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=toke.dk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6ZEtrdf1J2hu for <babel@ietfa.amsl.com>; Wed, 28 Nov 2018 04:09:08 -0800 (PST)
Received: from mail.toke.dk (mail.toke.dk [IPv6:2001:470:dc45:1000::1]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9533812D4EF for <babel@ietf.org>; Wed, 28 Nov 2018 04:09:08 -0800 (PST)
From: Toke =?utf-8?Q?H=C3=B8iland-J=C3=B8rgensen?= <toke@toke.dk>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=toke.dk; s=20161023; t=1543406947; bh=utqmb/zJJoKkU/1GiZEwNU5FQ/ettjSXjE4Zd8+Iqg4=; h=From:To:Subject:In-Reply-To:References:Date:From; b=gbWMax1cVerM7mcXqRyLoKW9xS0ffOazJPMmwj+oooyHzyTLBVDwoLOFtX99Rkzi/ draDGt/RB1vQlV5VRLodT5DzoWWNYmXv2e3NeQJyMfKy0QmsjRcx7SCrVRbMYgY2gs AW+/N2OXlEJ9BEzBhDT/X1eTjE1mn2vkWTifyo6lmniWPpQNvPmg436/+rMfU6XsXc Nn4lCKWESqySt+GnNCuO+gKWN71XqcgoZjD0kRlgi3XSS6J84DR5Or9FINbddCDjgY rEcfCyy66mh8wjh4lqhrwjE6QwzdMMUSttiFTjM82uDIdErduhat9YcGgl8fc2QUzO 5BSRnQXVRUCPw==
To: Dave Taht <dave@taht.net>, babel@ietf.org, babel-users@lists.alioth.debian.org
In-Reply-To: <87in0h1ppd.fsf@taht.net>
References: <87in0h1ppd.fsf@taht.net>
Date: Wed, 28 Nov 2018 13:09:05 +0100
X-Clacks-Overhead: GNU Terry Pratchett
Message-ID: <87efb5v1y6.fsf@toke.dk>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/wLxEKVKB-dHHUZVffP8VXt62RSw>
Subject: Re: [babel] [Babel-users] key rotation take #2
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Nov 2018 12:09:10 -0000

Dave Taht <dave@taht.net> writes:

> so we invent a new keyword "serial".

So what you're trying to express here is the notion of a "receive-only"
key that is not used for signing outgoing packets, right? If so, I think
it would be better to express that explicitly as a property of the key
config that can be changed on a per-key basis. For one thing, 'serial'
is misleading as it sounds like something that affects the wire format,
and for another with your proposal it becomes difficult to re-instate a
previously retired key (say, if you want to restore connectivity to an
old router that dropped off while you were changing keys).

-Toke