Re: [sidr] Last Call: <draft-ietf-sidr-rpki-oob-setup-04.txt> (An Out-Of-Band Setup Protocol For RPKI Production Services) to Proposed Standard
Rob Austein <sra@hactrn.net> Fri, 06 January 2017 19:10 UTC
Return-Path: <sra@hactrn.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B7BF129D9C; Fri, 6 Jan 2017 11:10:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.001
X-Spam-Level:
X-Spam-Status: No, score=-5.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZWW5ObuqUaGw; Fri, 6 Jan 2017 11:10:53 -0800 (PST)
Received: from khatovar.hactrn.net (khatovar.hactrn.net [198.180.150.30]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7917E129611; Fri, 6 Jan 2017 11:10:53 -0800 (PST)
Received: from minas-ithil.hactrn.net (c-73-47-197-23.hsd1.ma.comcast.net [73.47.197.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "nargothrond.hactrn.net", Issuer "Grunchweather Associates" (not verified)) by khatovar.hactrn.net (Postfix) with ESMTPS id CD2DD13998; Fri, 6 Jan 2017 19:10:51 +0000 (UTC)
Received: from minas-ithil.hactrn.net (localhost [IPv6:::1]) by minas-ithil.hactrn.net (Postfix) with ESMTP id 74B334602216; Fri, 6 Jan 2017 14:10:41 -0500 (EST)
Date: Fri, 06 Jan 2017 14:10:41 -0500
From: Rob Austein <sra@hactrn.net>
To: "t.petch" <ietfc@btconnect.com>
Subject: Re: [sidr] Last Call: <draft-ietf-sidr-rpki-oob-setup-04.txt> (An Out-Of-Band Setup Protocol For RPKI Production Services) to Proposed Standard
In-Reply-To: <00a001d26840$e5194580$4001a8c0@gateway.2wire.net>
References: <148226796672.23778.11324483834700038816.idtracker@ietfa.amsl.com> <01f101d260f9$dee15c00$4001a8c0@gateway.2wire.net> <20161229231547.4552D456B7F2@minas-ithil.hactrn.net> <00a001d26840$e5194580$4001a8c0@gateway.2wire.net>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20170106191041.74B334602216@minas-ithil.hactrn.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/BCd2UYM-zDgXuCS_tP5z1EwOc44>
Cc: Rob Austein <sra@hactrn.net>, Chris Morrow <morrowc@ops-netman.net>, sidr-chairs@ietf.org, sidr@ietf.org, draft-ietf-sidr-rpki-oob-setup@ietf.org, ietf <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jan 2017 19:10:54 -0000
At Fri, 6 Jan 2017 17:15:04 +0000, t.petch wrote: > > Looking some more at this, I would not want to try and troubleshoot this > protocol with such a limited range of error messages. > > Not something I am likely to be doing but were I to, I would like to see > an indication of the nature of the error (eg in attribute, element, > certificate) and where the error was found (the relevant name) and for > authentication errors, well, look at the certificate related TLS Alerts > which suggest to me the level of detail that has found to be needed in > at least some quarters. And bear in mind that you are making no > recommendation about most of the certificate options, just that you > expect them to be the usual ones:-) > > As it is, I would not know where to place most errors into the three > possibilities provided. Sort of agree, but.... The <error/> PDU is optional, and in practice has not been used much to date. In practice, diagnosing errors generally involves looking in some server log file, and errors to date have usually been reported via email or voice. We included the <error/> PDU because an earlier reviewer insisted, but we don't have enough experience using with it to know what kind of detail would really be useful. That being the case, my preference would be to leave the schema alone for now and wait for experience, after which we can revise the protocol if we see an opportunity for serious improvement. YMMV. FWIW, the three current error codes translate, roughly, to: * "I don't understand what you want me to do"; * "I think I understand what you want me to do and am willing but I hit an authorization problem while trying to do it"; and * "I don't feel like playing this game". I don't see all that much ambiguity between these three very broad categories, but I'm also not all that worried about it, because I don't expect the current simplistic version of the <error/> PDU to replace two human being having some kind of conversation after looking at log files. Again, YMMV.