[saag] RFC 5011 to IS question

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 28 November 2012 17:31 UTC

Message-ID: <50B64A46.5050903@cs.tcd.ie>
Date: Wed, 28 Nov 2012 17:30:46 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: "saag@ietf.org" <saag@ietf.org>, dns-dir@ops.ietf.org
Cc: Michael StJohns <mstjohns@comcast.net>, Ralph Droms <rdroms.ietf@gmail.com>
Subject: [saag] RFC 5011 to IS question

Hi,

The IESG has recently been considering a request to
move RFC 5011 [1] to Internet Standard. This is a fine
RFC, but I have one question and I'd be interested if
anyone here has input.

Should we re-think any of the timer values here in
the light of the fact that it took a few weeks to
find out about DigiNotar?

In particular, the 30-day add hold-down timer might
arguably be better off at ~90 days if additions are
planned well ahead of time and there are no bad side
effects of a longer timer and we assume that gossipy
protocols might detect bad new trust points in a few
weeks, but not necessarily sooner. (Say if detection
needed a clueful traveller to go to place X, see the
bad new trust point and return to somewhere where the
bad new trust point isn't seen.)

I think the answer is "it's still ok" and plan to
remove my discuss on this shortly, but wanted to
check in case others who know more about DNSSEC
think differently. (Note: nobody brought this up
during IETF LC, it's just me asking.)

Thanks,
S.

[1] http://tools.ietf.org/html/rfc5011
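As an added illustration, not part of the message above or of RFC 5011 itself, here is a small Python model of the RFC 5011 add hold-down state machine (Start, AddPend, Valid, Revoked; the Missing/Removed path is left out) so the 30-day versus ~90-day question can be replayed against a constructed timeline. The daily observation cadence, the 40-day detection delay and all function names are assumptions.

```python
from enum import Enum

class State(Enum):
    START = "Start"
    ADDPEND = "AddPend"
    VALID = "Valid"
    REVOKED = "Revoked"

class TrustAnchorTracker:
    """RFC 5011 add hold-down for one candidate SEP key. The Missing/Removed
    path for an already trusted key is omitted from this model."""
    def __init__(self, add_hold_down_days=30):
        self.hold_down = add_hold_down_days
        self.state = State.START
        self.first_seen = None   # day the candidate key first appeared
        self.valid_since = None  # day it became a trust anchor, if ever

    def observe(self, day, present, revoke_bit=False):
        """One observation of the zone's DNSKEY RRset on `day`. `present`:
        the candidate key is in the RRset, signed by a currently trusted key.
        `revoke_bit`: it carries the REVOKE flag and self-signs the RRset."""
        if self.state is State.REVOKED:
            return self.state            # revoked keys are never re-added
        if present and revoke_bit:
            self.state = State.REVOKED
        elif self.state is State.START and present:
            self.state, self.first_seen = State.ADDPEND, day
        elif self.state is State.ADDPEND:
            if not present:              # key withdrawn: back to Start
                self.state, self.first_seen = State.START, None
            elif day - self.first_seen >= self.hold_down:
                self.state, self.valid_since = State.VALID, day
        return self.state

def replay(hold_down, observations):
    """Replay (day, present, revoke_bit) tuples through a fresh tracker."""
    t = TrustAnchorTracker(hold_down)
    for day, present, revoke_bit in observations:
        t.observe(day, present, revoke_bit)
    return t

# Constructed scenario: a bad key appears on day 0 and is seen daily; the
# problem is noticed and the key withdrawn (or revoked) on day 40.
WITHDRAWN_DAY_40 = [(d, True, False) for d in range(40)] + [(40, False, False)]
REVOKED_DAY_40 = [(d, True, False) for d in range(40)] + [(40, True, True)]

if __name__ == "__main__":
    for hold_down in (30, 90):
        t = replay(hold_down, WITHDRAWN_DAY_40)
        print(f"{hold_down}-day hold-down: trusted since day {t.valid_since}")
```

With the 30-day timer the bad key is already a trust anchor by day 30, so a detection on day 40 comes too late; with the 90-day timer its withdrawal on day 40 sends it back to Start and it is never trusted.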