Re: [secdir] Secdir review of draft-ietf-sidr-algorithm-agility-08

Brian Weis <> Fri, 14 December 2012 19:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3812C21F8B4C; Fri, 14 Dec 2012 11:36:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -110.398
X-Spam-Status: No, score=-110.398 tagged_above=-999 required=5 tests=[AWL=0.200, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id lfxz9FmQElGo; Fri, 14 Dec 2012 11:36:49 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 4CBBA21F8B44; Fri, 14 Dec 2012 11:36:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=8147; q=dns/txt; s=iport; t=1355513809; x=1356723409; h=mime-version:subject:from:in-reply-to:date:cc:message-id: references:to; bh=MmHNeSD3Cyc6Etfev7k5YV+2rb8T5WKJH1hVu+BbktM=; b=jW9dOmO+nBoHE4hBu3yHSn1/deEQUod3smVVfCx+566y1DzyLg1wZnHT 2DUk5P0MfWSMMifkwres5oydymHHzUiylEAViNy0JE0Ra4tE3xKdyPYth iqckdPCOfKAY3Yd+y/ry/cK2jOoZbiLv1CjILPxwb5kDYZUUdLqI+wP30 k=;
X-IronPort-AV: E=Sophos; i="4.84,282,1355097600"; d="scan'208,217"; a="63479364"
Received: from ([]) by with ESMTP; 14 Dec 2012 19:36:48 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id qBEJa4hn013902 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Fri, 14 Dec 2012 19:36:48 GMT
Content-Type: multipart/alternative; boundary="Apple-Mail=_D0D40E2E-AC02-4845-9D80-276D85ECDA58"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Brian Weis <>
In-Reply-To: <>
Date: Fri, 14 Dec 2012 10:05:00 -0800
Message-Id: <>
References: <> <>
To: Roque Gagliano <>
X-Mailer: Apple Mail (2.1499)
Cc: "<>" <>, The IESG <>, "" <>
Subject: Re: [secdir] Secdir review of draft-ietf-sidr-algorithm-agility-08
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 14 Dec 2012 19:36:50 -0000

Hi Roque,

Replies are inline below.

On Dec 14, 2012, at 3:25 AM, Roque Gagliano (rogaglia) <> wrote:

> Hi Brian,
> Thanks for your review. See my answers inline.
> Cheers!
> Roque
> On Dec 14, 2012, at 3:00 AM, Brian Weis wrote:
>> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.
>> This document describes a mandatory algorithm transition procedure for the RPKI. It describes a single method, comprised of four phases and six milestones. Each phase discusses a strategy for rollback of the new algorithm. The algorithm transition procedure seems complete, and the security considerations section is adequate.
>> One statement in the discussion of Phase 4 is confusing (Section 4.7). It first states:
>>  "RPs MAY validate signed product sets
>>   using Suite C. However, RPs SHOULD NOT assume that the collection of
>>   Suite C product sets is complete."
>> Later it notes that Suite A could be deprecated, and states:
>>  "At this stage, RPs are still capable of processing Suite
>>   C signed products, so the RPKI is still viable."
>> But if the Suite C product sets may be incomplete, how is the RPKI still viable? This should be clarified.
> One clarification is that the first piece of text that you quoted is the normal agility process while the second quoted sentence refers to what to do when the new algorithm suite is deemed unsuitable and the algorithm change process needs to be canceled.
> That said, what about this clarification text?
> If the Algorithm Suite A (former Algorithm
>    Suite B) is deemed unsuitable, the algorithm transition timeline and
>    the algorithm specification documents MUST be replaced, the
>    Algorithm Suite A MUST be deprecated using the process described in
>    Section 10 and CAs MUST NOT remove Suite C product sets. At this stage, RPs are still capable of processing Suite C signed products, so the RPKI is still viable.

This sounds like a good clarification. Whereas Suite C product sets may be incomplete (due to expiration of certificates) they are still considered valid until Phase 4 has completed. The only suggestion I might have is to change "remove" to "remove or revoke".


>> Nits:
>> - Section 3, "Corresponds" definition: s/Resoureces/Resources/
>> - Section 4.1, "End Of Life (EOL) Date definition: s/is MUST/MUST/
>> - Section 7, last paragraph. The final sentence would be clearer if it read "Since Suite C products are being deprecated during Phase 4, a CA may revoke certificates issued under Suite C without revoking them under Suite A." Ignore if you don't agree.
> Thanks! Will Change for next version.
>> Brian