Re: [secdir] Secdir review of draft-ietf-sidr-rpki-algs-04

Brian Weis <bew@cisco.com> Mon, 28 March 2011 21:18 UTC

From: Brian Weis <bew@cisco.com>
Date: Mon, 28 Mar 2011 14:20:09 -0700
To: Stephen Kent <kent@bbn.com>
Cc: sidr-chairs@tools.ietf.org, iesg@ietf.org, draft-ietf-sidr-rpki-algs@tools.ietf.org, secdir@ietf.org
Subject: Re: [secdir] Secdir review of draft-ietf-sidr-rpki-algs-04

On Mar 28, 2011, at 9:19 AM, Stephen Kent wrote:

> At 1:38 AM -0700 3/28/11, Brian Weis wrote:
>> ....
>> >
>> > There will be another profile that will define two sets of algs, current and next.  See draft-sidr-algorithm-agility-00.txt for the description of how alg migration is anticipated to work.
>> 
>> I had looked through the algorithm-agility document before commenting but didn't see that it declared that a new profile would be generated. Your description ("two sets of algs, current and next") seems to match the intent of Section 5, such that it would be an update to this same profile. Here's the text in question:
>> 
>>   "It is anticipated that the RPKI will require the adoption of updated
>>    key sizes and a different set of signature and hash algorithms over
>>    time, in order to maintain an acceptable level of cryptographic
>>    security to protect the integrity of signed products in the RPKI.
>>    This profile should be updated to specify such future requirements,
>>    as and when appropriate."
>> 
>> When I read 'updated' I assume it means it adds to the same profile, and the subsequent 'update' will be published under the same name as the original. Is that your intent?
> 
> yes, although "update" is the wrong RFC term. It should say "replace."  We should make that change to the text.
> 
>> > I hesitate to put a (normative) reference to that doc in here, because it is not yet approved and might slow down the
>> > set of SIDR docs that rely, normatively, on the doc that you reviewed.
>> Understood, and I didn't mean to imply a normative reference was needed -- just an informational explanation of why a different profile might be needed rather than an update to this one. But if that isn't actually expected, then I was questioning why the title implied there would in fact be independent profiles.
> 
> OK.  And I agree that we probably should change the name to be "The Profile for Algorithms and Key Sizes ..." since we anticipate a replacement for this doc when we adopt new algs.

Sounds great. I had no other concerns.

Thanks,
Brian

> 
> Steve


-- 
Brian Weis
Security Standards and Technology, SRTG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@cisco.com