Re: [secdir] Secdir last call review of draft-ietf-opsawg-9092-update-09
Tim Hollebeek <tim.hollebeek@digicert.com> Mon, 29 January 2024 15:17 UTC
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Russ Housley <housley@vigilsec.com>
CC: Randy Bush <randy@psg.com>, IETF SecDir <secdir@ietf.org>, "draft-ietf-opsawg-9092-update.all@ietf.org" <draft-ietf-opsawg-9092-update.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/rkM8LSbPOuITLgyMHpqpJhq6S_k>

Yep, in this particular case it means the same thing as an English word and as a requirement. I'd personally have a slight preference for "MAY", as it is more assertive in granting permission, but the authors can do what they want.

-Tim

From: Russ Housley <housley@vigilsec.com>
Sent: Saturday, January 27, 2024 2:46 PM
To: Tim Hollebeek <tim.hollebeek@digicert.com>
Cc: Randy Bush <randy@psg.com>; IETF SecDir <secdir@ietf.org>; draft-ietf-opsawg-9092-update.all@ietf.org; last-call@ietf.org; opsawg@ietf.org
Subject: Re: [secdir] Secdir last call review of draft-ietf-opsawg-9092-update-09

Tim:

>> (2) Section 6, paragraph 5: is this intended to be a RFC 2119 "MAY"? If so,
>> capitalize. If not, avoid the word.
>
> took me a moment. i think it is para 6, this one, yes?
>
>    It is good key hygiene to use a given key for only one purpose. To
>    dedicate a signing private key for signing a geofeed file, an RPKI
>    Certification Authority (CA) may issue a subordinate certificate
>    exclusively for the purpose shown in Appendix A.
>
> that 'may' should probably be 2119ed. russ, opinion?

I actually think this is fine either way. In this case, the text is saying that an RPKI CA might choose to create a subordinate CA solely for issuing these certificates.

Russ