Re: [sidr] Terry Manderson's Discuss on draft-ietf-sidr-rpsl-sig-11: (with DISCUSS and COMMENT)

Tim Bruijnzeels <tim@ripe.net> Wed, 18 May 2016 14:32 UTC

From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <f1770d7b-7a16-6bab-91f7-dd6e41bb60ff@innovationslab.net>
Date: Wed, 18 May 2016 16:32:42 +0200
Message-Id: <35AEF9F7-FFAD-470B-9D0D-1D7BE7C7FE90@ripe.net>
References: <20160518033754.24796.52937.idtracker@ietfa.amsl.com> <f1770d7b-7a16-6bab-91f7-dd6e41bb60ff@innovationslab.net>
To: Brian Haberman <brian@innovationslab.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/-BmbrIVDJ7Irbm3AjI0ZktxxTXU>
Cc: draft-ietf-sidr-rpsl-sig@ietf.org, sidr@ietf.org, sidr-chairs@ietf.org, The IESG <iesg@ietf.org>, "Sandra L. Murphy" <sandy@tislabs.com>
Subject: Re: [sidr] Terry Manderson's Discuss on draft-ietf-sidr-rpsl-sig-11: (with DISCUSS and COMMENT)

Hi,

> On 18 May 2016, at 15:08, Brian Haberman <brian@innovationslab.net> wrote:
> 
> Hi Terry,
> 
> On 5/17/16 11:37 PM, Terry Manderson wrote:
>> Terry Manderson has entered the following ballot position for
>> draft-ietf-sidr-rpsl-sig-11: Discuss
>> 
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>> 
>> 
>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>> 
>> 
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-sidr-rpsl-sig/
>> 
>> 
>> 
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>> 
>> Thank you for putting substantial effort into this document.
>> 
>> I have a few discusses. I hope they can be resolved quickly.
>> 
>> In Section 2.1. The reference to the aligned certificate which has the
>> same private key that signed the RPSL object is mandatory, and defined by
>> a RSYNC URL or a HTTP(S) URL. My question surrounds the "or". The
>> architecture of RPKI (IIRC) is centered around RSYNC, and thus SIA/AIA
>> values MUST have a RSYNC URL, and MAY have other types. By this are you
>> leaving it to the issuing party to control the RPKI Distribution
>> mechanisms of the Relying Party? I am quite comfortable with "or"
>> personally, however this facet of fetching the RPSL Certificate to
>> validate the private key usage is seemingly orthogonal to the RPKI
>> architecture of RSYNC preferred and should be called out if 'or' is the
>> clear intention. Or, has the consensus of the WG moved on from being
>> wedded to RSYNC?
> 
> I am not aware of the WG moving away from their rsync leanings...

My take on this: for the moment I would stick to rsync as it's required and EE certificates appearing in the rsync repository, and leave out http(s).

Work is being done on RRDP. In time this may replace rsync altogether. This is speculation at this time, but... one way to look at this could be to have AKI and a reference to a TA or an RRDP publication point (notification file) where the signing EE certificate is supposed to be found. Just shooting from the hip here, bottom line: this is a discussion and decision for a later time, and is probably best addressed in a -bis.

Tim