Re: [sidr] Terry Manderson's Discuss on draft-ietf-sidr-rfc6485bis-04: (with DISCUSS)
Terry Manderson <terry.manderson@icann.org> Fri, 20 November 2015 04:00 UTC
Return-Path: <terry.manderson@icann.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AF131A0013; Thu, 19 Nov 2015 20:00:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.006
X-Spam-Level:
X-Spam-Status: No, score=-4.006 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585, SPF_NEUTRAL=0.779] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4h9z7Iu309To; Thu, 19 Nov 2015 20:00:20 -0800 (PST)
Received: from out.west.pexch112.icann.org (pfe112-ca-2.pexch112.icann.org [64.78.40.10]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 736951A000D; Thu, 19 Nov 2015 20:00:20 -0800 (PST)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) with Microsoft SMTP Server (TLS) id 15.0.1044.25; Thu, 19 Nov 2015 19:59:57 -0800
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1044.021; Thu, 19 Nov 2015 19:59:57 -0800
From: Terry Manderson <terry.manderson@icann.org>
To: Sandra Murphy <sandy@tislabs.com>
Thread-Topic: [sidr] Terry Manderson's Discuss on draft-ietf-sidr-rfc6485bis-04: (with DISCUSS)
Thread-Index: AQHRIaYqmsaHDHQziEW3bXSM/x1U8J6kMreAgAFHjQA=
Date: Fri, 20 Nov 2015 03:59:56 +0000
Message-ID: <D274CFE7.7267B%terry.manderson@icann.org>
References: <20151118020907.790.34242.idtracker@ietfa.amsl.com> <938892D5-919F-4C61-B518-7145CB40A05B@tislabs.com>
In-Reply-To: <938892D5-919F-4C61-B518-7145CB40A05B@tislabs.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.5.8.151023
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.32.234]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="B_3530872792_46719018"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/1-NJhKP-VrzInuBPQq8HytnL_DE>
Cc: "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>, "draft-ietf-sidr-rfc6485bis@ietf.org" <draft-ietf-sidr-rfc6485bis@ietf.org>, The IESG <iesg@ietf.org>, sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] Terry Manderson's Discuss on draft-ietf-sidr-rfc6485bis-04: (with DISCUSS)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Nov 2015 04:00:22 -0000
Hi Sandy, On 20/11/2015 4:27 am, "Sandra Murphy" <sandy@tislabs.com> wrote: >A bit of history here. > >After RFC6485 was published, it was discovered that it incorrectly used >the same OID for all RPKI crypto uses, which conflicts with CMS specs and >is inconsistent with known implementations. I am aware of that. > >The wg decided to create RFC6485bis, to correct the OID problem and the >OID problem only, with emphasis on the ³only². Timeline leap is not your friend here. 6485 pre-dates 6916. 6485 is minimalist (and from a point of view, wrong) about algorithm changes. > >The ³SHOULD² language in section 5 is inherited from RFC6485, except for: > > The recommended > procedures to implement such a transition of key sizes and algorithms > is specified in [RFC6916] > >RFC6916, which was published a year after RFC6485, is "Algorithm Agility >Procedure for the Resource Public Key Infrastructure (RPKI)². It >describes the procedure to follow in transitioning from one algorithm/key >size to another. Correct. It was this text that drew me to the section. And since the text pre-dates 6916, which takes a more encompassing view of an algorithm/profile change with a security section that adequately warns of invalidity due to a RP not supporting the new certificate profile, I view 6916 as more 'with the times' (YMMV). > >Does RFC6916 satisfy your concerns about a change of algorithm? It does a better job that allowing a CA or RP to opt out and fracture the RPKI. > >Would you prefer that RFC6485bis remove the inherited ³SHOULD² language >and point only to RFC6916? Yes, That is certainly one way to address this. And I would be OK with that. Cheers Terry > >Sandy > >On Nov 17, 2015, at 9:09 PM, Terry Manderson <terry.manderson@icann.org> >wrote: > >> Terry Manderson has entered the following ballot position for >> draft-ietf-sidr-rfc6485bis-04: Discuss >> >> When responding, please keep the subject line intact and reply to all >> email addresses included in the To and CC lines. (Feel free to cut this >> introductory paragraph, however.) >> >> >> Please refer to >>https://www.ietf.org/iesg/statement/discuss-criteria.html >> for more information about IESG DISCUSS and COMMENT positions. >> >> >> The document, along with other ballot positions, can be found here: >> https://datatracker.ietf.org/doc/draft-ietf-sidr-rfc6485bis/ >> >> >> >> ---------------------------------------------------------------------- >> DISCUSS: >> ---------------------------------------------------------------------- >> >> I'm not so sure that this will be an easy DISCUSS to work through as I >> view this in light of future sustainability/deployability of RPKI and >>any >> protocol wedded to it (eg BGPSEC). >> >> Section 5 "Additional Requirements" suggests that both CAs and RPs >> "SHOULD" be capable of supporting a transition and thus able to support >> multiple RPKI alg. and key profiles. To me this "SHOULD" seems like it >> invites fragility in any such transition. An immediate example would be >> the root DNSSEC ksk rollover. An rather large amount of work is underway >> to ascertain the impact. By leaving the SHOULDs in place is this walking >> the same path? >> >> Let me ask another way. Under what situations is it actually appropriate >> for a CA or RP to be able to ignore the requirement of being able to >> support a phased introduction/deprecation of new/different RPKI >>algorithm >> and key profiles? And if they ignore such a recommendation does this >>make >> the entire RPKI infrastructure a fractured PKI by algorithm? >> >> >> >> >> _______________________________________________ >> sidr mailing list >> sidr@ietf.org >> https://www.ietf.org/mailman/listinfo/sidr >
- [sidr] Terry Manderson's Discuss on draft-ietf-si… Terry Manderson
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Sandra Murphy
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Terry Manderson
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Sandra Murphy
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Sandra Murphy
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Sandra Murphy