IETF Logo Mail Archive

Re: [sidr] WG adoption poll for draft-huston-rpki-validation-01

Matthew Lepinski <mlepinski.ietf@gmail.com> Sat, 10 May 2014 03:08 UTC

Return-Path: <mlepinski.ietf@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A5B51A0135 for <sidr@ietfa.amsl.com>; Fri, 9 May 2014 20:08:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4NexyFerOM8k for <sidr@ietfa.amsl.com>; Fri, 9 May 2014 20:08:35 -0700 (PDT)
Received: from mail-we0-x22d.google.com (mail-we0-x22d.google.com [IPv6:2a00:1450:400c:c03::22d]) by ietfa.amsl.com (Postfix) with ESMTP id 308821A011A for <sidr@ietf.org>; Fri, 9 May 2014 20:08:35 -0700 (PDT)
Received: by mail-we0-f173.google.com with SMTP id u57so4776037wes.32 for <sidr@ietf.org>; Fri, 09 May 2014 20:08:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=taCL6vBmrTZA2zioU2AsspD5d22Ri5WbHbaX4s2NAMo=; b=c/tnP04PnoqpKiX+uGwF3l7EylIRF6WxbMAoM0gJU42EDDVNnvCzggrnlQ05hWyLn4 Rf6dxBOwHabbKXbMSEiVHl357E5NDdcbw47gB6sniiEdxKx22+T+ZIx3QQHehya9PWHq ZfJXtDSC4/YipHGjYfOzHkF+iNyJxyXJ6i7fBXhqUdM5JcSeDAXyhiBUMQ96xMQ+c5Ha F5p+XIFsG3Kxl+E+4E/S8wU34yLVEeeSUZtNeEHB3UqQPFtquZ0hJc0eiio4t3JZstDp lqwQFZP/JWzra44+E8WTS3K0vvk7EfyvXs3v+vEmux/8bXLxKn+Aeaa77LSyaqL5px6G 4oYA==
MIME-Version: 1.0
X-Received: by 10.180.93.163 with SMTP id cv3mr5848783wib.3.1399691309665; Fri, 09 May 2014 20:08:29 -0700 (PDT)
Received: by 10.216.100.197 with HTTP; Fri, 9 May 2014 20:08:29 -0700 (PDT)
In-Reply-To: <20140429220119.47384C6B182@minas-ithil.hactrn.net>
References: <BBA7CCE4-1A6C-4D06-A5DC-54B93A1D2202@tislabs.com> <20140429220119.47384C6B182@minas-ithil.hactrn.net>
Date: Fri, 09 May 2014 23:08:29 -0400
Message-ID: <CANTg3aBJshyVq2wcuyLQa6Vx8QQ1hWyi6Y6eN=_0NAXDmx2Z0w@mail.gmail.com>
From: Matthew Lepinski <mlepinski.ietf@gmail.com>
To: Rob Austein <sra@hactrn.net>
Content-Type: multipart/alternative; boundary="f46d043895394ed40604f90307f1"
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/17qy_GPHDUv6BwWMpK2mYM9J80M
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] WG adoption poll for draft-huston-rpki-validation-01
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 May 2014 03:08:41 -0000

I think that Rob makes an excellent point.

I have no problem with making this draft the focal point of discussions
about changing RPKI path validation. Indeed, I greatly appreciate the
effort that Geoff and George have put into articulating the operational
concern with RFCs 3779 and 6487. There is clearly a CA operational concern
here and I think it is good for the working group to take these types of
concerns seriously.

However, I am not yet sold that the solution outlined in this draft is
necessary (or is the best way of addressing the problem).  I think it is
possible that the cost [in complexity, risk, changes to deployed code] of
the proposed solution is not worth the benefit.

At this point in time, I think it is important to prematurely commit to a
solution. (Indeed, based on discussions on the list, I think there was -
even quite recently -- some confusion about the problem that needs to be
solved.)

Personally, I don't think it is especially important whether or not we
adopt the draft, as long as adopting the draft isn't interpreted as
consensus that the particular solution specified in the draft is definitely
the best way forward. That is, Adoption is generally a commitment by the
working group to spend time working on a particular topic and a transfer of
change control to the working group. Both of these I am comfortable with.

- Matt Lepinski


On Tue, Apr 29, 2014 at 6:01 PM, Rob Austein <sra@hactrn.net> wrote:

> Unfortunately, the binary adopt-or-not question is insufficiently
> nuanced for a case like this.
>
> I think the WG needs a work item to explore the issue of decoupling
> RFC-3779-style[*] path validation from certificate validation.  It may
> be that at the end of that process we will decide not to change the
> base specification, but in addition to whatever sympathy the WG might
> feel for CA operators near the root of the tree, I think there may be
> some real issues lurking here with respect to out-of-order validation
> problems and we need to explore them further.
>
> I really do not know at this point whether the result of the work we
> need to do on this will be a publishable document or not.
>
> I do not support the addition of joins in the RPKI tree, full stop.
>
> The WG chairs asked a couple of specific questions:
>
> > You are asked to indicate if you think that this is work that the wg
> > should be doing
>
> Yes, with the proviso that the end result may be a decision to leave
> well enough alone, in which case the only thing we might publish would
> be a history of our decision not to change anything.
>
> > and whether this draft is an acceptable starting point.
>
> As a problem statement, yes.  With no intent to give offense, it's
> nowhere near being suitable as an amended specification, but such a
> document would be premature at this stage in any case.
>
> Starting with a problem statement seems appropriate, so long as we
> retain the option of keeping the current specification.  Yes, this
> might end up meaning that, after years of work, the WG concludes that
> we should not change the specification.  Sometimes you have to work on
> something for a while before you know whether you should be doing it.
>
> [*] "RFC-3779-style" because, if we change it, it won't be RFC 3779
>     anymore.  It might well reuse all of RFC 3779's syntax and most of
>     RFC 3779's semantics, but since there is deployed code that thinks
>     it knows how to validate with the current semantics, at minimum I
>     would want the hypothetical new thing to use different extnID OID
>     values to flag the change.  So, strictly speaking, this would be a
>     new set of X.509v3 extensions that just happen to look exactly
>     like the ones from RFC 3779.
>
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
>

v2.23.0 | Report a Bug | By Email