IETF Logo Mail Archive

Re: [Sidr] V3 draft of SIDR Charter

"william(at)elan.net" <william@elan.net> Mon, 28 November 2005 12:08 UTC

Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EghoJ-0008G8-A7; Mon, 28 Nov 2005 07:08:43 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EghoG-0008G0-Ut for sidr@megatron.ietf.org; Mon, 28 Nov 2005 07:08:41 -0500
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA24345 for <sidr@ietf.org>; Mon, 28 Nov 2005 07:07:57 -0500 (EST)
Received: from sokol.elan.net ([216.151.192.200]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Egi87-0002kU-Lf for sidr@ietf.org; Mon, 28 Nov 2005 07:29:13 -0500
Received: from sokol.elan.net (sokol [127.0.0.1]) by sokol.elan.net (8.13.1/8.13.1) with ESMTP id jASC8PSa002246; Mon, 28 Nov 2005 04:08:26 -0800
Received: from localhost (william@localhost) by sokol.elan.net (8.13.1/8.13.1/Submit) with ESMTP id jASC8Gs5002237; Mon, 28 Nov 2005 04:08:25 -0800
X-Authentication-Warning: sokol.elan.net: william owned process doing -bs
Date: Mon, 28 Nov 2005 04:08:16 -0800
From: "william(at)elan.net" <william@elan.net>
To: Geoff Huston <gih@apnic.net>
Subject: Re: [Sidr] V3 draft of SIDR Charter
In-Reply-To: <6.2.0.14.2.20051128203425.02acf120@kahuna.telstra.net>
Message-ID: <Pine.LNX.4.62.0511280138270.14705@sokol.elan.net>
References: <Pine.LNX.4.64.0511101743550.23850@netcore.fi> <6.2.0.14.2.20051112025129.02b3bdf8@localhost> <6.2.0.14.2.20051112031331.044471f8@localhost> <6.2.0.14.2.20051126074145.0301c218@kahuna.telstra.net> <F76529DC4E8579FB25AE6E9F@svartdal.hjemme.alvestrand.no> <6.2.0.14.2.20051128070004.02b0b268@kahuna.telstra.net> <2F57CBABD34601081A75DAFB@svartdal.hjemme.alvestrand.no> <6.2.0.14.2.20051128074620.02b03a48@kahuna.telstra.net> <6.2.0.14.2.20051128191945.02b75cb8@kahuna.telstra.net> <Pine.LNX.4.62.0511280024260.14705@sokol.elan.net> <6.2.0.14.2.20051128203425.02acf120@kahuna.telstra.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 5a9a1bd6c2d06a21d748b7d0070ddcb8
Cc: sidr@ietf.org
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
Sender: sidr-bounces@ietf.org
Errors-To: sidr-bounces@ietf.org

On Mon, 28 Nov 2005, Geoff Huston wrote:

> At 07:41 PM 28/11/2005, william(at)elan.net wrote:
>
>> I still think you need to specify that work will include information
>> on how to publish certification objects. Either have this as separate
>> point below or addition to existing one.
>> 
>>>  The SIDR working group is charged with the following tasks:
>>> 
>>>  - Document an extensible interdomain routing security architecture
>>> 
>>>  - Document the use of certification objects within this secure
>>>    routing architecture
>> 
>> Possibly change to:
>> 
>>   - Document use and publication of certification objects within
>>     secure interdomain routing architecture
>
> Now one way or another we are talking about certificate repositories. What 
> did you have in mind to specify here above and beyond normal repository 
> operation?

That is pretty much it. I do not see it clearly spelled out in the
charter that we would work on specifying access to (or at least linking 
rules for specifying PKI repository) PKI repositories and format of the 
data that is to be retrieved. There are actually quite a number of ways
to run a repository or certificate verification service that have been 
developed (plus add related issues and formats for publication of CRL
data as well), these are just a few these:
  SCVP (draft-ietf-pkix-scvp-21.txt)
  DVCS (RFC3029)
  OSCP (RFC2560)
  PKIXREP locator (draft-ietf-pkix-pkixrep-04.txt)
  HTTP Certificate Store (draft-ietf-pkix-certstore-http-09.txt)
  LDAP Certificate server
  PGP (HTTP based) key & certificate server
  etc.
And it may well be that none of the above will work because one of the key
issues is that BGP (like DNS) is a base protocol so one can not fully rely 
on some "higher" application protocol as part of BGP route establishment
(see also SBGP & soBGP and compare how they propose to store cert data).

I think info on considerations and issues involved in setting up and
running repositories that would be used for BGP security should be
considered and documented as well at least in some way.

Also the format for certificates and any necessary extensions are all 
in scope (i.e. if we decide we need extension of RFC3779) and this
I also see as publication-related issue.

-- 
William Leibzon
Elan Networks
william@elan.net

_______________________________________________
Sidr mailing list
Sidr@ietf.org
https://www1.ietf.org/mailman/listinfo/sidr

v2.23.0 | Report a Bug | By Email