Re: [sidr] key rollover and algorithm migration
Stephen Kent <kent@bbn.com> Wed, 14 July 2010 14:55 UTC
Return-Path: <kent@bbn.com>
X-Original-To: sidr@core3.amsl.com
Delivered-To: sidr@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D54243A6AB3 for <sidr@core3.amsl.com>; Wed, 14 Jul 2010 07:55:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.228
X-Spam-Level:
X-Spam-Status: No, score=-2.228 tagged_above=-999 required=5 tests=[AWL=0.371, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lT5SY1I2kfJH for <sidr@core3.amsl.com>; Wed, 14 Jul 2010 07:55:02 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by core3.amsl.com (Postfix) with ESMTP id E61BC3A6B62 for <sidr@ietf.org>; Wed, 14 Jul 2010 07:55:01 -0700 (PDT)
Received: from dhcp89-089-136.bbn.com ([128.89.89.136]:49224) by smtp.bbn.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1OZ3Md-000HZX-IE; Wed, 14 Jul 2010 10:55:11 -0400
Mime-Version: 1.0
Message-Id: <p06240811c8637d830fe8@[128.89.89.136]>
In-Reply-To: <4C3D90FD.1090301@ripe.net>
References: <p06240801c8384b76c13e@[128.89.89.149]> <20100614152202.621B922808@thrintun.hactrn.net> <4C17D109.9070705@ieca.com> <4C17D82F.4080105@nist.gov> <p06240801c83ef8843b8a@[128.89.89.144]> <4C3332B2.802@ripe.net> <p0624080ac8627a9d0718@[128.89.89.136]> <4C3D90FD.1090301@ripe.net>
Date: Wed, 14 Jul 2010 10:48:37 -0400
To: Tim Bruijnzeels <tim@ripe.net>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] key rollover and algorithm migration
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jul 2010 14:55:02 -0000
At 12:27 PM +0200 7/14/10, Tim Bruijnzeels wrote: >Hi Steve, > >Geoff already replied to you and the list. I agree with his points. > >I do have one remaining comment though. It seems to me that the >algorithm described in section 8 of res-cert is targeting key roll overs >for normal operational CAs. Not CAs that want to be used as TAs... are you referring to a CA that uses the WG-selected method to publish info to make it accessible as a TA, or are you referring to the local TA management mechanisms that are described in draft-reynolds-rpki-ltamgmt-00? >... > > >> One thing to note is that our implementation is using a fully hosted >>> model for the moment. So child CAs are _hosted_ and live in the same >>> environment as our production CA. That means that we can actually >>> trigger the child CA to request a new certificate, and perform triggered >>> effects for itself like re-issuing a ROA object, when the parent has its >>> new key 'activated'. >> >> The fact that your model is based on experience building the hosted CA >> approach is worrisome to me. We need to publish standards that are not >> biased by this specific model. I'm not saying that what you have done >> is wrong, but I don't want SIDR to pursue an approach that is influence >> by that model, since it is not the general case (even if it becomes the > > most common case). >> > >I understand and agree. The reason that I stressed that we are using a >hosted setup is precisely because: > a) I can not be as certain whether stuff will be the same for remote > b) I want to invite people that do have that experience to jump in.. > >As it turns out in this specific case there is no problem for child CAs, >the parent does not have to wait for a remote child CA when it re-keys >to request a new certificate, it can 'push' and just re-issue as >described in section 8 of the res-certs draft. OK. Steve
- [sidr] key rollover and algorithm migration Stephen Kent
- Re: [sidr] key rollover and algorithm migration Geoff Huston
- Re: [sidr] key rollover and algorithm migration Geoff Huston
- Re: [sidr] key rollover and algorithm migration Stephen Kent
- Re: [sidr] key rollover and algorithm migration Stephen Kent
- Re: [sidr] key rollover and algorithm migration Stephen Kent
- Re: [sidr] key rollover and algorithm migration Rob Austein
- Re: [sidr] key rollover and algorithm migration Stephen Kent
- Re: [sidr] key rollover and algorithm migration Geoff Huston - SIDR
- Re: [sidr] key rollover and algorithm migration Geoff Huston - SIDR
- Re: [sidr] key rollover and algorithm migration Stephen Kent
- Re: [sidr] key rollover and algorithm migration Sean Turner
- Re: [sidr] key rollover and algorithm migration David A. Cooper
- Re: [sidr] key rollover and algorithm migration Rob Austein
- Re: [sidr] key rollover and algorithm migration Sean Turner
- Re: [sidr] key rollover and algorithm migration Sean Turner
- Re: [sidr] key rollover and algorithm migration Robert Kisteleki
- Re: [sidr] key rollover and algorithm migration Stephen Kent
- Re: [sidr] key rollover and algorithm migration Stephen Kent
- Re: [sidr] key rollover and algorithm migration Tim Bruijnzeels
- Re: [sidr] key rollover and algorithm migration Roque Gagliano
- Re: [sidr] key rollover and algorithm migration Geoff Huston
- Re: [sidr] key rollover and algorithm migration Tim Bruijnzeels
- Re: [sidr] key rollover and algorithm migration Geoff Huston
- Re: [sidr] key rollover and algorithm migration Roque Gagliano
- Re: [sidr] key rollover and algorithm migration Geoff Huston
- Re: [sidr] key rollover and algorithm migration Roque Gagliano
- Re: [sidr] key rollover and algorithm migration Geoff Huston
- Re: [sidr] key rollover and algorithm migration Randy Bush
- Re: [sidr] key rollover and algorithm migration Roque Gagliano
- Re: [sidr] key rollover and algorithm migration Tim Bruijnzeels
- Re: [sidr] key rollover and algorithm migration Roque Gagliano
- Re: [sidr] key rollover and algorithm migration Geoff Huston
- Re: [sidr] key rollover and algorithm migration Stephen Kent
- Re: [sidr] key rollover and algorithm migration Geoff Huston
- Re: [sidr] key rollover and algorithm migration Tim Bruijnzeels
- Re: [sidr] key rollover and algorithm migration Stephen Kent
- Re: [sidr] key rollover and algorithm migration Stephen Kent
- Re: [sidr] key rollover and algorithm migration Tim Bruijnzeels
- Re: [sidr] key rollover and algorithm migration Stephen Kent
- Re: [sidr] key rollover and algorithm migration Rob Austein
- Re: [sidr] key rollover and algorithm migration Rob Austein
- Re: [sidr] key rollover and algorithm migration Geoff Huston
- Re: [sidr] key rollover and algorithm migration Sandra Murphy
- Re: [sidr] key rollover and algorithm migration Geoff Huston
- Re: [sidr] key rollover and algorithm migration Tim Bruijnzeels