Re: [sidr] Terry Manderson's Discuss on draft-ietf-sidr-rpsl-sig-11: (with DISCUSS and COMMENT)
George Michaelson <ggm@algebras.org> Wed, 18 May 2016 22:39 UTC
From: George Michaelson <ggm@algebras.org>
Date: Thu, 19 May 2016 08:39:09 +1000
Cc: "Sandra L. Murphy" <sandy@tislabs.com>, sidr-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-sidr-rpsl-sig@ietf.org, "sidr@ietf.org" <sidr@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/3CmaD--6L1eY7rt6aWIuT_5O8BA>
I would rather the sigs were signed by ee certs which were in the blob, than have to make an external reference, and I would rather we varied the compliance needs to remove a pointless external ref.

If there has to be a ref, I think making it mandated to a specific scheme is over specifying, especially in a context where we might begin to understand *where you get cryptographic materials from is less important than proving who said them*.

Rsync is a bad fit. For the actual signing cert, inline is better. It can refer to whatever chain it likes.

-G

On Thu, May 19, 2016 at 1:02 AM, Brian Haberman <brian@innovationslab.net> wrote:
> Hi Tim,
>
> On 5/18/16 10:32 AM, Tim Bruijnzeels wrote:
>> Hi,
>>
>>> On 18 May 2016, at 15:08, Brian Haberman <brian@innovationslab.net>
>>> wrote:
>>>
>>> Hi Terry,
>>>
>>> On 5/17/16 11:37 PM, Terry Manderson wrote:
>>>> Terry Manderson has entered the following ballot position for
>>>> draft-ietf-sidr-rpsl-sig-11: Discuss
>>>>
>>>> When responding, please keep the subject line intact and reply to
>>>> all email addresses included in the To and CC lines. (Feel free
>>>> to cut this introductory paragraph, however.)
>>>>
>>>> Please refer to
>>>> https://www.ietf.org/iesg/statement/discuss-criteria.html for
>>>> more information about IESG DISCUSS and COMMENT positions.
>>>>
>>>> The document, along with other ballot positions, can be found
>>>> here: https://datatracker.ietf.org/doc/draft-ietf-sidr-rpsl-sig/
>>>>
>>>> ----------------------------------------------------------------------
>>>> DISCUSS:
>>>> ----------------------------------------------------------------------
>>>>
>>>> Thank you for putting substantial effort into this document.
>>>>
>>>> I have a few discusses. I hope they can be resolved quickly.
>>>>
>>>> In Section 2.1. The reference to the aligned certificate which
>>>> has the same private key that signed the RPSL object is
>>>> mandatory, and defined by a RSYNC URL or a HTTP(S) URL. My
>>>> question surrounds the "or". The architecture of RPKI (IIRC) is
>>>> centered around RSYNC, and thus SIA/AIA values MUST have a RSYNC
>>>> URL, and MAY have other types. By this are you leaving it to the
>>>> issuing party to control the RPKI Distribution mechanisms of the
>>>> Relying Party? I am quite comfortable with "or" personally,
>>>> however this facet of fetching the RPSL Certificate to validate
>>>> the private key usage is seemingly orthogonal to the RPKI
>>>> architecture of RSYNC preferred and should be called out if 'or'
>>>> is the clear intention. Or, has the consensus of the WG moved on
>>>> from being wedded to RSYNC?
>>>
>>> I am not aware of the WG moving away from their rsync leanings...
>>
>> My take on this: for the moment I would stick to rsync as it's
>> required and EE certificates appearing in the rsync repository, and
>> leave out http(s).
>>
>
> If the consensus is to remove mention of an http(s) URI, I can live with
> that. The current state of affairs within the SIDR documentation is such
> that only an rsync URI will be feasible in the near future. I don't
> believe that the mention of an http(s) URI in this context affects that
> one way or the other.
>
> Regards,
> Brian
>
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
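A relying-party check of the certificate reference the thread is arguing about, added here as an example and not code from the draft or from anyone in the thread. It assumes the draft's signature attribute is a semicolon-separated list of key="value" pairs with the certificate URL in c= (an assumption about the format, not stated on this page), and the RPSL object below is constructed.

```python
import re
from urllib.parse import urlparse

# Constructed RPSL object; the signature values are placeholders, not a real signature.
SAMPLE_RPSL = """\
route:      192.0.2.0/24
origin:     AS64496
signature:  v="rpkiv1"; c="rsync://rpki.example.net/repo/ee-cert.cer";
            m="sha256WithRSAEncryption"; t="2016-05-18T22:39:09Z";
            a="route+origin"; b="bm90LWEtcmVhbC1zaWduYXR1cmU="
source:     EXAMPLE
"""


def rpsl_attributes(text):
    """Split RPSL text into (name, value) pairs, folding continuation lines
    (lines starting with whitespace or '+') into the preceding attribute."""
    attrs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t+" and attrs:
            name, value = attrs[-1]
            attrs[-1] = (name, value + " " + line[1:].strip())
        else:
            name, _, value = line.partition(":")
            attrs.append((name.strip(), value.strip()))
    return attrs


def parse_signature(value):
    """Turn 'k="v"; k="v"; ...' into a dict of the single-letter keys (assumed layout)."""
    return {k: v for k, v in re.findall(r'(\w)="([^"]*)"', value)}


def check_cert_reference(rpsl_text):
    """Apply the policy Tim and Brian lean towards: c= is mandatory and must be an
    rsync URL, because an rsync-only relying party cannot fetch anything else.
    Returns (ok, reason)."""
    sig = dict(rpsl_attributes(rpsl_text)).get("signature")
    if sig is None:
        return False, "no signature attribute"
    ref = parse_signature(sig).get("c")
    if not ref:
        return False, "certificate reference c= is mandatory"
    scheme = urlparse(ref).scheme.lower()
    if scheme == "rsync":
        return True, "rsync reference"
    if scheme in ("http", "https"):
        return False, "http(s)-only reference: not fetchable by an rsync-only relying party"
    return False, "unsupported scheme %r" % scheme
```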