Re: [sidr] Terry Manderson's Discuss on draft-ietf-sidr-rpsl-sig-11: (with DISCUSS and COMMENT)

George Michaelson <ggm@algebras.org> Wed, 18 May 2016 22:39 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/3CmaD--6L1eY7rt6aWIuT_5O8BA>
Cc: "Sandra L. Murphy" <sandy@tislabs.com>, sidr-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-sidr-rpsl-sig@ietf.org, "sidr@ietf.org" <sidr@ietf.org>

I would rather the sigs were signed by ee certs which were in the
blob, than have to make an external reference, and I would rather we
varied the compliance needs to remove a pointless external ref.

If there has to be a ref, I think making it mandated to a specific
scheme is over specifying, especially in a context where we might
begin to understand *where you get cryptographic materials from is
less important than proving who said them*.

Rsync is a bad fit. For the actual signing cert, inline is better. It
can refer to whatever chain it likes.

-G

On Thu, May 19, 2016 at 1:02 AM, Brian Haberman
<brian@innovationslab.net> wrote:
> Hi Tim,
>
> On 5/18/16 10:32 AM, Tim Bruijnzeels wrote:
>> Hi,
>>
>>> On 18 May 2016, at 15:08, Brian Haberman <brian@innovationslab.net>
>>> wrote:
>>>
>>> Hi Terry,
>>>
>>> On 5/17/16 11:37 PM, Terry Manderson wrote:
>>>> Terry Manderson has entered the following ballot position for
>>>> draft-ietf-sidr-rpsl-sig-11: Discuss
>>>>
>>>> When responding, please keep the subject line intact and reply to
>>>> all email addresses included in the To and CC lines. (Feel free
>>>> to cut this introductory paragraph, however.)
>>>>
>>>>
>>>> Please refer to
>>>> https://www.ietf.org/iesg/statement/discuss-criteria.html for
>>>> more information about IESG DISCUSS and COMMENT positions.
>>>>
>>>>
>>>> The document, along with other ballot positions, can be found
>>>> here: https://datatracker.ietf.org/doc/draft-ietf-sidr-rpsl-sig/
>>>>
>>>>
>>>>
>>>> ----------------------------------------------------------------------
>>>> DISCUSS:
>>>> ----------------------------------------------------------------------
>>>>
>>>> Thank you for putting substantial effort into this document.
>>>>
>>>> I have a few discusses. I hope they can be resolved quickly.
>>>>
>>>> In Section 2.1, the reference to the aligned certificate which
>>>> has the same private key that signed the RPSL object is
>>>> mandatory, and defined by an RSYNC URL or an HTTP(S) URL. My
>>>> question surrounds the "or". The architecture of RPKI (IIRC) is
>>>> centered around RSYNC, and thus SIA/AIA values MUST have an RSYNC
>>>> URL, and MAY have other types. By this are you leaving it to the
>>>> issuing party to control the RPKI Distribution mechanisms of the
>>>> Relying Party? I am quite comfortable with "or" personally,
>>>> however this facet of fetching the RPSL Certificate to validate
>>>> the private key usage is seemingly orthogonal to the RPKI
>>>> architecture of RSYNC preferred and should be called out if 'or'
>>>> is the clear intention. Or, has the consensus of the WG moved on
>>>> from being wedded to RSYNC?
>>>
>>> I am not aware of the WG moving away from their rsync leanings...
>>
>> My take on this: for the moment I would stick to rsync as it's
>> required and EE certificates appearing in the rsync repository, and
>> leave out http(s).
>>
>
> If the consensus is to remove mention of an http(s) URI, I can live with
> that. The current state of affairs within the SIDR documentation is such
> that only an rsync URI will be feasible in the near future. I don't
> believe that the mention of an http(s) URI in this context affects that
> one way or the other.
>
> Regards,
> Brian