Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-09.txt
Tim Bruijnzeels <tim@ripe.net> Thu, 16 November 2017 08:44 UTC
Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61AB1129A84 for <sidr@ietfa.amsl.com>; Thu, 16 Nov 2017 00:44:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TmYMSF_LfzpK for <sidr@ietfa.amsl.com>; Thu, 16 Nov 2017 00:44:31 -0800 (PST)
Received: from molamola.ripe.net (molamola.ripe.net [IPv6:2001:67c:2e8:11::c100:1371]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 88838129566 for <sidr@ietf.org>; Thu, 16 Nov 2017 00:44:31 -0800 (PST)
Received: from titi.ripe.net ([193.0.23.11]) by molamola.ripe.net with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89) (envelope-from <tim@ripe.net>) id 1eFFmf-0005Ir-GX for sidr@ietf.org; Thu, 16 Nov 2017 09:44:30 +0100
Received: from sslvpn.ripe.net ([193.0.20.230] helo=vpn-250.ripe.net) by titi.ripe.net with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89) (envelope-from <tim@ripe.net>) id 1eFFmd-00062D-LT; Thu, 16 Nov 2017 09:44:29 +0100
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <151081919187.28369.12154628810347674400@ietfa.amsl.com>
Date: Thu, 16 Nov 2017 16:44:20 +0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <C098087D-009D-48F6-8456-61B8BC020F3E@ripe.net>
References: <151081919187.28369.12154628810347674400@ietfa.amsl.com>
To: sidr <sidr@ietf.org>
X-Mailer: Apple Mail (2.3273)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: -------
X-RIPE-Spam-Report: Spam Total Points: -7.5 points pts rule name description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED Passed through trusted hosts only via SMTP
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a071965b1375632d4af3d28ca24defb61afc5
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/5PQbbeqjqquXKZI3ADLlh-t8NLs>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-09.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Nov 2017 08:44:33 -0000
Dear WG, This version was uploaded because looking at this on-line proved more convenient for IESG review, as opposed to the version of this that I sent as an email attachment. We have a had a discussion about remaining DISCUSS items and a -10 version is coming soon as well. Possibly still before I board my plane home tomorrow, otherwise early next week. Kind regards, Tim > On 16 Nov 2017, at 15:59, internet-drafts@ietf.org wrote: > > > A New Internet-Draft is available from the on-line Internet-Drafts directories. > This draft is a work item of the Secure Inter-Domain Routing WG of the IETF. > > Title : RPKI Validation Reconsidered > Authors : Geoff Huston > George Michaelson > Carlos M. Martinez > Tim Bruijnzeels > Andrew Lee Newton > Daniel Shaw > Filename : draft-ietf-sidr-rpki-validation-reconsidered-09.txt > Pages : 22 > Date : 2017-11-15 > > Abstract: > This document specifies an alternative to the certificate validation > procedure specified in RFC 6487 that reduces aspects of operational > fragility in the management of certificates in the RPKI, while > retaining essential security features. > > Where the procedure specified in RFC 6487 requires that Resource > Certificates are rejecting entirely if they are found to over-claim > any resources not contained on the issuing certificate, the > validation process defined here allows an issuing Certificate > Authority to chose to communicate that such Resource Certificates > should be accepted for the intersection of their resources and the > issuing certificate. > > This choice is signalled by form of a set of alternative Object > Identifiers (OIDs) of RFC 3779 X.509 Extensions for IP Addresses and > AS Identifiers, and certificate policy for the Resource Public Key > Infrastructure (RFC 6484). It should be noted that in case these > OIDs are not used for any certificate under a Trust Anchor, the > validation procedure defined here has the same outcome as the > procedure defined in RFC 6487 > > Furthermore this document provides an alternative to ROA (RFC 6482), > and BGPSec Router Certificate (BGPSec PKI Profiles - publication > requested) validation. > > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-validation-reconsidered/ > > There are also htmlized versions available at: > https://tools.ietf.org/html/draft-ietf-sidr-rpki-validation-reconsidered-09 > https://datatracker.ietf.org/doc/html/draft-ietf-sidr-rpki-validation-reconsidered-09 > > A diff from the previous version is available at: > https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-rpki-validation-reconsidered-09 > > > Please note that it may take a couple of minutes from the time of submission > until the htmlized version and diff are available at tools.ietf.org. > > Internet-Drafts are also available by anonymous FTP at: > ftp://ftp.ietf.org/internet-drafts/ > > _______________________________________________ > sidr mailing list > sidr@ietf.org > https://www.ietf.org/mailman/listinfo/sidr >
- [sidr] I-D Action: draft-ietf-sidr-rpki-validatio… internet-drafts
- Re: [sidr] I-D Action: draft-ietf-sidr-rpki-valid… Tim Bruijnzeels