Re: [sidr] Origin Ops, TALs and Local TAs

Danny McPherson <> Tue, 15 November 2011 00:02 UTC

To: Rob Austein <>
List-Id: Secure Interdomain Routing <>

On Nov 14, 2011, at 6:47 PM, Rob Austein wrote:

> Danny,
> For purposes of this discussion, a LTA is semantically equivalent to a
> collection of TAs plus a constraint list.  Since LTAs are also a more
> general mechanism (they can be shared by a group of like-minded folks
> more easily than a constraint list -- just create a TAL pointing at
> the LTA) and since LTAs have the nice property of keeping the raw
> constraint list out of the validator itself (thus keeping the
> validator that much simpler), my advice to anybody who thinks they
> need a constraint list would be to use a LTA.
> We can discuss this further at the face to face meeting if you like,
> but that's the summary as I see it at the technical layer.

That'd be good, because I'm not comfortable with that as an RP.

> Layers 8+ are mostly out of scope for this list, so let me just say
> that I am really hoping that IANA and the RIRs will get their
> collective act together and issue a single TA before this becomes a
> serious problem.  They say that they intend to do so.  As somebody (KC
> Claffy?) said a few years ago, relying parties should not have to sort
> out this mess, that's what the industry pays the RIRs to do.  For the
> moment I'm willing to take the RIRs' word that they intend to do their
> job and just need a bit more time.  YMMV.

Until then (or even after in the event of a CA compromise), it's a 
technical issue and the capability for RPs to determine who holds 
what resources, or at least to constrain who they trust with what 
resources, and intersect that with the LTA 'federation' issue is very
much an operational issue.
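
The "collection of TAs plus a constraint list" view discussed in this thread, sketched as an added example that is not part of either message or of any validator's code: a relying party keeps a per-trust-anchor list of the address space it will accept from that TA and filters validated ROA payloads against it. The TA names, prefixes, AS numbers and the default-deny choice for unlisted TAs are all constructed assumptions.

```python
import ipaddress

# Constructed constraint list (assumption): for each trust anchor name, the
# address space this relying party is willing to accept from it.
CONSTRAINTS = {
    "TA-A": ["192.0.2.0/24", "2001:db8::/32"],
    "TA-B": ["198.51.100.0/24"],
}

# Constructed validated ROA payloads: (trust anchor, prefix, max length, origin AS).
ROAS = [
    ("TA-A", "192.0.2.0/25", 25, 64496),      # inside TA-A's allowed space
    ("TA-B", "192.0.2.128/25", 25, 64497),    # TA-B is not trusted for this space
    ("TA-B", "198.51.100.0/24", 24, 64498),   # inside TA-B's allowed space
    ("TA-C", "203.0.113.0/24", 24, 64499),    # TA-C has no constraint entry
    ("TA-A", "2001:db8:1::/48", 48, 64500),   # IPv6, inside TA-A's allowed space
]


def allowed(ta, prefix, constraints):
    """True if `prefix` lies entirely within space the RP accepts from `ta`.

    A TA with no entry is rejected (default deny, an assumption of this sketch).
    """
    net = ipaddress.ip_network(prefix)
    for permitted in constraints.get(ta, []):
        cover = ipaddress.ip_network(permitted)
        # subnet_of() raises TypeError across address families, so check version first.
        if net.version == cover.version and net.subnet_of(cover):
            return True
    return False


def apply_constraints(roas, constraints):
    """Split ROA payloads into (accepted, rejected) under the constraint list."""
    accepted, rejected = [], []
    for roa in roas:
        (accepted if allowed(roa[0], roa[1], constraints) else rejected).append(roa)
    return accepted, rejected


if __name__ == "__main__":
    ok, dropped = apply_constraints(ROAS, CONSTRAINTS)
    for roa in ok:
        print("accept", roa)
    for roa in dropped:
        print("reject", roa)
```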