IETF Logo Mail Archive

Re: [sidr] Terry Manderson's Discuss on draft-ietf-sidr-rfc6485bis-04: (with DISCUSS)

Sandra Murphy <sandy@tislabs.com> Thu, 19 November 2015 18:27 UTC

Return-Path: <sandy@tislabs.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 644961A8ADE; Thu, 19 Nov 2015 10:27:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.486
X-Spam-Level:
X-Spam-Status: No, score=-2.486 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QNFWdEnO5dvP; Thu, 19 Nov 2015 10:27:42 -0800 (PST)
Received: from walnut.tislabs.com (walnut.tislabs.com [192.94.214.200]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 565261A0143; Thu, 19 Nov 2015 10:27:39 -0800 (PST)
Received: from nova.tislabs.com (unknown [10.66.1.77]) by walnut.tislabs.com (Postfix) with ESMTP id 90C4328B003D; Thu, 19 Nov 2015 13:27:38 -0500 (EST)
Received: from [IPv6:::1] (localhost.localdomain [127.0.0.1]) by nova.tislabs.com (Postfix) with ESMTP id 73DB71F8035; Thu, 19 Nov 2015 13:27:38 -0500 (EST)
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
Content-Type: multipart/signed; boundary="Apple-Mail=_E14FD9C0-3D5F-405E-B894-82B80A21E4D9"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.5.1
From: Sandra Murphy <sandy@tislabs.com>
In-Reply-To: <20151118020907.790.34242.idtracker@ietfa.amsl.com>
Date: Thu, 19 Nov 2015 13:27:31 -0500
Message-Id: <938892D5-919F-4C61-B518-7145CB40A05B@tislabs.com>
References: <20151118020907.790.34242.idtracker@ietfa.amsl.com>
To: Terry Manderson <terry.manderson@icann.org>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/CCHRMVwhBRqPYJOqG3tnJ5OHemE>
Cc: draft-ietf-sidr-rfc6485bis@ietf.org, sidr-chairs@ietf.org, sidr wg list <sidr@ietf.org>, The IESG <iesg@ietf.org>, Sandra Murphy <sandy@tislabs.com>
Subject: Re: [sidr] Terry Manderson's Discuss on draft-ietf-sidr-rfc6485bis-04: (with DISCUSS)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2015 18:27:45 -0000

A bit of history here.

After RFC6485 was published, it was discovered that it incorrectly used the same OID for all RPKI crypto uses, which conflicts with CMS specs and is inconsistent with known implementations.

The wg decided to create RFC6485bis, to correct the OID problem and the OID problem only, with emphasis on the “only”.

The “SHOULD” language in section 5 is inherited from RFC6485, except for:

   The recommended
   procedures to implement such a transition of key sizes and algorithms
   is specified in [RFC6916]

RFC6916, which was published a year after RFC6485, is "Algorithm Agility Procedure for the Resource Public Key Infrastructure (RPKI)”.  It describes the procedure to follow in transitioning from one algorithm/key size to another.

Does RFC6916 satisfy your concerns about a change of algorithm?

Would you prefer that RFC6485bis remove the inherited “SHOULD” language and point only to RFC6916?

—Sandy

On Nov 17, 2015, at 9:09 PM, Terry Manderson <terry.manderson@icann.org> wrote:

> Terry Manderson has entered the following ballot position for
> draft-ietf-sidr-rfc6485bis-04: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-sidr-rfc6485bis/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> I'm not so sure that this will be an easy DISCUSS to work through as I
> view this in light of future sustainability/deployability of RPKI and any
> protocol wedded to it (eg BGPSEC).
> 
> Section 5 "Additional Requirements" suggests that both CAs and RPs
> "SHOULD" be capable of supporting a transition and thus able to support
> multiple RPKI alg. and key profiles. To me this "SHOULD" seems like it
> invites fragility in any such transition. An immediate example would be
> the root DNSSEC ksk rollover. An rather large amount of work is underway
> to ascertain the impact. By leaving the SHOULDs in place is this walking
> the same path?
> 
> Let me ask another way. Under what situations is it actually appropriate
> for a CA or RP to be able to ignore the requirement of being able to
> support a phased introduction/deprecation of new/different RPKI algorithm
> and key profiles? And if they ignore such a recommendation does this make
> the entire RPKI infrastructure a fractured PKI by algorithm?
> 
> 
> 
> 
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr

v2.23.0 | Report a Bug | By Email