Re: [Sidr] V3 draft of SIDR Charter

Geoff Huston <gih@apnic.net> Mon, 28 November 2005 23:41 UTC

Date: Tue, 29 Nov 2005 10:40:40 +1100
To: "william(at)elan.net" <william@elan.net>
From: Geoff Huston <gih@apnic.net>
Subject: Re: [Sidr] V3 draft of SIDR Charter
In-Reply-To: <Pine.LNX.4.62.0511280138270.14705@sokol.elan.net>
Cc: sidr@ietf.org

At 11:08 PM 28/11/2005, william(at)elan.net wrote:

>On Mon, 28 Nov 2005, Geoff Huston wrote:
>
>>At 07:41 PM 28/11/2005, william(at)elan.net wrote:
>>
>>>I still think you need to specify that work will include information
>>>on how to publish certification objects. Either have this as separate
>>>point below or addition to existing one.
>>>
>>>>  The SIDR working group is charged with the following tasks:
>>>>  - Document an extensible interdomain routing security architecture
>>>>  - Document the use of certification objects within this secure
>>>>    routing architecture
>>>Possibly change to:
>>>   - Document use and publication of certification objects within
>>>     secure interdomain routing architecture
>>
>>Now one way or another we are talking about certificate repositories. 
>>What did you have in mind to specify here above and beyond normal 
>>repository operation?
>
>That is pretty much it. I do not see it clearly spelled out in the
>charter that we would work on specifying access to (or at least linking 
>rules for specifying PKI repository) PKI repositories and format of the 
>data that is to be retrieved. There are actually quite a number of ways
>to run a repository or certificate verification service that have been 
>developed (plus add related issues and formats for publication of CRL
>data as well), these are just a few of these:
>  SCVP (draft-ietf-pkix-scvp-21.txt)
>  DVCS (RFC3029)
>  OCSP (RFC2560)
>  PKIXREP locator (draft-ietf-pkix-pkixrep-04.txt)
>  HTTP Certificate Store (draft-ietf-pkix-certstore-http-09.txt)
>  LDAP Certificate server
>  PGP (HTTP based) key & certificate server
>  etc.
>And it may well be that none of the above will work because one of the key
>issues is that BGP (like DNS) is a base protocol so one can not fully rely 
>on some "higher" application protocol as part of BGP route establishment
>(see also SBGP & soBGP and compare how they propose to store cert data).
>
>I think info on considerations and issues involved in setting up and
>running repositories that would be used for BGP security should be
>considered and documented as well at least in some way.
>
>Also the format for certificates and any necessary extensions are all in 
>scope (i.e. if we decide we need extension of RFC3779) and this
>I also see as publication-related issue.

I am unsure how much of this belongs in a SIDR charter and how much 
belongs in a security area as a work item and how much is beyond the scope 
of standards-related activities. For a charter I'm personally more 
comfortable with the more general phrase of

" Document the use of certification objects within this secure routing 
architecture"

and not specifying the form of repository nor the form of repository access 
as charter work items at this point in time.

regards,

     Geoff



