Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers-00

Geoff Huston <gih@apnic.net> Fri, 23 August 2013 22:04 UTC

Return-Path: <gih@apnic.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2D8111E8123 for <sidr@ietfa.amsl.com>; Fri, 23 Aug 2013 15:04:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.443
X-Spam-Level:
X-Spam-Status: No, score=-99.443 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, RDNS_NONE=0.1, RELAY_IS_203=0.994, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C8CNik2U+1ui for <sidr@ietfa.amsl.com>; Fri, 23 Aug 2013 15:03:58 -0700 (PDT)
Received: from ao-mailgw.apnic.net (ao-mailgw.apnic.net [IPv6:2001:dd8:b:98::120]) by ietfa.amsl.com (Postfix) with SMTP id 4846B11E8127 for <sidr@ietf.org>; Fri, 23 Aug 2013 15:03:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apnic.net; s=c3po; h=received:received:received:content-type:mime-version:subject:from:in-reply-to: date:cc:content-transfer-encoding:message-id:references:to:x-mailer: return-path; bh=vVRdTZNeta2aBlBTeJnC/shq6iQwXqCPv2AtjkbweX8=; b=v4gbEXZyN7wPJLtbh3zKsDLC5Df5higUeDTRbg2yBgXvbzQBw92L7KZGRqPD9eL9NvHUnAHNZ9o+8 B8eQ3GR2lro5WCRlstOurmr/DbkrWEJDOgKE7LXgE3C3oY3KSJvo4uT4MRe2pJjM6D+bQ3wjmXLoHL nMjldrbogOqkyQeg=
Received: from NXMDA1.org.apnic.net (unknown [203.119.101.249]) by ao-mailgw.apnic.net (Halon Mail Gateway) with ESMTP; Sat, 24 Aug 2013 08:02:47 +1000 (EST)
Received: from IAMDA2.org.apnic.net (2001:dd8:a:852::21) by NXMDA1.org.apnic.net (2001:dd8:9:802::11) with Microsoft SMTP Server (TLS) id 14.1.218.12; Sat, 24 Aug 2013 08:03:51 +1000
Received: from [172.31.9.187] (203.119.101.249) by IAMDA2.org.apnic.net (203.119.111.21) with Microsoft SMTP Server (TLS) id 14.1.438.0; Sat, 24 Aug 2013 08:03:49 +1000
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Geoff Huston <gih@apnic.net>
In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F6749E7607@CVA-MB002.centreville.ads.sparta.com>
Date: Sat, 24 Aug 2013 08:03:36 +1000
Content-Transfer-Encoding: quoted-printable
Message-ID: <973B0890-766F-4023-8F35-876936E470C6@apnic.net>
References: <EF4348D391D0334996EE9681630C83F0221213C8@xmb-rcd-x02.cisco.com>, <CE0AC78A.26953%andy@arin.net> <24B20D14B2CD29478C8D5D6E9CBB29F6749E7607@CVA-MB002.centreville.ads.sparta.com>
To: "Murphy, Sandra" <Sandra.Murphy@parsons.com>
X-Mailer: Apple Mail (2.1508)
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers-00
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Aug 2013 22:04:02 -0000

Wouldn't it be better to note that: As an update to RFC6487, this document broadens the class of certificates that conform to the RPKI profile by explicitly including within the profile those certificates that contain a policy qualifier as described here.

Geoff



On 24/08/2013, at 4:09 AM, "Murphy, Sandra" <Sandra.Murphy@parsons.com> wrote:

> Speaking as working group chair:
> 
> I can't be certain that this indicates a promise to modify the draft or not.  Roque, Andy, could you comment?
> 
> If so, a new version is needed and I'll say so on the list.
> If not, I'll have to ask for resolution on list.
> 
> Speaking as regular ol' member (and a bit as wg chair, as I'm not clear about the intent of the new text):
> 
> I don't think this text hurts anything, but I am puzzled about the intent.  If "all known" implementations comply, why mention the problem?  OTOH, it might serve to forestall AD/IESG questions.
> 
> So I agree with Andy's observation, though I'd say a heading "Backward Compatibility Considerations" rather than "Interoperability Considerations" suits the situation better. 
> 
> (Apologies - searching for the thread, I found these comments stuck in my draft folder from 17 July.)
> 
> --Sandy
> 
> P.S.  
> 
> "strick"->"strict" 
> "RPKI signed objects" -> "RPKI objects" <because you mean CA certs as well and signed objects might be taken to mean only ROAs and ghostbusters and manifests etc>  
> "implements"->"include" or "contain" or...
> "RP"-> relying party (or you'll have to define the acronym somewhere)
> Not sure what ""as in IDR" means.
> 
> ________________________________________
> From: Andy Newton [andy@arin.net]
> Sent: Tuesday, July 16, 2013 9:49 AM
> To: Roque Gagliano (rogaglia)
> Cc: Murphy, Sandra; sidr@ietf.org
> Subject: Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers-00
> 
> This sounds fine to me, though it is really an interoperability
> considerations section thingy. The IETF does those now, right? :)
> 
> -andy
> 
> On 7/16/13 4:55 AM, "Roque Gagliano (rogaglia)" <rogaglia@cisco.com> wrote:
> 
>> Thanks Andy.
>> 
>> Do you think we need to add something in the security section about the
>> transition?
>> 
>> Something like:
>> 
>> "A RP that performs a strick validation based on RFC6487 and fails to
>> support the updates described in this document, would incorrectly
>> invalidate RPKI signed objects that implements the changes in Section 2.
>> At the time of this writing, all known RP software suites (you can
>> mention them as in IDR) were tested and supported the updates on this
>> document"
>> 
>> Roque
>> 
>> On Jul 15, 2013, at 7:07 PM, Andy Newton <andy@arin.net> wrote:
>> 
>>> On 7/15/13 10:22 AM, "Roque Gagliano (rogaglia)" <rogaglia@cisco.com>
>>> wrote:
>>> 
>>>> Before sending my support to advance to the IESG, I wanted to ask the
>>>> author if they have tested the effects of this change on existing RP
>>>> tools. Do they really set the certificate as invalid?
>>> 
>>> Yes, we have tested against the three RP suites. One did not require a
>>> change while the other two required simple one line changes. Current
>>> releases of all three now accommodate it.
>>> 
>>> -andy
>>> 
>> 
>> 
> 
> 
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr