IETF Logo Mail Archive

Re: [sidr] Simpler trust anchor format

Rob Austein <sra@isc.org> Mon, 07 June 2010 17:24 UTC

Return-Path: <sra@hactrn.net>
X-Original-To: sidr@core3.amsl.com
Delivered-To: sidr@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CF7D23A6E02 for <sidr@core3.amsl.com>; Mon, 7 Jun 2010 10:24:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[BAYES_50=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cGIFuwKovD5F for <sidr@core3.amsl.com>; Mon, 7 Jun 2010 10:24:11 -0700 (PDT)
Received: from cyteen.hactrn.net (cyteen.hactrn.net [IPv6:2002:425c:4242:0:210:5aff:fe86:1f54]) by core3.amsl.com (Postfix) with ESMTP id 8652A3A6A6D for <sidr@ietf.org>; Mon, 7 Jun 2010 09:05:59 -0700 (PDT)
Received: from thrintun.hactrn.net (thrintun.hactrn.net [IPv6:2002:425c:4242:0:219:d1ff:fe12:5d30]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "thrintun.hactrn.net", Issuer "Grunchweather Associates" (verified OK)) by cyteen.hactrn.net (Postfix) with ESMTPS id 9B01D28431 for <sidr@ietf.org>; Mon, 7 Jun 2010 16:05:58 +0000 (UTC)
Received: from thrintun.hactrn.net (localhost [IPv6:::1]) by thrintun.hactrn.net (Postfix) with ESMTP id 39E1A22808 for <sidr@ietf.org>; Mon, 7 Jun 2010 12:05:58 -0400 (EDT)
Date: Mon, 07 Jun 2010 12:05:58 -0400
From: Rob Austein <sra@isc.org>
To: sidr@ietf.org
In-Reply-To: <alpine.BSF.2.00.1006062239350.39651@fledge.watson.org>
References: <alpine.BSF.2.00.1006062239350.39651@fledge.watson.org>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20100607160558.39E1A22808@thrintun.hactrn.net>
Subject: Re: [sidr] Simpler trust anchor format
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jun 2010 17:24:11 -0000

At Mon, 7 Jun 2010 00:21:49 -0400 (EDT), Sam Weiler wrote:
> 
> I just submitted an i-d documenting a much simpler trust anchor format 
> than the one in the current WG draft.  Like the format in the WG doc, 
> this one allows for a long-lived trust anchor even though the unlying 
> certificate changes more often, e.g. when new resources are added. 
> This format has the advantage of being noticeably simpler.
> 
> I encourage the WG to adopt this format in place of the one in the 
> current WG doc.

I support this proposal.

My validator software supports this trust anchor format, via the
"indirect-trust-anchor" configuration directive.  The semantics are
identical to the "trust-anchor-uri-with-key" format I implemented at
ARIN's request several years ago.  The only change from the older
directive is syntax: Sam pointed out (correctly) that moving the URI
out of the validator's configuration file and into the file with the
public key would make this mechanism easier to use.

v2.23.0 | Report a Bug | By Email