Re: [sidr] Stephen Farrell's Discuss on draft-ietf-sidr-bgpsec-pki-profiles-19: (with DISCUSS and COMMENT)
Rob Austein <sra@hactrn.net> Wed, 04 January 2017 20:04 UTC
Return-Path: <sra@hactrn.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECA25129458; Wed, 4 Jan 2017 12:04:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.001
X-Spam-Level:
X-Spam-Status: No, score=-5.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aXiobIDk_ACJ; Wed, 4 Jan 2017 12:04:13 -0800 (PST)
Received: from khatovar.hactrn.net (khatovar.hactrn.net [198.180.150.30]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A844C12958E; Wed, 4 Jan 2017 12:04:13 -0800 (PST)
Received: from minas-ithil.hactrn.net (c-73-47-197-23.hsd1.ma.comcast.net [73.47.197.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "nargothrond.hactrn.net", Issuer "Grunchweather Associates" (not verified)) by khatovar.hactrn.net (Postfix) with ESMTPS id 5F32313998; Wed, 4 Jan 2017 20:04:12 +0000 (UTC)
Received: from minas-ithil.hactrn.net (localhost [IPv6:::1]) by minas-ithil.hactrn.net (Postfix) with ESMTP id 1DFD04581178; Wed, 4 Jan 2017 15:04:13 -0500 (EST)
Date: Wed, 04 Jan 2017 15:04:13 -0500
From: Rob Austein <sra@hactrn.net>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <148353788046.13042.160471261406266.idtracker@ietfa.amsl.com>
References: <148353788046.13042.160471261406266.idtracker@ietfa.amsl.com>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20170104200413.1DFD04581178@minas-ithil.hactrn.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/FrGEfF3j1IKL0ncLCvp72mclSeE>
Cc: morrowc@ops-netman.net, sidr-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-sidr-bgpsec-pki-profiles@ietf.org, sidr@ietf.org
Subject: Re: [sidr] Stephen Farrell's Discuss on draft-ietf-sidr-bgpsec-pki-profiles-19: (with DISCUSS and COMMENT)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jan 2017 20:04:15 -0000
[Not the author, but...] At Wed, 04 Jan 2017 05:51:20 -0800, Stephen Farrell wrote: ... > I have a few probably quick things I'd like to discuss for > this one: > > (1) 3.1.1: Why MUST a CA ensure that the CA name and > Subject name combination is unique? I don't see what'd > break in BGPsec if that rule is omitted, but maybe I'm > missing something. > > (2) 3.1.1: Similarly, I'm not clear why only common name > and serial number are allowed in Subject. Why is that > needed for interop? (I can see that you want to say that > code MUST support those but not why you want to prevent > other things.) This draft is a profile of RFC 6487, which is itself a profile of RFC 5280. All of the above is pretty much verbatim from RFC 6487. > (3) Where's certificate status checking covered? What's > expected for BGPsec router certs? If BGPsec speakers are > intended to inherit the CRL checking from 6487 then being > explicit about that would probably be worthwhile. Yes, I think this too is inherited from RFC 6487. > And I'd wonder if router cert revocation will be more common than > for other resource certs, in which case an OCSP-like system could be > needed - did the WG consider that? Not as such. Fair question, but the architecture kind of assumes that the RPKI RP process is separable from the BGPSEC implementation per se, BGPSEC just consumes the output of that process. Most likely implementation technique does all the RPKI stuff per se on a separate box and just stuffs the resulting raw keys into the router using the rpki-rtr protocol, so the router itself probably would not have the information needed to play OCSP even if it wanted to do so, which it probably doesn't. Requiring the routers to speak OCSP seems like a potentially dangerous layering violation.
- [sidr] Stephen Farrell's Discuss on draft-ietf-si… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Rob Austein
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Rob Austein
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Sean Turner
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Sean Turner
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Sean Turner
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Sean Turner
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Randy Bush