Re: [sidr] Terry Manderson's No Objection on draft-ietf-sidr-delta-protocol-07: (with COMMENT)

Tim Bruijnzeels <tim@ripe.net> Tue, 28 February 2017 14:26 UTC

Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21926129598; Tue, 28 Feb 2017 06:26:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nHyqfMMIZ3lG; Tue, 28 Feb 2017 06:26:00 -0800 (PST)
Received: from mahimahi.ripe.net (mahimahi.ripe.net [IPv6:2001:67c:2e8:11::c100:1372]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97A27129563; Tue, 28 Feb 2017 06:26:00 -0800 (PST)
Received: from nene.ripe.net ([193.0.23.10]) by mahimahi.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84_2) (envelope-from <tim@ripe.net>) id 1ciiiu-0006zw-BS; Tue, 28 Feb 2017 15:25:53 +0100
Received: from sslvpn.ripe.net ([193.0.20.230] helo=vpn-17.ripe.net) by nene.ripe.net with esmtps (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.84_2) (envelope-from <tim@ripe.net>) id 1ciiit-0005dz-3k; Tue, 28 Feb 2017 15:25:51 +0100
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: text/plain; charset=utf-8
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <9DC16A6F-84C6-4E59-9086-3C4EB1A0C05E@ripe.net>
Date: Tue, 28 Feb 2017 15:25:49 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <C15B021C-48E2-4BA1-94F9-325420E14B10@ripe.net>
References: <148721059915.31454.12790381111112907537.idtracker@ietfa.amsl.com> <47B3699A-B344-4BA5-A131-309A6DF04FBD@ripe.net> <3A008C78-B846-4F8F-A813-C54C276FAEFD@cisco.com> <A3DDD124-EBE6-42AC-B66F-532AF0A5E175@cisco.com> <9DC16A6F-84C6-4E59-9086-3C4EB1A0C05E@ripe.net>
To: Oleg Muravskiy <oleg@ripe.net>
X-Mailer: Apple Mail (2.3124)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: ---------
X-RIPE-Spam-Report: Spam Total Points: -9.4 points pts rule name description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED Passed through trusted hosts only via SMTP -0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0004]
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a07190781c0797ab8371f0317c97a78f951ba
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/Gw03OT8riXehnui_BgGTDt_dbUQ>
Cc: "sidr@ietf.org" <sidr@ietf.org>, "morrowc@ops-netman.net" <morrowc@ops-netman.net>, "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>, The IESG <iesg@ietf.org>, "sandy@tislabs.com" <sandy@tislabs.com>, "draft-ietf-sidr-delta-protocol@ietf.org" <draft-ietf-sidr-delta-protocol@ietf.org>
Subject: Re: [sidr] Terry Manderson's No Objection on draft-ietf-sidr-delta-protocol-07: (with COMMENT)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Feb 2017 14:26:02 -0000

Hi all,

> On 27 Feb 2017, at 10:24, Oleg Muravskiy <oleg@ripe.net> wrote:
> 
> Hi everybody,
> 
>> On 23 Feb 2017, at 20:25, Alvaro Retana (aretana) <aretana@cisco.com> wrote:
>> 
>> Tim:
>> 
>> Hi!
>> 
>> Given the feedback so far on the list, I think we should roll back the updates in preparation for next week’s IESG Telechat.
> 
> Currently RFC7730 (TAL format) only allows rsync URIs in there.
> 
> In order to allow RRDP in TAL, I think we have to keep the update to RFC7730 in draft-ietf-sidr-delta-protocol, namely this part of the draft:

While I share my co-author's enthusiasm to update the TAL document, I propose to do this as a separate effort so that the delta protocol doesn't depend on this. It's not needed by the protocol after all, but would help scale access to Trust Anchor certificates.

Also when we go here I believe we will have to allow HTTPS specifically as an alternative scheme. And we may have discussions whether it should be allowed in addition or even instead of rsync (which I believe may be a lot simpler than phasing out rsync everywhere else).

Tim


> 
> ============================================================================
> 4.3.  Updates to RFC7730
> 
> 4.3.1.  Update in Section 2.1, Trust Anchor Locator Format
> 
>   OLD:
> 
>      where the URI section is comprised of one of more of the ordered
>      sequence of:
> 
>         1.1) an rsync URI [RFC5781],
> 
>         1.2) a <CRLF> or <LF> line break.
> 
>   NEW:
> 
>      where the URI section is comprised of one of more of the ordered
>      sequence of:
> 
>         1.1) a URI [RFC3986],
> 
>         1.2) a <CRLF> or <LF> line break.
> 
> 4.3.2.  Update in Section 2.2, TAL and Trust Anchor Certificate
>        Considerations
> 
>   OLD:
> 
>      Each rsync URI in the TAL MUST reference a single object.  It MUST
>      NOT reference a directory or any other form of collection of
>      objects.
> 
>      ...
> 
>      Where the TAL contains two or more rsync URIs, then the same self-
>      signed CA certificate MUST be found at each referenced location.
> 
>   NEW:
> 
>      Each URI in the TAL MUST reference a single object.  It MUST NOT
>      reference a directory or any other form of collection of objects.
> 
>      ...
> 
>      Where the TAL contains two or more URIs, then the same self-signed
>      CA certificate MUST be found at each referenced location.
> 
> 4.3.3.  Update in Section 5.1, Normative References
> 
>   Remove the reference to RFC5781, "The rsync URI Scheme".
> 
>   Add a reference to RFC3986, "Uniform Resource Identifier (URI):
>   Generic Syntax".
> 
> 
> ============================================================================
> 
> What do you think?
> 
> Oleg
> 
> 
>> 
>> Thanks!
>> 
>> Alvaro.
>> 
>> On 2/17/17, 9:56 AM, "sidr on behalf of Alvaro Retana (aretana)" <sidr-bounces@ietf.org on behalf of aretana@cisco.com> wrote:
>> 
>>> **Chairs**:  Given that this is a significant change, and that the WG may have not been
>>> focused on the discussion, and that we now have a little more time given the fact that the
>>> IESG review of this document was deferred until Mar/2…  Please explicitly ask the WG to
>>> review the Updates to RFC6480, RFC6481 and RFC7730.  I think that a week of discussion
>>> on the list should be enough.
>> 
>> 
>