Re: [sidr] Questions about draft-huston-rpki-validation-01

Geoff Huston <gih@apnic.net> Mon, 17 March 2014 23:47 UTC

To: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/JKV8ZJacfIvTfwg5EQgF3xHpJt0
Cc: George Michaelson <ggm@apnic.net>, sidr wg list <sidr@ietf.org>

Hi Sriram,


>> Perhaps if I rephrase the validation question a little, 
>> it may be a little clearer.
> 
>> The validation question is: Given a certificate X and a TA certificate, 
>> for what resources is this certificate "valid"?
> 
> Suggestion:
> s/Given a certificate X and a TA certificate/Given a certificate X and 
> its certification path (per Section 6 of RFC5280)/ 
> 

agreed, this is a little clearer

>> You point out
>>> (In terms of language and clarity, the notion of calling a certificate "valid" 
>>> is misleading when in fact all that is being checked is merely 
>>> whether a given INR is subsumed in it.)  
> 
>> Maybe there is a way of tightening this up. 
>> How about: A resource contained in the resource extension 
>> of a certificate is defined as "valid" if this resource 
>> is listed in the resource extension field of all certificates 
>> that are contained in a certification path, where the 
>> construction of this certification path is defined in section 6 of RFC5280.
> 
> Suggestion:
> s/is listed in the resource extension field of all certificates/
> /is subsumed in the resource extension field of each of the certificates/
> 
> (Note: A prefix may not be listed but may be subsumed in a less specific that is listed.)
> 

agreed


> Do you need somewhat different wording for the case of ROA validation?
> (Is a ROA also technically a "certificate"?)
> When you say "resource contained in the resource extension",
> is that well defined for a ROA as well?


RFC6482 need not be altered at all.

Section 4 of RFC6482 states:

      The IP address delegation extension [RFC3779] is present in the
      end-entity (EE) certificate (contained within the ROA), and each
      IP address prefix(es) in the ROA is contained within the set of IP
      addresses specified by the EE certificate's IP address delegation
      extension.

which still holds in this slightly altered certificate validation framework.



> 
>> (In the WG I also considered a slightly expanded question: 
>> Given a certificate X and a set of TA certificates, 
>> for what resources is this certificate "valid"?, 
>> but that proved to be a little more controversial for many!)
> 
> Yes, I also feel that the “join” idea is far more complicated and the benefits are not clear.
> 


I am working on clarity here in terms of explaining the benefits of this approach.


thanks,

   Geoff
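
The definition as reworded in this exchange (a resource of certificate X is "valid" if it is subsumed in the resource extension of each certificate on the certification path), together with the RFC6482 Section 4 containment check, worked through as an added example that is not part of the original message or of the draft. The function names and the certification path are constructed for illustration, and applying the ROA check to the valid set is this example's assumption. Each prefix listed in X is judged as a unit: one that is only partly covered higher up is reported as not valid rather than split.

```python
import ipaddress

def normalize(prefixes):
    """Parse prefix strings and merge adjacent/overlapping ones, per address family."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    merged = []
    for version in (4, 6):
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return merged

def subsumed(prefix, resource_set):
    """True if prefix equals, or is more specific than, a prefix in resource_set."""
    return any(prefix.version == r.version and prefix.subnet_of(r) for r in resource_set)

def valid_resources(path):
    """path: resource extensions from the TA certificate down to certificate X (last).
    Returns the prefixes of X that are subsumed in every certificate above it."""
    certs = [normalize(ext) for ext in path]
    return [p for p in certs[-1] if all(subsumed(p, cert) for cert in certs[:-1])]

def roa_contained(roa_prefixes, resource_set):
    """RFC6482 Section 4 style check: every ROA prefix lies within resource_set."""
    return all(subsumed(ipaddress.ip_network(p), resource_set) for p in roa_prefixes)

# Constructed certification path (hypothetical, not real allocations).
PATH = [
    ["10.0.0.0/8", "2001:db8::/32"],                    # TA certificate
    ["10.1.0.0/17", "10.1.128.0/17", "2001:db8::/32"],  # intermediate CA
    ["10.1.2.0/24", "10.2.0.0/24", "2001:db8:1::/48"],  # certificate X (EE)
]

if __name__ == "__main__":
    valid = valid_resources(PATH)
    # 10.1.2.0/24 is not listed by the intermediate CA but is subsumed in the
    # merged 10.1.0.0/16; 10.2.0.0/24 is not subsumed there and drops out.
    print("valid for X:", [str(p) for p in valid])
    print("ROA 10.1.2.0/24 contained:", roa_contained(["10.1.2.0/24"], valid))
    print("ROA 10.2.0.0/24 contained:", roa_contained(["10.2.0.0/24"], valid))
```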