Re: [sidr] draft-ietf-sidrops-signed-tal-00

Tim Bruijnzeels <tim@ripe.net> Tue, 27 March 2018 09:38 UTC

Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B51FB1241FC for <sidr@ietfa.amsl.com>; Tue, 27 Mar 2018 02:38:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level:
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i-VPXlDeeNFr for <sidr@ietfa.amsl.com>; Tue, 27 Mar 2018 02:38:29 -0700 (PDT)
Received: from molamola.ripe.net (molamola.ripe.net [IPv6:2001:67c:2e8:11::c100:1371]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B7D61200C5 for <sidr@ietf.org>; Tue, 27 Mar 2018 02:38:29 -0700 (PDT)
Received: from titi.ripe.net ([193.0.23.11]) by molamola.ripe.net with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from <tim@ripe.net>) id 1f0l3i-0005dI-6l; Tue, 27 Mar 2018 11:38:27 +0200
Received: from sslvpn.ripe.net ([193.0.20.230] helo=vpn-150.ripe.net) by titi.ripe.net with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89) (envelope-from <tim@ripe.net>) id 1f0l3i-0001kD-2r; Tue, 27 Mar 2018 11:38:26 +0200
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <D62DAF4C-52A8-4C35-9919-9E4ED9E6C458@vigilsec.com>
Date: Tue, 27 Mar 2018 11:38:15 +0200
Cc: IETF SIDR <sidr@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <D2AED6D8-991E-4E5C-B2C0-0B3AC34077EF@ripe.net>
References: <B3A27099-810E-46D5-A2E9-49C01F4389A2@vigilsec.com> <5A5E79B7-4E84-4803-A9EC-4EC2D5719C77@ripe.net> <D62DAF4C-52A8-4C35-9919-9E4ED9E6C458@vigilsec.com>
To: Russ Housley <housley@vigilsec.com>
X-Mailer: Apple Mail (2.3445.5.20)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: -------
X-RIPE-Spam-Report: Spam Total Points: -7.5 points pts rule name description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED Passed through trusted hosts only via SMTP -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a071947dc7c19b3e2858a7847328f6c44d3b2
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/LGF70Ub9IW_gDFUC47_grxQKT3c>
Subject: Re: [sidr] draft-ietf-sidrops-signed-tal-00
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Mar 2018 09:38:31 -0000

Hi Russ, all,

How about:

OLD:
A signed TAL is an RPKI signed object, as specified in [RFC6488].

NEW:
The signed TAL object uses the standard template for
specifying signed objects that can be validated using the
RPKI [RFC6488], which is based on Cryptographic
Message Syntax (CMS) [RFC5652] as a standard
encapsulation format.

(Relevant text included and paraphrased from 6488)

Tim


> On 22 Mar 2018, at 18:44, Russ Housley <housley@vigilsec.com> wrote:
> 
> Tim:
> 
> I think that a statement in Section 3 that it uses CMS SignedData [RFC5652] would make this very clear.
> 
> Russ
> 
> 
>> On Mar 22, 2018, at 1:07 PM, Tim Bruijnzeels <tim@ripe.net> wrote:
>> 
>> Hi Russ,
>> 
>> Yes, this is a CMS object. Section 3 describes this. It’s an extension of RPKI Signed Object - which is CMS.- and specifies the relevant content type (3.1) and eContent (3.2).
>> 
>> Tim
>> 
>>> On 22 Mar 2018, at 17:02, Russ Housley <housley@vigilsec.com> wrote:
>>> 
>>> Is the intent to use CMS to sign the trust anchor list?  Since ROAs are signed with CMS, I was expecting these signatures to follow the same convention.  However, there is no reference to CMS in the draft.
>>> 
>>> Russ
>>> 
>>> _______________________________________________
>>> sidr mailing list
>>> sidr@ietf.org
>>> https://www.ietf.org/mailman/listinfo/sidr
>>> 
>> 
> 
>