Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agility-03

Roque Gagliano <rogaglia@cisco.com> Tue, 08 November 2011 10:41 UTC

Return-Path: <rogaglia@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EF4021F8CBD for <sidr@ietfa.amsl.com>; Tue, 8 Nov 2011 02:41:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.189
X-Spam-Level:
X-Spam-Status: No, score=-7.189 tagged_above=-999 required=5 tests=[AWL=2.809, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a6Xc7Z1vdsu4 for <sidr@ietfa.amsl.com>; Tue, 8 Nov 2011 02:41:12 -0800 (PST)
Received: from ams-iport-1.cisco.com (ams-iport-1.cisco.com [144.254.224.140]) by ietfa.amsl.com (Postfix) with ESMTP id 3A20721F8CB7 for <sidr@ietf.org>; Tue, 8 Nov 2011 02:41:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=rogaglia@cisco.com; l=16562; q=dns/txt; s=iport; t=1320748871; x=1321958471; h=subject:mime-version:from:in-reply-to:date:cc:message-id: references:to; bh=f/CybbLUeDTuZeLOt/MzvltzMrL4aI3zRSVDiLzjBkI=; b=b7E+2Pc2qTJsXI81jwW6kWGy35/J7Mbzd8Tfn+hUyZ8uNmT9xZ+FP6pD Dvgf7yhfI+CSu6y+6RZfjd/vrGktCHZCbIIbwMyif9iLdVxIjJcf0Pmbd ZiLHmPbf1vsxNcSk+FlKVR26wFeoD0jj9NRXs10qYzR4bredt8oiYIDiS E=;
X-Files: smime.p7s : 4389
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AlQFAB0HuU6Q/khL/2dsb2JhbABDoiEBhjyBJYEFgXIBAQEDAQEBAQ8BWwsFCwtGAiUwBhMih2AImGwBnx+ISmMElCGRbw
X-IronPort-AV: E=Sophos; i="4.69,476,1315180800"; d="p7s'?scan'208,217"; a="121060253"
Received: from ams-core-2.cisco.com ([144.254.72.75]) by ams-iport-1.cisco.com with ESMTP; 08 Nov 2011 10:41:02 +0000
Received: from dhcp-vlan250-10-147-19-222.cisco.com (dhcp-vlan250-10-147-19-222.cisco.com [10.147.19.222]) by ams-core-2.cisco.com (8.14.3/8.14.3) with ESMTP id pA8Af21Q022017; Tue, 8 Nov 2011 10:41:02 GMT
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: multipart/signed; boundary=Apple-Mail-122-991758355; protocol="application/pkcs7-signature"; micalg=sha1
From: Roque Gagliano <rogaglia@cisco.com>
In-Reply-To: <CAH1iCipuaB=niUZY2WQdMX8REDVTWGjhosxTyq1AekkUiLZ=FQ@mail.gmail.com>
Date: Tue, 8 Nov 2011 11:40:54 +0100
Message-Id: <BC53A8AD-CABC-4AAC-8B08-EBD0CB825350@cisco.com>
References: <Pine.WNT.4.64.1110201037470.4820@SMURPHY-LT.columbia.ads.sparta.com> <24B20D14B2CD29478C8D5D6E9CBB29F6025FEE@Hermes.columbia.ads.sparta.com> <CAH1iCipuaB=niUZY2WQdMX8REDVTWGjhosxTyq1AekkUiLZ=FQ@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
X-Mailer: Apple Mail (2.1084)
Cc: "Murphy, Sandra" <Sandra.Murphy@cobham.com>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agility-03
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Nov 2011 10:41:13 -0000

Hi Brian, 

Thanks for your comments.
Please see inline.

Roque


(snif)

> 
> So the analogous high-level design for agility SHOULD be as follows:
> - new CP documents may be published, with new OIDs


The CP document in section 6.1.5 refers the definition of the Algorithm Suite to the draft-ietf-sidr-rpki-algs document. There are not OID defined in the CP document. That is why in our document we refer to an update of this document instead.

> - ONLY when a CA with a given CPS decides to change CP does that CA
> need to execute a locally-significant key+alg roll
> - The CA would issue new certs with the new CP which itself lists
> additional algorithms
> - The same procedure would be executed in multiple phases - issue new
> child certs published under the old main cert; move them to the new
> cert, rewriting/overwriting in the same location
> 

In section 4.1 we defined: 
   CA Ready Algorithm B Date  - After this date, all (non-leaf) CAs MUST
               be ready to process a request from a child CA to issue a
               certificate under the Algorithm B suite
If I summarize your comment, you are stating that the definition of "ready" for a CA should also include an update on its CPS to refer to the new suite. This was understood but as what each CA will need to do to be ready to process requests from a child CA is local to that CA, we did not got into the details. 

The process that you have described is indeed the proposed algorithm in the document for the CAs, where we adopted a "top-down" process and we maintain the two suites independent. The document also includes the transition to the new suite on the RPs that are distributed globally. 

Regards,
Roque


> This could be handled gracefully by having two CPs - one CP having the
> additional algorithm(s), and subsequently another CP with the new but
> minus the old.
> 
> This mechanism could be used to introduce new algorithms without
> requiring retiring specific old algorithms. The two actions - adding
> and removing - are in fact independent, beyond the requirement that
> there be at least one algorithm (which goes without saying, really).
> The only other requirement is that the issued certs have algorithms
> consistent with the specified CP (OID) attached to the cert.
> 
> I may be completely off the mark, but this would seem to be much more
> in line with the whole manner in which algorithms, policies, resource
> objects, etc., have been separated out and linked by normative
> reference.
> Perhaps we could get Geoff Huston to comment on my interpretation of
> the CP/CPS/alg interaction and explicit/implicit rules?
> Is it intended that CAs have a uniform hierarchy using exactly one
> algorithm set, or is it intended that each CA be able to specify (via
> CPS + CP)  the set of algorithms it supports, with the initial CP
> document being the minimum acceptable algorithm set?
> 
> Modulo the interaction between parents/children, and requiring old
> algorithms to be retired, and having a set timeline, and  having all
> global CAs on the same timetable, the general methodology for handling
> the phases seems pretty solid.
> 
> IMHO.
> 
> Brian
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr