Re: [sidr] Terry Manderson's Discuss on draft-ietf-sidr-rpsl-sig-11: (with DISCUSS and COMMENT)
Robert Kisteleki <robert@ripe.net> Fri, 20 May 2016 11:32 UTC
Return-Path: <robert@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38FAC12D894; Fri, 20 May 2016 04:32:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.326
X-Spam-Level:
X-Spam-Status: No, score=-8.326 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.426] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cUJZpwunJ2YC; Fri, 20 May 2016 04:32:44 -0700 (PDT)
Received: from mahimahi.ripe.net (mahimahi.ripe.net [IPv6:2001:67c:2e8:11::c100:1372]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A667E12D831; Fri, 20 May 2016 04:32:44 -0700 (PDT)
Received: from nene.ripe.net ([193.0.23.10]) by mahimahi.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <robert@ripe.net>) id 1b3ifY-00082d-Ax; Fri, 20 May 2016 13:32:41 +0200
Received: from gibbon.ripe.net ([193.0.1.206] helo=[127.0.0.1]) by nene.ripe.net with esmtp (Exim 4.72) (envelope-from <robert@ripe.net>) id 1b3ifY-0005v9-5T; Fri, 20 May 2016 13:32:40 +0200
To: George Michaelson <ggm@algebras.org>
References: <20160518033754.24796.52937.idtracker@ietfa.amsl.com> <f1770d7b-7a16-6bab-91f7-dd6e41bb60ff@innovationslab.net> <35AEF9F7-FFAD-470B-9D0D-1D7BE7C7FE90@ripe.net> <d4872829-f267-2297-0abc-4820bbde07ed@innovationslab.net> <CAKr6gn2dekUfo6EAORAnOck=U-FoFsXreZ43KDT3X8SBRWG3HA@mail.gmail.com>
From: Robert Kisteleki <robert@ripe.net>
Organization: RIPE NCC
Message-ID: <9e0601f1-92f7-105b-57c1-c95d2fad660c@ripe.net>
Date: Fri, 20 May 2016 13:32:39 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.0
MIME-Version: 1.0
In-Reply-To: <CAKr6gn2dekUfo6EAORAnOck=U-FoFsXreZ43KDT3X8SBRWG3HA@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: ----------
X-RIPE-Spam-Report: Spam Total Points: -10.8 points pts rule name description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED Passed through trusted hosts only via SMTP -1.4 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
X-RIPE-Signature: 72e00e6d7601fa19264e98abc238a274734bc57264d5e4e7cf989173833f93a2
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/OL2fNqocnp8M8W87qgd469KrZ2A>
Cc: "Sandra L. Murphy" <sandy@tislabs.com>, sidr-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-sidr-rpsl-sig@ietf.org, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] Terry Manderson's Discuss on draft-ietf-sidr-rpsl-sig-11: (with DISCUSS and COMMENT)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 May 2016 11:32:49 -0000
Chiming it late... On 2016-05-19 0:39, George Michaelson wrote: > I would rather the sigs were signed by ee certs which were in the > blob, than have to make an external reference and I would rather we > varied the compliance needs to remove a pointless external ref. > > If there has to be a ref, I think making it mandated to a specific > scheme is over specifying, especially in a context where we might > begin to understand *where you get cryptographic materials from is > less important than proving who said them*. > > Rsync is a bad fit. for the actual signing cert, Inline is better. It > can refer to whatever chain it likes. > > -G In the good ol' days a reference was put in because while the signature itself is relatively small, including the full EE cert would bloat the whole RPSL object to potentially multiple times its original size -- and for those who don't care about signatures this is a huge overhead. Furthermore, if one would reuse EE certs in multiple signatures (I don't see why that would be prohibited -- for example if I want to sign multiple objects at the same time), then this method makes even more sense. Then the whole back-and-forth started about whether it should be rsync or http(s) and now perhaps it's neither. It feels like we're going around in circles here :) Robert
- [sidr] Terry Manderson's Discuss on draft-ietf-si… Terry Manderson
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Brian Haberman
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Tim Bruijnzeels
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Brian Haberman
- Re: [sidr] Terry Manderson's Discuss on draft-iet… George Michaelson
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Terry Manderson
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Tim Bruijnzeels
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Robert Kisteleki
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Stephen Kent
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Tim Bruijnzeels